I'm doing a website where I have a Share button for Google+. I'm trying it in my localhost server and when I click the button, it turns red with an advice. In the advice I read these motives of error:
Server timeout: Check your Internet connection and try refreshing the
page.
Suspended profile: If your profile has been suspended, you
won't be able to +1 content.
Apps user: If your administrator hasn't
enabled Google+ for your domain, you won't be able to sign up for a
Google+ account to use the +1 button.
Blocked cookies: If you've
disabled 3rd party cookies in your browser you won't be able to use
the +1 button.
Logged out: If you've logged out of your account, you
won't be able to use the +1 button.
I checked the different motives and I don't know how I can check the Apps user...
This is expected behavior. Google has to be able to crawl your site to generate the preview snippet for the share. Google cannot crawl your localhost server.
To share pages, the content must be publicly accessible.
Related
We have been working on an app that requires access to a users google calendar. We have been using the grantOfflineAccess() method described in google api's documentation - https://developers.google.com/identity/sign-in/web/reference#googleusergrantofflineaccessoptions
However, the problem we are facing is that this opens a pop up and we need to do this via a redirect. Does anyone have any ideas todo this without a pop up showing up?
Safari and Firefox block pop ups and this does not really work well on safari on mobile.
I was able to find a GitHub issue for this https://github.com/google/google-api-javascript-client/issues/288 but I have seen other websites do this without a pop up. You can check zendesk & frontapp.com - both of whom take offline grant for the users signing in.
Any ideas or help would be appreciated.
The only way to access a users data is to have a user grant you permission to access that data. This is done though Oauth2 a user is promoted to login to their google account then they are given a screen with the scopes of permissions that you are requesting.
There is no way around this. YOu will always have to ask a user at lease once to grant you permission to access their data if you are requesting offline access you will be given a refresh token that you can use to request a new access token and access the users data when they are not online.
As for popups they shouldn't be displaying as popups they should be opening in a new browser window.
Can't login using Google Auth,
Error 403: org_internal
This client is restricted to users within its organization.
Go to cloud console (https://console.cloud.google.com/apis/)
APIs and services
Credentials
Oath consent screen
Ensure Application type is set to "public" and not internal.
Obviously assuming that you are creating an app that should be accessible outside your org. If this is related to testing and phones, it is possible to create testusers that are excepted from company policy rules.
The reason for this error is indeed because the Application type is set to "internal".
But setting it to public is not always the right answer...
Add "&prompt=select_account" to the authentication url. This will force the user to select the correct (organization-)account.
Without the parameter, Google tries to show the consent screen for the logged in Google-account, but as it is not an organization-account it will just display the 403 page without giving the user this choice.
https://developers.google.com/identity/protocols/OpenIDConnect#prompt
I had an Internal app that I was trying to authenticate with one of our YouTube channels using an organization account, and I was getting the same error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
After contacting Google Workspace Support, they asked me to Change the restriction on it from Limited to Trusted.
Steps are mentioned in this support thread: https://support.google.com/a/answer/7281227
Open the Google Admin Console.
From the sidebar menu, choose: Security → API Controls.
Click on MANAGE THIRD-PARTY APP ACCESS button.
Hover the cursor over the required app and click on Change access.
Choose the option: Trusted: Can access all Google services
And save the CHANGE.
Once you've done, take note that there will be 24 hours of propagation on it before it gradually takes effect.
Make sure, for the browser you are using, that you have logged out of "All" Google account(s). This should force the "select account" windows to display.
We have almost exactly the same problem while trying to configure WP Mail SMTP for Wordpress.
The OAuth Client's Application Type has to be "Internal" so changing it to "External" was not an option for us.
Hope this helps.
I had the same issue and in my case was because the project didn't had a support email address set it.
I fix it by adding one on the Firebase Console > Project Settings > General under the Public settings section.
This error is most likely due to the configuration of your application in Google Cloud Platform.
