Cannot login with Google due to invalid_request

[oanat]

Steps to reproduce:

• download XWiki 11.9
• install Google Apps 2.4.5 using a trial licence
• add client and secret from the Google account (setup already done for alias http://apps.xwiki.com:8080)
• add the 2 lines in xwiki.cfg: xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl xwiki.authentication.groovy.pagename=xwiki:GoogleApps.AuthService
• restart the wiki
• access the wiki with the alias http://apps.xwiki.com:8080
• click on "Login with Google"

Result:

• "Erreur 400 : invalid_request" (even when using incognito)

  

• on the server logs: 2020-04-21 17:28:32,441 [http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/Login??xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] INFO nticationPersistenceStoreTools - retrieve cookie XWIKITRUSTEDAUTH GOOGLEAPPS: SCOPE config: drive avatar. GOOGLEAPPS: APPNAME: xwiki GOOGLEAPPS: CLIENTID: 923699394047-71naqbt7eudeh98ij49o4jlk0ife8n49.apps.googleusercontent.com GOOGLEAPPS: SCOPE: [https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/drive] GOOGLEAPPS: In authorize GOOGLEAPPS: No credentials found. Checking stored credentials for user XWiki.XWikiGuest GOOGLEAPPS: Getting credentials for user XWiki.XWikiGuest-1750148717 GOOGLEAPPS: Could not find stored credentials GOOGLEAPPS: No credentials retrieved. GOOGLEAPPS: Redirecting to authorization URL. 2020-04-21 17:28:32,659 [http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/Login??xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] INFO nticationPersistenceStoreTools - retrieve cookie XWIKITRUSTEDAUTH GOOGLEAPPS: google authentication url : https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=auto&client_id=923699394047-71naqbt7eudeh98ij49o4jlk0ife8n49.apps.googleusercontent.com&redirect_uri=http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/OAuth&response_type=code&scope=https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/drive&state=1265582901 GOOGLEAPPS: Got credentials: null Expected Result: I get a popup to select the Google account for login

[polx]

Hello @oanat , I believe that http://apps.xwiki.com:8080 is not acceptable anymore as URL. They want https.

The error, however, shows something different: the approval_prompt is "invalid". Can it be that this api-key and secret pair is really old? I'd expect that this is, then, not working anymore. I'd suggest having a look at the Google console.

If not, please provide more details, possibly on chat.

[hugovk]

This looks like a change on the Google side, this is affecting many sites (eg. Vimeo, Datadog, notchvfx, Tynker, streamlabs, auxparty) and auth libraries:

• https://github.com/googleapis/google-api-php-client/issues/1821
• https://github.com/thephpleague/oauth2-client/issues/831
• https://github.com/thephpleague/oauth2-google/issues/87
• https://github.com/python-social-auth/social-app-django/issues/248
• https://github.com/MarkEdmondson1234/googleAuthR/issues/177
• https://github.com/hwi/HWIOAuthBundle/issues/1622
• https://github.com/knpuniversity/oauth2-client-bundle/issues/236
• https://github.com/Vestorly/torii/issues/453

Fix is to remove the approval_prompt=auto parameter, or replace it with prompt=, or approval_prompt=force

https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters

For example:

• https://www.drupal.org/project/social_auth_google/issues/3129494

[oanat]

@polx I have reset api-key and secret pair and the issue persists. @hugovk Thanks for the feedback!

[polx]

Hello Oana, I just tested right now, with my current dev version and it works with approval_prompt=auto. Note that this link is generated by the Google library, however we are working on upgrading it.

I suppose that the problem is the approval screens that are registered with your client: They are not valid anymore. As far as my experience goes, I believe that approval screens are where Google starts to complain that https is required and, e.g., cannot be localhost. Could you check the approval screens?

thanks

Paul

PS: Yet another example of difficult error reporting in API-management services... With some chances you also get an info in the console (not sure where).

[hugovk]

Looks like Google have now fixed it, but approval_prompt isn't in the docs so I believe it probably makes sense to change it. We're keeping the change in our library.

[polx]

@hugovk please provide more details on the tools you used and where it failed. The same setup (so, I assume the same URL params) was working yesterday too for me. As I said, I fear that this is related to account-specific parameters. The API has been around since looooong and such trends as "everything https" have come later impacting such info as that stored in the approval screens.

[hugovk]

I've been using a different library altogether (a Drupal module plus PHP library), so didn't have the problem with this project. But it did hit many others: https://github.com/xwikisas/application-googleapps/issues/46#issuecomment-617257525. Yesterday, it happened to most of our team and users, but not all.

[polx]

My guess is that this is bound to the API-surroundings and to the fact that they've validated already or not.

[oanat]

I tested on a local instance last week and the issue seems to have been resolved by an update of the API on the Google side.

[polx]

Seems like this issue can be closed. Please re-open if needed.