Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GoogleOauth2: "Invalid credentials". #44

Open
brylie opened this issue Nov 12, 2014 · 9 comments
Open

GoogleOauth2: "Invalid credentials". #44

brylie opened this issue Nov 12, 2014 · 9 comments

Comments

@brylie
Copy link
Contributor

brylie commented Nov 12, 2014

When configuring the Google settings for API Umbrella, I get the following error:

Could not authenticate you from GoogleOauth2 because "Invalid credentials".

The user email address is in the initial_superusers list, and the Google settings for client_id and client_secret seem correct.

On the Google configuration end of things, what should I put for:

  • Redirect URIs
  • Javascript Origins

I currently have:

  • Redirect URIs : <domain.com>/admins/auth/google_oauth2/callback
  • Javascript Origins: <domain.com>
@GUI
Copy link
Member

GUI commented Nov 12, 2014

Those redirect URIs and origins look exactly like what we have working. But just to double check, do you have those URLs prefixed with https:// (or http:// depending on your setup)? We do have the full URLs listed, including the https:// prefix.

And then in your /etc/api-umbrella/api-umbrella.yml config file, does your setup look something like this?

web:
  admin:
    auth_strategies:
      google:
        client_id: XXXXXX.apps.googleusercontent.com
        client_secret: XXXXXXX

@brylie
Copy link
Contributor Author

brylie commented Nov 12, 2014

Alright, great. I will double check.

Can anyone please help update/verify the following wiki documentation?
https://github.com/NREL/api-umbrella/wiki/Authentication-Strategies

@brylie
Copy link
Contributor Author

brylie commented Nov 12, 2014

Hm, our settings seem correct, as outlined above. The redirect takes us back to our website, but the message still indicates invalid credentials.

@brylie
Copy link
Contributor Author

brylie commented Nov 12, 2014

API Umbrella seems to prefer HTTPS by default, and we have not purchased an SSL certificate. Could it be related to us not having a validated SSL certificate?

@GUI
Copy link
Member

GUI commented Nov 18, 2014

Sorry again for the delay. I ran through this setup process on a machine from scratch and updated the auth strategies documentation (thanks again for getting that started). However, I think the instructions mostly match what you had discovered, so I'm a little puzzled why this isn't working for you. Mine also worked with my local machine having a self-signed SSL certificate, so I don't think the SSL stuff should make a difference.

Just to verify, your form and confirmation looked like these?

screen shot 2014-11-17 at 10 43 17 pm

screen shot 2014-11-17 at 10 44 02 pm

And then your /etc/api-umbrella/api-umbrella.yml ended up looking something like?

web:
  admin:
    initial_superusers:
      - your-email@whatever.com
    auth_strategies:
      github:
        client_id: YOUR_ID
        client_secret: YOUR_SECRET
      google:
        client_id: YOUR_ID.apps.googleusercontent.com
        client_secret: YOUR_SECRET

Assuming that all looks correct, is there anything in the /var/log/api-umbrella/supervisor/web-puma.log log file if you tail that while logging in via Google?

@brylie
Copy link
Contributor Author

brylie commented Nov 18, 2014

I have double and triple checked the settings, and even re-created the Client ID. I have tried with and without trailing slashes.

Could this be related to HTTPS (i.e. we do not have an HTTPS certificate for the domain)?

@GUI
Copy link
Member

GUI commented Nov 18, 2014

D'oh! I think I just realized what the issue is. The omniauth-google-oauth2 strategy recently made some changes that require you enable the "Contacts API" and "Google+ API" services in the API console:

Note: You must enable the "Contacts API" and "Google+ API" via the Google API console. Otherwise, you will receive an OAuth2::Error stating that access is not configured when you attempt to authenticate.

I totally forgot that this recently bit us too after we upgraded omniauth-google-oauth2 (but since you only have to do this once, I had forgotten). Very sorry for not realizing this sooner, but hopefully this explains things and makes things work for you (finally!). I've updated our own documentation, but let me know if that does the trick or not.

@GUI
Copy link
Member

GUI commented Dec 4, 2014

@brylie Just curious and wanted to follow up: Did you have a chance to see if my last comment about enabling the "Contacts API" and "Google+ API" in the Google API console fixed things for you?

@alexsorokoletov
Copy link

alexsorokoletov commented Sep 15, 2018

I get similar error with all APIs mentioned enabled.
I can see requests going to Google+ API and all of them fail with 403.

Same client ID and secret are working with another oauth2 app.
I removed username_is_email: true from the config and it worked. Not sure why this part was in the config, maybe just came from the documentation example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants