Google OAuth 2.0: Age restrictions - google-oauth

When underage user (< 13 years old) tries to log in using "Continue with Google" button, they are correctly presented with "Can't access this service" error, because our website has an age restriction.
But when they use Google OAuth 2 prompt opened by
const client = google.accounts.oauth2.initCodeClient(...)
client.requestCode()
they see a parental consent window instead.
How do we set up our Google OAuth 2 prompt to have the same "Can't access this service" error for underage users?

Related

"Send With DocuSign" URL Button Works In Sandbox But Not Production

An APEX email error is received when trying to utilize the "Send With DocuSign" URL button on the contract object in Salesforce. This button was just created to meet the requirements to move from a JavaScript button. The button does not trigger an error in Sandbox, works as expected. But I can not replicate in production without getting the error shown below. Any idea on how to get this resolved?
Developer script exception from Franklin Madison Group : DocuSignAPICredentials : Please verify that you have been granted access to DocuSign, your account settings are correct and that you have responded to all activation emails.
Apex script unhandled exception by user/organization: 0053n000007GFbq/00D70000000Je65
Visualforce Page: /apex/dsfs__docusign_editenvelope
caused by: dsfs.UnauthorizedException: Please verify that you have been granted access to DocuSign, your account settings are correct and that you have responded to all activation emails.
Class.dsfs.DocuSignAPICredentials.getInstance: line 71, column 1
Class.dsfs.DocuSignAPICredentials.getInstance: line 56, column 1
Class.dsfs.AccountFeatures.getInstance: line 139, column 1
Class.dsfs.EnvelopeController.loadEnvelope: line 164, column 1
Cause
Common causes for the issue are listed below,
The DocuSign user associated with the Salesforce user sending the envelope is not active
The Salesforce user has not been added to the DocuSign users list in DocuSign Setup settings (in Salesforce)
You are attempting to use Salesforce Login Access on behalf of a user "not yet Authorized DocuSign eSignature for Salesforce (DAL)"
Note: If the user hasn't authorized already, please refer to Step 4 in this article
Solution
Before continuing, ensure that you are on the most recent version of DocuSign eSignature for Salesforce (DAL). If you are on an outdated version, some of these steps will be unavailable.
To resolve this error, you’ll need to verify both issues that cause this error has been addressed.
First, you’ll need to verify that this Salesforce user has been added to DocuSign.
To verify if a Salesforce user has been added properly:
Navigate to DocuSign Setup.
Select User Management, then select Add User.
Enter the name of the user in the Value box. When they appear in the search results, select the checkbox next to their name and select Continue.
Assign the appropriate permissions to the user and select Apply. If your package is up to date and a DocuSign user already exists for this user, the Salesforce user will be mapped to their existing DocuSign user.
Click Done to finish.
Second, verify that the DocuSign user associated with this Salesforce account is active.
To check if a user is active in DocuSign:
Navigate to the DocuSign web app and select Settings.
Navigate to Users and search for the user in question.
If the user is not active, select Actions > Resend Invitation to send the invite to the user again.
To activate a user:
The User will need to navigate to their email client and open the invitation email.
Click the link in the email to activate.
Create a password and security question.
Once the user is active, have the user attempt to send an envelope from Salesforce to confirm the issue is resolved.
Additional Troubleshooting
If the DAL Admin and all users are noticing the same error, try to disconnect and reconnect.
Steps to Disconnect [Note: Disconnecting accounts will remove the DocuSign Gen and DocuSign Negotiate permissions for the Salesforce users that were given access under the old connection. You have to re-add DocuSign users and permissions in your organization.]
Steps to Reconnect
If the Salesforce Administrator attempting to make this change is unable to access the DocuSign Setup object, ensure that they have the correct permission set assignment to access the object.
To view permission set assignments in Salesforce:
Navigate to Setup, select Users.
Navigate to the user in question and open their profile.
Navigate to Permission Set Assignments, if the DocuSign permissions are missing, edit the section and add DocuSign Administrator.
Note: If you are running both DocuSign Apps Launcher and legacy DocuSign eSignature for Salesforce, you will see duplicate permission sets with similar names. Add both to ensure correct permissions are applied to the user.
Retest to see if the user can access DocuSign Setup. If it’s still failing, follow the steps in this article to navigate to the DocuSign Troubleshooting page and select Delete DocuSign Credentials. You should then be able to navigate to DocuSign Setup and reestablish the connection between DocuSign and Salesforce.