Setting your application to "internal" is causing this error. Try making your app "external" in the OAuth consent screen, but make sure it is in a "testing" status. Then, add yourself to the test users. This configuration will work well for an internal, lightweight application.
Once complete, try to authenticate with the channel again.
I had the same issue with a project. The error only appeared if I tried to log in to my app while already logged in with an account outside the organization (worked just fine while logged out of all accounts, or while logged in with an internal organization account). I had to change the OAuth Client's Application Type from Internal to Public in the Google Dev Console.
More info can be found at https://support.google.com/cloud/answer/6158849?hl=en
Maybe you have another google email to login, not the correct one.
I'm using Firebase Authentication for my web app, and customizing the redirect domain for Firebase Authentication's Google Sign-In feature so that Google's authentication page will
show Continue to: https://auth.mydomain.com,
instead of Continue to: https://my-app-12345.firebaseapp.com.
So I did four steps according to instructions on Firebase's documentation:
(1) Create a CNAME record for auth.mydomain.com that points to my-app-12345.firebaseapp.com
(2) Add auth.mydomain.com to the list of authorized domains in the Firebase console
(3) In the Google OAuth setup page, whitelist the URL of the redirect page which is https://auth.mydomain.com/__/auth/handler
(4) Edit my app's JavaScript code which initializes Firebase library:
var config = {
...
// from 'authDomain: my-app-12345.firebaseapp.com,'
authDomain: 'auth.mydomain.com',
...
};
After that, however, when my app invokes firebase.auth().signInWithRedirect(provider) method, web browser will show privacy warning like the following:
Your connection is not private
Attackers might be trying to steal your information from auth.mydomain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
...
This server could not prove that it is auth.mydomain.com; its security certificate is from firebaseapp.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to auth.mydomain.com (unsafe)
And certificate information is as follows:
firebaseapp.com
Issued by: Google Internet Authority G3
Expires: Tuesday, 13 November 2018
This certificate is valid.
Details
Subject Name
Country: US
State/Province: California
Locality: Mountain View
Organization: Google Inc
Common Name: firebaseapp.com
And below is URI:
https://auth.mydomain.com/__/auth/handler?apiKey=apiKey&appName=%5BDEFAULT%5D&authType=signInViaRedirect&providerId=google.com&scopes=profile&redirectUrl=https%3A%2F%2Fwww.mydomain.com%2Flogin&v=5.0.4
Why does customizing the redirect domain for Google Sign-In prompt NET::ERR_CERT_COMMON_NAME_INVALID warning, and how should I do to avoid the warning message from prompting, e.g. adding Subject Alternative Names into the certificate, using auth.mydomain.com's own certificate?
By the way, in the above warning page, if Proceed to auth.mydomain.com (unsafe) is clicked, authentication will work as expected.
Because auth.mydomain.com points to my-app-12345.firebaseapp.com via CNAME record, host of firebaseapp.com should provision SSL certificate for auth.mydomain.com. It has to be done in Firebase Hosting page even if my-app-12345 is not using Firebase Hosting. Here is step-by-step method for doing that based on Firebase's documentation:
In Firebase project my-app-12345's console, click Hosting on the side menu.
When Set up hosting pop-up appears, click Continue. Then click Finish.
In Hosting page, click Connect domain.
When Connect domain pop-up appears, enter auth.mydomain.com. Then click 'Redirect auth.mydomain.com to an existing website' checkbox. Then enter my-app-12345.firebaseapp.com. Then click Continue.
When 'Add the TXT records below to your DNS provider to verify you own mydomain.com' pop-up appears, follow the instruction. And click Verify. (Verifying may take some minutes). Then click Finish.
Now auth.mydomain.com will be appeared in domain section with Pending status. It will soon be changed to Connected. And after some time, the NET::ERR_CERT_COMMON_NAME_INVALID warning issue will be gone.
P.S. With help of Firebase technical support team, I have got the answer to my own question.
just to clarify, as of Jan 6th 2020, the method above (using 'Redirect' within Firebase Hosting) doesn't work anymore.
