Closed oanat closed 4 years ago
Hello @oanat , I believe that http://apps.xwiki.com:8080 is not acceptable anymore as URL. They want https.
The error, however, shows something different: the approval_prompt is "invalid". Can it be that this api-key and secret pair is really old? I'd expect that this is, then, not working anymore. I'd suggest having a look at the Google console.
If not, please provide more details, possibly on chat.
This looks like a change on the Google side, this is affecting many sites (eg. Vimeo, Datadog, notchvfx, Tynker, streamlabs, auxparty) and auth libraries:
Fix is to remove the approval_prompt=auto
parameter, or replace it with prompt=
, or approval_prompt=force
https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
For example:
@polx I have reset api-key and secret pair and the issue persists. @hugovk Thanks for the feedback!
Hello Oana,
I just tested right now, with my current dev version and it works with approval_prompt=auto
. Note that this link is generated by the Google library, however we are working on upgrading it.
I suppose that the problem is the approval screens that are registered with your client: They are not valid anymore. As far as my experience goes, I believe that approval screens are where Google starts to complain that https
is required and, e.g., cannot be localhost
. Could you check the approval screens?
thanks
Paul
PS: Yet another example of difficult error reporting in API-management services... With some chances you also get an info in the console (not sure where).
Looks like Google have now fixed it, but approval_prompt
isn't in the docs so I believe it probably makes sense to change it. We're keeping the change in our library.
@hugovk please provide more details on the tools you used and where it failed. The same setup (so, I assume the same URL params) was working yesterday too for me. As I said, I fear that this is related to account-specific parameters. The API has been around since looooong and such trends as "everything https" have come later impacting such info as that stored in the approval screens.
I've been using a different library altogether (a Drupal module plus PHP library), so didn't have the problem with this project. But it did hit many others: https://github.com/xwikisas/application-googleapps/issues/46#issuecomment-617257525. Yesterday, it happened to most of our team and users, but not all.
My guess is that this is bound to the API-surroundings and to the fact that they've validated already or not.
I tested on a local instance last week and the issue seems to have been resolved by an update of the API on the Google side.
Seems like this issue can be closed. Please re-open if needed.
Steps to reproduce:
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl xwiki.authentication.groovy.pagename=xwiki:GoogleApps.AuthService
Result:
"Erreur 400 : invalid_request" (even when using incognito)
on the server logs:
2020-04-21 17:28:32,441 [http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/Login??xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] INFO nticationPersistenceStoreTools - retrieve cookie XWIKITRUSTEDAUTH GOOGLEAPPS: SCOPE config: drive avatar. GOOGLEAPPS: APPNAME: xwiki GOOGLEAPPS: CLIENTID: 923699394047-71naqbt7eudeh98ij49o4jlk0ife8n49.apps.googleusercontent.com GOOGLEAPPS: SCOPE: [https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/drive] GOOGLEAPPS: In authorize GOOGLEAPPS: No credentials found. Checking stored credentials for user XWiki.XWikiGuest GOOGLEAPPS: Getting credentials for user XWiki.XWikiGuest-1750148717 GOOGLEAPPS: Could not find stored credentials GOOGLEAPPS: No credentials retrieved. GOOGLEAPPS: Redirecting to authorization URL. 2020-04-21 17:28:32,659 [http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/Login??xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] INFO nticationPersistenceStoreTools - retrieve cookie XWIKITRUSTEDAUTH GOOGLEAPPS: google authentication url : https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=auto&client_id=923699394047-71naqbt7eudeh98ij49o4jlk0ife8n49.apps.googleusercontent.com&redirect_uri=http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/OAuth&response_type=code&scope=https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/drive&state=1265582901 GOOGLEAPPS: Got credentials: null
Expected Result: I get a popup to select the Google account for login