How to authenticate user with just a Google account on Actions on Google?

Currently Google Assitant includes an easy way to request non-identifiable information about the user and a detailed flow to authenticate the user on a third party service through OAuth2. What about if all I need is have the user authenticate on Google itself? I tried filling in the account linking flow using Google OAuth2 information, but that seems not to work. If that last thing is supposed to work fluently than that would be enough of an answer.
Context: Users already authenticate only with Google on a related webpage. All I need is to link this already authenticated account with the less-authenticated account on Google Assistant.
Update, 25 Oct 2018:
As of 13 September 2018, there is now a much simpler way to access the user's account if your project uses Google Sign-In. Google Sign-In for Assistant will give you an ID Token with information about the user, including their Google ID, with their permission. This permission can be granted just using voice and is fairly streamlined.
You can combine this with a web- or app-based Google Sign-In to get their permission to access OAuth scopes if you need to access Google's APIs.
Update, 25 Oct 2017:
As of around 4 Oct or 7 Oct, Google has updated their policy (again) to restore language restricting OAuth endpoints that are valid. The terms now include
When implementing account linking using OAuth, you must own your OAuth endpoint
and it appears (from the comments below) that they now check for the Google endpoints to prevent this method from working.
At this point, the only thing you can do is setup your own OAuth2 server.
Original Post:
Broadly speaking, the auth tasks you need to do are in four parts:
Configure your project (in the cloud console) so that the Calendar API is enabled and that the OAuth2 client is correctly configured.
Configure the Action for account linking in the action console.
Configure the Actions on Google Integration for your API.AI Agent to indicate that sign-in is required.
When API.AI calls your webhook to fulfill an Intent, it will include an auth token as part of the JSON. You can use this token to make calls to the Google APIs you need.
Configure Cloud Project
You need to configure your cloud project so that it has access to the Google APIs you need and setup the OAuth2 Client ID, Secret, and Redirect URI.
Go to https://console.cloud.google.com/apis/dashboard and make sure you have the project you're working with selected. Then make sure you have the APIs you need enabled.
Select the "Credentials" menu on the left. You should see something like this:
Select "Create credentials" and then "OAuth client ID"
Select that this is for a "Web application" (it is... kinda...)
Enter a name. In the screen shot below, I used "Action client" so I remember that this is actually for Actions on Google.
In the "Authorized Redirect URIs" section, you need to include a URI of the form https://oauth-redirect.googleusercontent.com/r/your-project-id replacing the "your-project-id" part with... your project ID in the Cloud Console. At this point, the screen should look something like this:
Click the "Create" button and you'll get a screen with your Client ID and Secret. You can get a copy of these now, but you can also get them later.
Click on "Ok" and you'll be taken back to the "Credentials" screen with the new Client ID added. You can click the pencil icon if you ever need to get the ID and Secret again (or reset the secret if it has been compromised).
Configure the Action Console
Once we have OAuth setup for the project, we need to tell Actions that this is what we'll be using to authenticate and authorize the user.
Go to https://console.actions.google.com/ and select the project you'll be working with.
In the Overview, make your way through any configuration necessary until you can get to Step 4, "Account Linking". This may require you to set names and icons - you can go back later if needed to correct these.
Select the Grant Type of "Authorization Code" and click Next.
In the Client Information section, enter the Client ID and Client Secret from when you created the credentials in the Cloud Console. (If you forget, go to the Cloud Console API Credentials section and click on the pencil.)
For the Authorization URL, enter https://accounts.google.com/o/oauth2/v2/auth
For the Token URL, enter https://www.googleapis.com/oauth2/v4/token
Click Next
You now configure your client for the scopes that you're requesting. Unlike most other places you enter scopes - you need to have one per line. Then click Next.
You need to enter testing instructions. Before you submit your Action, these instructions should contain a test account and password that the review team can use to evaluate it. But you can just put something there while you're testing and then hit the Save button.
