Unknown Google OAuth Error

jacque006 · December 8, 2018, 10:27pm

After setting up a non-test OAuth client through google and populating my credentials, I am getting this error when doing my test login from the social connection page:

{
“date”: “2018-12-08T22:16:14.075Z”,
“type”: “f”,
“description”: “Unauthorized”,
“connection”: “MY_GOOGLE_CONNECTION”,
“connection_id”: “REDACTED”,
“client_id”: “MY_CLIENT_ID”,
“client_name”: “MY_PROJECT”,
“ip”: “REDACTED”,
“user_agent”: “Chrome Mobile 70.0.3538 / Android 0.0.0”,
“details”: {
“body”: {},
“qs”: {
“state”: “g6Fo2SBZZjhXX1pDbFV2dXl3YUpSMDZxbzFZbnVPZW15MUpwQaN0aWTZMmdhRm8yU0JZYUdGbU9EbFNaMjVYTWtreFh6RmZkbGRTZDNaWlVqWlJlV1puV21aNVRBo2NpZNkgUjVXaVBIOG9hbnI0ZlMyQmtBYUtOVUhmYVFaRFM3M0g”,
“code”: “4/rgDmhzjHI1-P9n8T172NJlVCjOUs1lcjPXU0htIWlsUmuXDJQGQZGSZI_9EauIU_RIj0lXJKHICjNBIlKj6lTNc”,
“scope”: “email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile”
},
“connection”: “google-oauth2”,
“error”: {
“message”: “Unauthorized”,
“oauthError”: “invalid_request”,
“type”: “request-error”
}
},
“hostname”: “MY_AUTH0_DOMAIN”,
“strategy”: “MY_GOOGLE_CONNECTION”,
“strategy_type”: “social”,
“log_id”: “90020181208221614076443861480495898728224457775201950978”,
“isMobile”: true
}

Of note, I submitted my consent screen for verification but it is still pending. It says it should still work on it’s base settings.

What steps should I take next to further triage/resolve this issue?

charsleysa · December 8, 2018, 11:42pm

Hi @jacque006

I noticed the scope parameter has scopes for google, is this something you’ve added in?

If so, I believe this is the incorrect way to add scopes for the upstream IDP (in this case google).

There is a separate parameter called connection_scope in which you can pass scopes to the upstream IDP (docs).

Hope this helps!

jacque006 · December 12, 2018, 11:49pm

@charsleysa Thanks for the pointer, but that doesn’t appear to be the issue. I’ve attached screenshots from my Auth0 Google social connection settings page and the corresponding Google Credentials page (with some information obscured):

I did originally add some additional scopes but removed them after realizing I wouldn’t need them.

DASPRiD · January 5, 2019, 8:35pm

I’m having the exact same problem. Everything is configured as written here:

https://auth0.com/docs/connections/social/google

DASPRiD · January 5, 2019, 8:43pm

The scopes being send to google are the same as in the first post:

      "scope": "email profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"

I assume that either the first two shouldn’t be in there or the last two, but I’m not sure. I guess this is a problem on Auth0’s side?

jacque006 · January 7, 2019, 4:52am

Any update on this issue given the new activity?

charsleysa · January 7, 2019, 11:42am

Hi @jacque006 and @DASPRiD

Sorry for the late response, work commitments and public holidays got in the way

From what I can see, all the configuration and steps looks correct.

If you are able to provide the following it would very much help in diagnosing the issue (either by posting here or by DM, with sensitive information obfuscated):

code snippets of where you perform the API call to Auth0 to begin the authentication process (largely looking for any possible misconfigurations)
.HAR files of the authentication attempt resulting in the error

DASPRiD · January 7, 2019, 5:59pm

I’ll look into generating an HAR file later. As for the API calls, nothing special to do there: Simply hit the “try” button on the social connections manage page (with API details from Google), which then should fail after the consent.

charsleysa · January 10, 2019, 2:08am

Hi @DASPRiD

If the try button doesn’t work then there is definitely an issue with your configuration somewhere.

Can you please confirm that you have correctly setup the OAuth credentials in the Google Credentials dashboard? (your previous screenshots didn’t include this)

For reference, here is a screenshot of our staging setup:

DASPRiD · January 10, 2019, 10:27am

Sure, here it is:
https://s.dasprids.de/XDcdvw

And here is the relevant config from the consent screen:
https://s.dasprids.de/XDceBQ

charsleysa · January 11, 2019, 12:51pm

Hi @DASPRiD

That config looks fine.

Can you please double check that the client ID and client secret you have entered into auth0 match what is displayed in the Google dashboard?

Also, if you have any custom rules can you please try disabling all of them just to rule them out.

DASPRiD · January 11, 2019, 2:58pm

Okay, I tracked down the error, which is… well:

When copying the client secret, a leading space slipped into the clipboard.

May I recommend that you trim user input to avoid such mistakes?

jacque006 · February 1, 2019, 3:01am

@DASPRiD Excellent find, solved my issue.

konrad.sopala · February 1, 2019, 8:52am

Thanks a lot @DASPRiD for finding that out and sharing with the rest of community! Glad you made it work!

system · March 3, 2019, 8:52am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.