We use auth0 social connections for Login and SignUp purpose in our application. One of the social connections is google-oauth2. For certain gmail ids, we get the following error
For these login and signup request I am not able to see any logs under the Monitoring section in Auth0 Dashboard. One interesting thing here is, it doesn’t occur for all the personal gmail account, I tried Signing up with a different gmail account and it just works fine.
We also tried to troubleshoot it in Incognito mode and by removing the chrome extensions while trying to verify if it is related to browser, but didn’t have any success on that front as well. (Tried on Chrome and Brave)
Here is the terraform configuration on how the google oauth2 social connection is setup
I also tried setting different scopes openid, profile, email. But that did not help either. Please let me know how I can troubleshoot this and fix this issue.
I came upon some info on the google side - mainly before the app is verified, only users added as “test” users under the Google Could Dashboard can access the app and share their sensitive data (basically any user data within the openid scope is considered sensitive).
Can you verify if this is the case by setting the affected gmail address as a “test user”?
(Google Cloud dashboard → APIs and Services → 0Auth consent screen → Test Users → Add test user.)
looking at google docs, yes, the app will be available for users other tan testers once google approve the app:
To publish an app publicly to the Google Workspace Marketplace, Google reviews your app and its listing to make sure they meet Google’s design, content, and style guidelines.
We are experiencing the same issue. Our Google app is in a “Testing” state, it has been working well for a number of years, we’ve onboarded over 100 customers, however, today we started to see this issue. In our testing, it seems very sporadic. Many accounts register/login without issue, when others do not.
There doesn’t seem to be any outliers/patterns as to what would prevent some accounts and not others, eg, straight Gmail vs Workspace, etc.
only users added as “test” users under the Google Could Dashboard can access the app and share their sensitive data
The above although specified by Google, doesn’t seem to add up. As noted, we’ve onboard >100 uses without issue and haven’t set them up as “test” users.
We’re having this issue too! It just came out of nowhere! Considering the various people suddenly having this are you sure it’s not a setting that’s been changed in Auth0’s relationship with google?? It does say
auth0.com has not completed the Google verification process
Looking at those threads, there seem to be no common pattern for affected users. Today a user can log in but after a few more times, they may not. The only common denominator is that the Google Workspace app is not yet being verified by Google.
It looks to me like Google randomly chooses a user for verification while the login attempt happens. And with the world’s trends of being more and more security aware, I believe there could be new restrictions on the Google side.
Your apps are integrated with Auth0 purely for login / logout feature?
And users are allowed to use theirs Google account as one of the enabled connections, which results in processing and storing some of user’s google data in Auth0?
→ Google may not want to share their user’s profile data (user’s email address is already considered a sensitive data → reason ->it can be a phishing target as an example) to an unverified app.
I’m wondering if you have noticed some new traffic on your servers that time-overlaps with the issue?
I will also use assistance of our social connections engineers and will back to you once any additional info came my way!
Today, I had someone reporting the same issue. We already onboarded thousand of users, most of which used google social login to signup. Our OAuth 2.0 client in GCP is the “Testing” state, but so far it’s never been an issue. Any user with a gmail or google workspace account could authenticate just fine.
Now I’m very hesitant to publish the app and go through the verification process, as this things can be a nightmare (I had some bad experiences in the past with a Youtube app verification process) and I don’t want to risk having it blocked completely.
Right now it seems like the majority of users can signup with their google accounts just fine, I also tested it with a brand new account and saw no issues, but a client sent us that screenshot, and since Auth0 doesn’t log any of these attempts at all, we worry this might affect more users that we think of. I would really like to avoid going through the google verification process: it’s one thing if your app isn’t live yet, it’s another thing if you already have thousand of active users.
I’ll keep a close eye on this thread, to see if someone find a solution.
Just for the record we have also been running in test with no problem and suddenly someone has had this issue. Their email is not a Google Workspace email.
We are also experiencing this issue as well, and have not had an issue with this untill the new year. We have had Google Social Connection within our application since 2021 and have never had this issue.