Configure API.AI
Over in API.AI, you need to indicate that the user needs to sign-in to use the Action.
Go to https://console.api.ai/ and select the project you're working with.
Select "Integrations" and then "Actions on Google". Turn it on if you haven't already.
Click the "Sign in required for welcome intent" checkbox.
Handle things in your webhook
After all that setup, handling things in your webhook is fairly straightforward! You can get an OAuth Access Token in one of two ways:
If you're using the JavaScript library, calling app.getUser().authToken
If you're looking at the JSON body, it is in originalRequest.data.user.accessToken
You'll use this Access Token to make calls against Google's API endpoints using methods defined elsewhere.
You don't need a Refresh Token - the Assistant should hand you a valid Access Token unless the user has revoked access.
After contacting Google the current situation seems to be that you should set up your own OAuth2 server, and then on the login screen of your OAuth2 server you should start the Google OAuth2 flow.
you have to have your own endpoint with Google Oauth2 - it is correct that you can't use Google Oauth itself as a provider. To use the Google OAuth service, you can use a "sign in with Google" button in your own endpoint instead.
Source: Contacting Google Actions on Google Support
Kind of speechless right now... as this seems to be a huge oversight on Google's part.
I am able to make it work after a long time.
We have to enable the webhook first and we can see how to enable the webhook in the dialog flow fulfillment docs
If we are going to use Google Assistant, then we have to enable the Google Assistant Integration in the integrations first.
Then follow the steps mentioned below for the Account Linking in actions on google:-
Go to google cloud console -> APIsand Services -> Credentials -> OAuth 2.0 client IDs -> Web client -> Note the client ID, client secret from there
-> Download JSON - from json note down the project id, auth_uri, token_uri
-> Authorised Redirect URIs -> White list our app's URL -> in this URL fixed part is https://oauth-redirect.googleusercontent.com/r/ and append the project id in the URL
-> Save the changes
Actions on Google -> Account linking setup
1. Grant type = Authorisation code
2. Client info
1. Fill up client id,client secrtet, auth_uri, token_uri
2. Enter the auth uri as https://www.googleapis.com/auth and token_uri as https://www.googleapis.com/token
3. Save and run
4. It will show an error while running on the google assistant, but dont worry
5. Come back to the account linking section in the assistant settings and enter auth_uri as https://accounts.google.com/o/oauth2/auth
and token_uri as https://accounts.google.com/o/oauth2/token
6. Put the scopes as https://www.googleapis.com/auth/userinfo.profile and https://www.googleapis.com/auth/userinfo.email
and weare good to go.
7. Save the changes.
In the hosting server logs, we can see the access token value and through access token, we can get the details regarding the email address.
Append the access token to this link "https://www.googleapis.com/oauth2/v1/userinfo?access_token=" and we can get the required details in the resulting json page.
accessToken = req.get("originalRequest").get("data").get("user").get("accessToken")
r = requests.get(link)
print("Email Id= " + r.json()["email"])
print("Name= " + r.json()["name"])
You need to implement the Oauth protocol with whatever Google Assistant app you are developing. Let me be a bit more clear:
The user is on the assistant, you need to link him to any data
you have on your App side
The access to the data you have about
your user is protected by an access token
Google then needs to
ask you for this token to have access to this resource
When
google has the token it can send it to the app so it validates every
requests to get the resource.
This is why you need to implement your own oauth server (Honestly it is just two more endpoints in your application): the identity is checked on google's side, but the link between the user and the resource to access can only be known by you.
The process above is valid, you just need to specify your own token endpoint and your own auth endpoint.
Note that if you only want to check that the user is logged in into google and get his email, you just need to implement the streamlined identity flow that does not require the /auth endpoint (Automatically Sign Up Users with Streamlined Identity Flows)
That beeing said I implemented the flow but get the same error :
expected_inputs[0].possible_intents[0]: Transactions/Identity API must be enabled before using.

