Cannot login with Google due to invalid_request
Closed this issue · 10 comments
Steps to reproduce:
- download XWiki 11.9
- install Google Apps 2.4.5 using a trial licence
- add client and secret from the Google account (setup already done for alias http://apps.xwiki.com:8080)
- add the 2 lines in xwiki.cfg:
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl xwiki.authentication.groovy.pagename=xwiki:GoogleApps.AuthService - restart the wiki
- access the wiki with the alias http://apps.xwiki.com:8080
- click on "Login with Google"
Result:
- "Erreur 400 : invalid_request" (even when using incognito)
- on the server logs:
2020-04-21 17:28:32,441 [http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/Login??xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] INFO nticationPersistenceStoreTools - retrieve cookie XWIKITRUSTEDAUTH GOOGLEAPPS: SCOPE config: drive avatar. GOOGLEAPPS: APPNAME: xwiki GOOGLEAPPS: CLIENTID: 923699394047-71naqbt7eudeh98ij49o4jlk0ife8n49.apps.googleusercontent.com GOOGLEAPPS: SCOPE: [https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/drive] GOOGLEAPPS: In authorize GOOGLEAPPS: No credentials found. Checking stored credentials for user XWiki.XWikiGuest GOOGLEAPPS: Getting credentials for user XWiki.XWikiGuest-1750148717 GOOGLEAPPS: Could not find stored credentials GOOGLEAPPS: No credentials retrieved. GOOGLEAPPS: Redirecting to authorization URL. 2020-04-21 17:28:32,659 [http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/Login??xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F] INFO nticationPersistenceStoreTools - retrieve cookie XWIKITRUSTEDAUTH GOOGLEAPPS: google authentication url : https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=auto&client_id=923699394047-71naqbt7eudeh98ij49o4jlk0ife8n49.apps.googleusercontent.com&redirect_uri=http://apps.xwiki.com:8080/xwiki/bin/view/GoogleApps/OAuth&response_type=code&scope=https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/drive&state=1265582901 GOOGLEAPPS: Got credentials: null
Expected Result: I get a popup to select the Google account for login
Hello @oanat , I believe that http://apps.xwiki.com:8080 is not acceptable anymore as URL. They want https.
The error, however, shows something different: the approval_prompt is "invalid". Can it be that this api-key and secret pair is really old? I'd expect that this is, then, not working anymore. I'd suggest having a look at the Google console.
If not, please provide more details, possibly on chat.
This looks like a change on the Google side, this is affecting many sites
(eg. Vimeo, Datadog, notchvfx, Tynker, streamlabs, auxparty) and auth libraries:
- googleapis/google-api-php-client#1821
- thephpleague/oauth2-client#831
- thephpleague/oauth2-google#87
- python-social-auth/social-app-django#248
- MarkEdmondson1234/googleAuthR#177
- hwi/HWIOAuthBundle#1622
- knpuniversity/oauth2-client-bundle#236
- https://github.com/Vestorly/torii/issues/453
Fix is to remove the approval_prompt=auto parameter, or replace it with prompt=, or approval_prompt=force
https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
For example:
Hello Oana,
I just tested right now, with my current dev version and it works with approval_prompt=auto. Note that this link is generated by the Google library, however we are working on upgrading it.
I suppose that the problem is the approval screens that are registered with your client: They are not valid anymore. As far as my experience goes, I believe that approval screens are where Google starts to complain that https is required and, e.g., cannot be localhost. Could you check the approval screens?
thanks
Paul
PS: Yet another example of difficult error reporting in API-management services... With some chances you also get an info in the console (not sure where).
Looks like Google have now fixed it, but approval_prompt isn't in the docs so I believe it probably makes sense to change it. We're keeping the change in our library.
@hugovk please provide more details on the tools you used and where it failed.
The same setup (so, I assume the same URL params) was working yesterday too for me.
As I said, I fear that this is related to account-specific parameters. The API has been around since looooong and such trends as "everything https" have come later impacting such info as that stored in the approval screens.
I've been using a different library altogether (a Drupal module plus PHP library), so didn't have the problem with this project. But it did hit many others: #46 (comment). Yesterday, it happened to most of our team and users, but not all.
My guess is that this is bound to the API-surroundings and to the fact that they've validated already or not.
I tested on a local instance last week and the issue seems to have been resolved by an update of the API on the Google side.
Seems like this issue can be closed. Please re-open if needed.