As well we tried to reproduce with brand new google accounts and struggle to reproduce this scenario. However we have been getting a bunch of tickets from our users.
I’m looking further into that and this disclaimer in Google documentation sounds really relevant:
Upcoming Policy Enforcement Notice
Google is continuously re-evaluating the risk associated with user data access, and may upgrade the risk of certain data types and scopes to sensitive or restricted. When this happens, apps using such scopes may become unverified, but will be given a grace period to go through verification before the unverified app screen and user cap are applied to them. If your app is impacted, you will receive email notifications about the verification deadline. A warning message will be displayed on the consent screen in order to prepare your users for potential loss of functionality if your app is unverified and it is close to the deadline. If your app remains unverified, the unverified app screen will be displayed before the consent screen, and your app will be limited to 100 new users until it is verified.
On a different thread I noticed someone reporting about starting receiving a .well-known/xxxxxxx from Google IP addresses and following this lead I found Google mentioning security event check ups if a service is requesting permission to access user profile information or email addresses:
You only receive security event tokens for Google users who have granted your service permission to access their profile information or email addresses. You get this permission by requesting the profile or email scopes.
Hope this give you the needed context! Also, wondering if Google support has provided some additional information to you?
Thank you!
Started facing this issue as well. The functionality was working fine until a few days ago since we had reports come in for new users not being able to sign up.
Would appreciate if someone can find a fix here. Here’s the scope that we are using for signing up users: "scope": "openid profile email phone offline_access"
Would love some help from Auth0
Updated: We needed to go into GCP and under publish our version was “testing”. We need to click the publish button which changed the status to “in production” and our issue was resolved.
with a mix of personal and corporate (both inside and outside our organisation). And FYI, I’ve confirmed that it is a personal account that was getting bounced.
I don’t have paid support from google but I’ve raised a question on their support forums for google cloud to see if anyone can shed any light. I’ll cross-post any useful information here if I get any.
After much digging, we noticed if we removed the “logo” from our app within the Google API console, we could then move the app into “Production” mode without going through Googles verification process.
Given the consensus is that the app needs to be in “Production” mode to resolve this problem, we hope that this change will work. Still bizarre that it occurs in the first place after years of non-issues. I’ll update here if this issue persists for us.
We are hitting the same issue. What is the status on this from Auth0? Clearly it’s affecting many customers. We did not change anything and have been running this way for a while.
This is a matter of Google’s policy enforcement regarding applications that process sensitive user’s google account scopes by unverified apps you own and it’s true for users that are not assigned as a “tester user” for the app (doesn’t matter if we talk about a free google user account or a Google Workspace account and that worked for them before).
If we follow Google recommendations and mark a user as a “test user” for this unverified app (like for the app in a test or development mode), the authentication process run smoothly for them, and your integration with Auth0 works as expected.
Google is continuously re-evaluating the risk associated with user data access, and may upgrade the risk of certain data types and scopes to sensitive or restricted. When this happens, apps using such scopes may become unverified, but will be given a grace period to go through verification before the unverified app screen and user cap are applied to them. If your app is impacted, you will receive email notifications about the verification deadline. A warning message will be displayed on the consent screen in order to prepare your users for potential loss of functionality if your app is unverified and it is close to the deadline. If your app remains unverified, the unverified app screen will be displayed before the consent screen, and your app will be limited to 100 new users until it is verified.
Thank you all for sharing workarounds for it here, like removing logo app, to keep your apps available to public. Hope this can give you some time to manage the process!
We are seeing the same issue, however our application is in Production Mode (not testing). It seems to me that Auth0 needs to verify with Google, there’s nothing we can do at the moment. Especially, taking into account that we have already underwent the verification process.
My app is Google verified and in production. I found this error a few weeks back with a user, but thought maybe it was an issue with his Google Workspace. I just had another customer reach out where some of their users were able to get into my app, but others are getting this auth0 is an unverified app which prevents them from logging into my app with Google.
Since I am in compliance with Google’s enforcement notice, can we perhaps do a little more digging into why this is happening?