i8beef / HomeAutio.Mqtt.GoogleHome

MIT License

Invalid scope: name - wrong configuration? #65

Closed fightforlife closed 4 years ago

fightforlife commented 4 years ago

Hi there,

I just started using this bridge. I am coming from the NORA Node-RED nodes and a self-hosted gbridge instance, but both were not able to provide all the devices that Google supports.

I deployed the bridge in Docker and configured it as described in the wiki; I can log in over my HTTPS proxy and create devices.

But the Account-linking is not working:

[21:18:33 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[21:18:33 ERR] Invalid scope: name
[21:18:33 ERR] Request validation failed

Do I maybe have a configuration wrong?

i8beef commented 4 years ago

https://github.com/i8beef/HomeAutio.Mqtt.GoogleHome/wiki/Setup:-Google-Actions-Console#account-linking

Did you do step 5 here? The error looks like Google is requesting a specific account scope ("name"?). Make sure the only two it's requesting are the two listed in step 5 here, maybe?

fightforlife commented 4 years ago

Yes, I have added only the two scopes "api" and "offline_access": [screenshot]

But in the logs I can see that it is requesting additional scopes like "name" and "email" (I tried to edit out sensitive information):

[07:15:46 INF] Request starting HTTP/1.1 GET http://192.168.10.22:9035/connect/authorize?redirect_uri=https%3A%2F%2Foauth-redirect.googleusercontent.com%2Fr%2Fproject-5aab8&client_id=UAIVnTZ6FcJh7U20JSqk&response_type=code&state=AH8b_TPTueMm4I-DChedxhtPJO4YJbyvA_GE0iybMafiKaFjJHXXRg3qkwUn6iTbV5ifLsgTLLO4pHOQiWsgou-8W5LKQZTh0g8N2KNlWrNNAs7DvsN80Ca_fGGt43hdtOx7iDKPAb-vI1Nae90eMpjYYFPWrPzzeln3v5ozldHDAm-zA6ocU4ZRJBwY1oQnrRi8NX982ErB5xft2h3K3c5zBpsJPGYLKCIUbH5JeF7HcgQSWZ3yq4py5zuXPKYylz5hOlPBLXS8GyTTS_L5HaoXb-jC7Lz1iK0fMiVoCDR1zKTWcwH4Ap_39K6u-5sfP8nSzrJJaSj2WmSny3GkZBe0xu6BJL9G7uPJJBKvQ7RyDeL21Px2-mVxrDEKIwg7M5tqro14mNtGteCjQqK22e2PJ0Ylmfzb55zMoRbkG6buwS4MHy45hdcuKVnNKLFS-sM8g2NmMn8wARW7ysUCODD_XazTiG90CXpMw5CyNe7bz_iwQQbm-MNb9pMcTMkcTtdeB4YTC702w4_i-NhxvSb7guwfg6hzvzwQdL8PL5F592dmbposjbilrM0iqvAcSSQNL1uNDRbXWXvQ5mG97_goeo1g9jYBdedM9JUK1tALhd4ZYEPscDY&scope=email%20name%20api%20offline_access&user_locale=de-DE  
[07:15:46 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[07:15:46 ERR] Invalid scope: name
[07:15:46 ERR] Request validation failed
[07:15:46 INF] {"ClientId": "UAIVnVN5FcJh7U20JSqk", "ClientName": "HomeBridge", "RedirectUri": "https://oauth-redirect.googleusercontent.com/r/project-5aab8", "AllowedRedirectUris": ["https://oauth-redirect.googleusercontent.com/r/project-5aab8"], "SubjectId": "anonymous", "ResponseType": "code", "ResponseMode": "query", "GrantType": "authorization_code", **"RequestedScopes": "email name api offline_access"**, "State": "AB8b_TPTmeMm4I-DChedxgtPJO4YJbyvA_GE0iybMafiJaFjJHXXRg3qkwUn6iTbV5ifLsgTPLO4pHOQiWsgou-8W5LKQZTh0g8N2KNlWrNBAs7DvsN80Ca_fGGt43hdtOx5iDKPAb-vI1Nae90eMpjYYFPWrPzzeln3v5ozldHDAm-zA6ocU4ZRJBwY1oQnrRi8NX982ErB5xft2h3K3c5zBpsJPGYLKCIUbH5JeF7HcgQSWZ3yq4py5zuXPKYylz5hOlPBLXS8GyTTS_L5HaoXb-jC7Lz1iK0fMiVoCDR1zKTWcwH4Ap_39K6u-5sfP8nSzrJJaSj2WmSny3GkZBe0xu6BJL9G7uPJJBKvQ7RyDeL21Px2-mVxrDEKIwg7M5tqro14mNtGteCjQqK22e2PJ0Ylmfzb55zMoRbkG6buwS4MHy45hdcuKVnNKLFS-sM8g2NmMn8wARW7ysUCODD_XazTiG90CXpMw5CyNe7bz_iwQQbm-MNb9pMcTMkcTtdeB4YTC702w4_i-NhxvSb7guwfg6hzvzwQdL8PL5F592dmbposjbilrM0iqvAcSSQNL1uNDRbXWXvQ5mG97_goeo1g9jYBdedM9JUK1tALhd4ZYEPscDY", "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"redirect_uri": "https://oauth-redirect.googleusercontent.com/r/project-5aab8", "client_id": "UAasdfVN5FcJh7U20JSqk", "response_type": "code", "state": 
"AB8b_TPTmeMm4I-DChedxgtPJO4YJbyvA_GE0iybMafiJaFjJHXXRg3qkwUn6iTbV5ifLsgTPLO4pHOQiWsgou-8W5LKQZTh0g8N2KNlWrNBAs7DvsN80Ca_fGGt43hdtOx5iDKPAb-vI1Nae90eMpjYYFPWrPzzeln3v5ozldHDAm-zA6ocU4ZRJBwY1oQnrRi8NX982ErB5xft2h3K3c5zBpsJPGYLKCIUbH5JeF7HcgQSWZ3yq4py5zuXPKYylz5hOlPBLXS8GyTTS_L5HaoXb-jC7Lz1iK0fMiVoCDR1zKTWcwH4Ap_39K6u-5sfP8nSzrJJaSj2WmSny3GkZBe0xu6BJL9G7uPJJBKvQ7RyDeL21Px2-mVxrDEKIwg7M5tqro14mNtGteCjQqK22e2PJ0Ylmfzb55zMoRbkG6buwS4MHy45hdcuKVnNKLFS-sM8g2NmMn8wARW7ysUCODD_XazTiG90CXpMw5CyNe7bz_iwQQbm-MNb9pMcTMkcTtdeB4YTC702w4_i-NhxvSb7guwfg6hzvzwQdL8PL5F592dmbposjbilrM0iqvAcSSQNL1uNDRbXWXvQ5mG97_goeo1g9jYBdedM9JUK1tALhd4ZYEPscDY", "scope": "email name api offline_access", "user_locale": "de-DE"}, "$type": "AuthorizeRequestValidationLog"}
[07:15:46 INF] Request finished in 4.3948ms 302 
[07:15:46 INF] Request starting HTTP/1.1 GET http://192.168.10.22:9035/home/error?errorId=CfDJ8IbMF5JijKpFvRFeFt34ttMpACyauICl6cD1F1a5sxcAhYiqouIKQuKcJbmibe5GG0OZWeHRWjxVdD1Gd36eoG-DjY6ZmglVRMvPdWNA367ewer2twsK6AEO5eT97k8ogzLtdDz5rx1TIuevQ77DbXCiAdiNRZrleU9y3othdvxoU8Y3T4WbPlKxITELJJCXvqT9d8f-P56UxMqTn-YlVsHKWAsiBC_FsZWUyfWJxFDGF9XUHc83_hreEs5Poi7skV2qQW31Zqs_Kc9OK1QWTD_-1N6j1EBan2Ts-QXQgBIJ-XlbvKv3uGdqAlQgyiHtSsh_0elrt3e_Oa796f8T3XvKxHdZ27n1YCoDZ4wS2KyFknypw56R_jaY8aVddf1TobqAQ8JBAWvUbbqiMvyNRVSJa9O982f6La1NTAgeXEXr5EYEzjOeEY3oJHRL6cwpcEOBJ1n-1FYHuyxj0R3F05EgtfcrOnbpJ2SkUSYOwAJqsnlsKCfoebZpqYGIEXqhir6g8l1Z2PGs7eswV73n5j7mbFZ5zqII11yXzVu_HwV6bsqrN5wIhb871sONzplR7OTr_UCMOtlH9ucX04qIUVlTifVQlw4C1RDa4pp-jnJQZKT7i60fHav6zfwvwHXAfHiZ2LTI7tE6PXuTChO15eWrY8_I5R4Gr_7EkszQBVNaw8ly4VIcsUaCJjT465zA8b_OE5KJJPLGbT4GSYQ5bpxGakwbmgzql0LWQkI0fmojj7lYeayN6vTMhs9Xx815oblr0gM8xHuIloArF9fYr73A7mFRF8_kMHkJFyjEPlP3Di3u8zRoYhknUF_4Nrm_5SWpDrbLxu_L5ZrcJQmFGACc6UT8HgI4fywAd5mvtZ3kpOiggN1Nl2JyzY46BlK9lcSMdcwgT03x0-AvFhCtFtQMOnChv1iRqS3nTmPIwq_r6TRJR5F9I9bPi5evZtEvMb_RJBFDD-xfO6WeYFKSPvSoARooTCXLnfM4revYcoDd1-yOzuNKNHn6M3kl1eIoYIuDdDAjhUdHxS_tY-kxLbn2FRW2PXPAYWHlhwBArdyqhEV7w4xToK-QOMP6-69T-bCdp_8pACSZ2eEC3hH6P4aUBIOJ02v7lFxOEV6i7T4xsOyfZywgJl7FMMiwu9ej95Jsi69P9tQJT6KgAmbQydiYev7I76Oh2M6Ls2Xdz1RbbQ0vdRJv1vvxeSEn4-i1SMOPDhYf26jaHpcJVxt2rECx2LaTgIxpS1GPT11r2Jcxeu08DOkLJLG7ER5MGJn8a1q3V0MUiQjus5Xrm18kA8KaySB5jL6VbLFWqOMOQWUHN7SCk7LxGUsin2uf6nitkeyjQlWV4lt3eMThdec2auAupwgxbFKqK4  
[07:15:46 INF] Route matched with {action = "Error", controller = "Home"}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Error(System.String) on controller IdentityServer4.Quickstart.UI.HomeController (HomeAutio.Mqtt.GoogleHome).
[07:15:46 INF] Executing action method IdentityServer4.Quickstart.UI.HomeController.Error (HomeAutio.Mqtt.GoogleHome) - Validation state: Valid
[07:15:46 INF] Executed action method IdentityServer4.Quickstart.UI.HomeController.Error (HomeAutio.Mqtt.GoogleHome), returned result Microsoft.AspNetCore.Mvc.ViewResult in 0.6531ms.
[07:15:46 INF] Executing ViewResult, running view Error.
[07:15:46 INF] Executed ViewResult - view Error executed in 6.5785ms.
[07:15:46 INF] Executed action IdentityServer4.Quickstart.UI.HomeController.Error (HomeAutio.Mqtt.GoogleHome) in 12.6476ms
[07:15:46 INF] Request finished in 14.657ms 200 text/html; charset=utf-8
[07:15:49 INF] Removing expired grants

fightforlife commented 4 years ago

As far as I can tell, the scope "name" is not valid. "profile" should be used, right?

[screenshot]

i8beef commented 4 years ago

Your first reply looks right. Where are you going for the second one with "Google Sign-In"? That's not part of the standard Actions Console that I'm aware of.

I can see in the originating request it's requesting additional scopes, name and email...

fightforlife commented 4 years ago

I checked on this website which scopes exist: https://developers.google.com/identity/protocols/googlescopes

So in the request I can see the following: "RequestedScopes": "email name api offline_access"

- api: this is fine, since it is configured in the Actions console.
- offline_access: is also fine.
- email: this is listed as a valid scope on the website above (so maybe even though this isn't standard it could work).
- name: I cannot find this in the scope list above. I am not sure where this comes from.

Maybe a guess: I am using pomerium (https://github.com/pomerium/pomerium) as a reverse proxy with Google OAuth. I set HomeAutio as publicly accessible without any authentication (policy: allow_public_unauthenticated_access: true). Maybe somehow this is interfering? But it wouldn't explain why the scope "name" does not exist.

Edit: In pomerium the scope "name" is not used (not with Google and not in the standard config). [screenshot]

i8beef commented 4 years ago

"scopes" are just an added layer of security kind of like "roles" that the client can request from the identity provider. I.e., "I want to login as this client, with access to these 'scopes' or functions". IdentityServer4 (the embedded identity provider here) is fully configurable, but it's basically saying that you're requesting a scope it doesn't know about, so it can't make a security decision and is failing safe.

The problem is, Google shouldn't be sending that scope request at all unless you set those scopes in the Google Actions API. When you DO, Google should send ONLY those two scopes.

It really looks like something is messing with the request mid-stream, and I'm guessing it's that pomerium thing.
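As an added illustration of the fail-safe scope check just described (this is not code from the thread or from the project), the Python below pulls the scope parameter out of an authorize request shaped like the one logged earlier and reports which scopes are unknown to the identity provider and which a known client is not allowed to request. The server-side scope set, the client id "HomeBridge", and the shortened state value are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Scopes the embedded identity provider knows about at all. The bridge's wiki
# lists "api" and "offline_access"; the standard OpenID identity scopes are
# included here as an assumption so that "email" (known, but not granted to
# this client) can be told apart from "name" (not a scope at all).
SERVER_SCOPES = {"api", "offline_access", "openid", "profile", "email"}

# Per-client allow list, matching the two scopes set in the Actions console.
# The client id "HomeBridge" is an assumed value, not the real one.
CLIENT_ALLOWED_SCOPES = {"HomeBridge": {"api", "offline_access"}}

# Constructed authorize request modelled on the logged one; state is shortened.
SAMPLE_REQUEST = (
    "http://192.168.10.22:9035/connect/authorize"
    "?redirect_uri=https%3A%2F%2Foauth-redirect.googleusercontent.com%2Fr%2Fproject-5aab8"
    "&client_id=HomeBridge&response_type=code&state=STATE-PLACEHOLDER"
    "&scope=email%20name%20api%20offline_access&user_locale=de-DE"
)


def requested_scopes(url):
    """Return the space-separated scope list from an authorize URL, in order."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def validate_scopes(client_id, url):
    """Fail-safe check: one unknown or disallowed scope rejects the whole request.

    Returns (ok, unknown, disallowed) so the caller can log exactly why.
    """
    scopes = requested_scopes(url)
    unknown = [s for s in scopes if s not in SERVER_SCOPES]
    allowed = CLIENT_ALLOWED_SCOPES.get(client_id, set())
    disallowed = [s for s in scopes if s in SERVER_SCOPES and s not in allowed]
    return (not unknown and not disallowed, unknown, disallowed)


if __name__ == "__main__":
    ok, unknown, disallowed = validate_scopes("HomeBridge", SAMPLE_REQUEST)
    for scope in unknown:
        print(f"ERR Invalid scope: {scope}")
    for scope in disallowed:
        print(f"ERR Client cannot request scope: {scope}")
    print("Request validation", "passed" if ok else "failed")
```

Run against the sample request it rejects the request for "name" (unknown) and "email" (not granted to the client); with only "api offline_access" in the scope parameter it passes.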

fightforlife commented 4 years ago

I got it working, thank you very much!

For anyone finding this: my problem was that I was using the same Google Cloud/Actions project for this bridge and the pomerium reverse proxy. Since pomerium needs an OAuth client id, the scopes name and email are automatically used.

After giving both applications their own google project it is working fine.