What password will I ask if auth/account-exists-with-different-credential is thrown

Here is my scenario, if user sign in with google provider first in my web application following after sometimes the same user may try to login in using facebook provider, now if the user's facebook provider email id matches with the previous google provider mail id in firebase, it will throw error like "account-exists-with-different-credential" in this case firebase will give us the facebook provider email id and instructed us to get the "Asks the user his password." what password will I ask them, if user have to enter the Gmail password will user enter their Gmail password in third party's site
In your case, you will also get an email and credential object(facebook credential) in the auth/account-exists-with-different-credential error thrown (error.credential and error.email). You then can call
auth.fetchProvidersForEmail(error.email)
to get the list of existing providers that correspond to that email. In this case you will get an array ['google.com']. Using one of these providers, you sign in the user to that provider.
auth.signInWithPopup(new firebase.auth.GoogleAuthProvider());
You can also set login-hint: error.email as a custom OAuth parameter on the google provider.
After that user is signed in. You then link the previous facebook credential to that user:
currentUser.link(error.credential);
You will now have that facebook account linked to the existing google account. The next time the user tries to login via facebook, the error won't be thrown again.

Firebase Google OAuth redirect error

I'm migrating from Firebase 2 and AngularFire 1 to Firebase 3 and AngularFire 2. With Firebase 2 and AngularFire 1 I had all six auth options working: Google, Facebook, Twitter, Github, e-mail & password, and anonymously. Now with Firebase 3 and AngularFire 2 five auth options are working but Google OAuth refuses to work. I'm using $scope.authObj.$signInWithPopup("google"). The pop-up pops up but then there's an error message:
The redirect URI in the request, https://crudiest-firebase.firebaseapp.com/__/auth/handler, does not match the ones authorized for the OAuth client.
In my Google Developers Console I have the authorized redirect URI set to https://crudiest-firebase.firebaseapp.com/__/auth/handler. This is the URI that works for Facebook, Twitter, and GitHub, and it's the same URI that's in the error message.
This error message has persisted for several days.
Just to make it easy to compare:
https://crudiest-firebase.firebaseapp.com/__/auth/handler // rejected redirect URI
https://crudiest-firebase.firebaseapp.com/__/auth/handler // redirect URI in console
Any suggestions why Google is giving me this error message?
Google's error message includes a project ID. The Google Developers Console has a project ID for each project. These two project IDs didn't match. When you create a project in the Google Developers Console you get a "Client ID" and a "Client secret." You can then enter or change these in the Firebase Console by selecting your project, then selecting "Auth" in the left column, then selecting the "SIGN-IN METHOD" tab, then select "Google," then click the arrow to open "Web SDK configuration (optional)." You'll then be able to change the "Web client ID" and the "Web client secret."
After hours I found solution, may be help
At the link: https://console.cloud.google.com/apis/credentials?project={your-project}

Twitter Streaming API query does not recognize authentication

From my google chrome browser I enter:
https://stream.twitter.com/1.1/statuses/filter.json?track=canucks
I get a window "Authentication Required". I have set up a Developer app in my twitter account. I enter my twitter User Name and my Password, and press Log In, but it keeps giving me the same Authentication Window. Any ideas what the problem could be?
In the Authentication Required window I see the text:
"The server https://stream.twitter.com:443 requires a username and password. The server says: Firehose."
The problem is that authorization with header info is needed. It is more complicated than the simple URL above. It is best done by writing some code with the authorization header needed, along with the above URL.