Following something written in https://levelup.gitconnected.com/how-to-connect-a-domain-to-your-firebase-project-cd47373bad79 - we can see for Authentication, we need to use "Custom Domains" and not "Redirect"
This is because if redirection is used, the SSL signed between the exit and entry points of the custom domain and Google's authentication servers will fail the handshake.
In other words:
If you are setting it up for the first time:
In Firebase project my-app-12345's console, click Hosting on the side menu.
When Set up hosting pop-up appears, click Continue. Then click Finish.
In Hosting page, click Connect domain.
When Connect domain pop-up appears, enter auth.mydomain.com. Then do not tick 'Redirect auth.mydomain.com to an existing website' checkbox. Then enter my-app-12345.firebaseapp.com. Then click Continue.
If you've already setup a Redirect domain, and you cannot get it to work - you can simply edit the entry, and change to a "Custom" type.
Wait 10 ~ 30 minutes once that has changed to have this function properly.
I am trying to use the Telegram Login Widget.
I have inserted the following script in my login page:
<script async="" src="https://telegram.org/js/telegram-widget.js?4" data-telegram-login="<name of bot>" data-size="large" data-auth-url="http://local.<domain>/tg" data-radius="0" data-request-access="write"></script>
This works insofar that the Login Widget gets displayed.
When I click the "Login with Telegram" button, it correctly asks me to Accept/Decline if I want to login at this website. But then nothing further happens.
By investigating the network requests I found that the telegram servers respond thus:
{"error":"NOT_AUTHORIZED","html":"<button class=\"btn tgme_widget_login_button\" onclick=\"return TWidgetLogin.auth();\"><i class=\"tgme_widget_login_button_icon\"><\/i>Log in with Telegram<\/button>","origin":"http:\/\/local.<domain>"}
Is there anything I am missing that I should have done?
I did have a chat with the #BotFather to set the domain to http://local.<domain>.
When logging in, I also get a message from Telegram in the Client telling me:
You have successfully logged in on local.furry.cafe via #.
The website received your name, username and profile picture.
Things that could be problematic:
local.<domain> is part of my /etc/hosts, but this shouldn't be a problem right?
I don't use HTTPS on my dev machine? But this is not written as a requirement anywhere.
After several hours of more debugging I've found the reason:
You need to have third-party cookies set as allowed.
Since the request seems to be made from the asking window, it didn't have any authentication cookies attached, which in turn gave the NOT_AUTHORIZED response, while at the same time 'logging' you in, in the telegram client.
Since the server has no idea that the cookies was not set, it could not say anything.
TL;DR: Don't disable third party cookies if you want to use Telegram Login as a User.
I'll have to add a small text explanation so that if a user does have them disabled, it is shown to them.
On my website, the user can log in through Facebook.
I have also created a Facebook canvas app which consists of a small part of my website.
Through the Facebook canvas app, the user can access certain features of the site regarding their site account.
It works great when the user accesses the FB app while already being logged into the site.
However, if the user accesses the FB app while NOT being logged into my site - how do I log them into my site through the app?
It would be ideal if I could somehow automatically log them into their account when accessing my site through the FB app.
If that isn't possible, I would like the user to be able to log into my site through the Facebook app.
However right now when I redirect to the oauth login I get the following error:
Refused to display
'https://www.facebook.com/dialog/oauth?response_type=code&client_id=…nLpHx7N5X--Q'
in a frame because it set 'X-Frame-Options' to 'DENY'.
Summary:
Can I auto-login to my site when accessing the site through Facebook canvas
If not, how can the user log into my site through the canvas app?
So basically your problem was just how to call the FB login dialog from within canvas. If you use the URL redirect version, then you have to call it in the top window instance – the login dialog can not be shown in any kind of (i)frame, for security reasons¹
top.location.href=… in JavaScript, or target="_top" for a simple link can achieve that.
¹ User needs to be able to verify via address bar that they are entering their credentials on facebook.com, to prevent phishing attacks.