
ueberauth_google's Introduction

Überauth


An Elixir Authentication System for Plug-based Web Applications

Ueberauth is a two-phase authentication framework that provides a clear API - allowing for many strategies to be created and shared within the community. It is heavily inspired by Omniauth. You could call it a port but it is significantly different in operation - but almost the same concept. Huge hat tip to Intridea.

Ueberauth provides only the initial authentication challenge (initial OAuth flow, collecting the information from a login form, etc). It does not authenticate each request; that's up to your application. You could issue a token or put the result into a session for your application's needs. Libraries like Guardian can help you with that aspect of authentication.

The two phases are request and callback. These phases are implemented by Strategies.

Strategies

Strategies are plugs that decorate or intercept requests (or both).

Strategies implement the two phases and then may allow the request to flow through to your downstream plugs. Implementing the request and callback phases is optional, depending on the strategy's requirements. If a strategy does not redirect, the request will be decorated with Ueberauth information and allowed to carry on through the pipeline.

See the full list of the strategies on the Wiki.

Request Phase

The request phase is where you request information about the user. This could be a redirect to an OAuth2 authorization url or a form for collecting username and password. The request phase is concerned with only the collection of information. When a request comes in on the request phase url the relevant strategy will receive the handle_request! call.

In some cases (default) the application using Ueberauth is responsible for implementing the request phase. That is, you should set up a route to receive the request phase and provide a form etc. In some cases, like OAuth, the request phase is used to redirect your user to a 3rd party site to fulfill the request.

For example, an OAuth strategy for GitHub will receive the request phase url and stop the request, redirecting you to GitHub’s OAuth challenge url with some query parameters. Once you complete the GitHub OAuth flow, the user will be redirected back to the host site to the callback URL.

Another example is simple email/password authentication. A request is made by the client to the request phase path and the host application displays a form. The strategy will likely not do anything with the incoming handle_request! request and simply pass through to the application. Once the form is completed, the POST should go to the callback url where it is handled (passwords checked, users created / authenticated).

Callback Phase

The callback phase is where the fun happens. Once a successful request phase has been completed, the request phase provider (OAuth provider or host site, etc) should call the callback URL. The strategy will intercept the request via the handle_callback!. If successful, it should prepare the connection so the Ueberauth.Auth struct can be created, or set errors to indicate a failure.

See Ueberauth.Strategy for more information on constructing the Ueberauth.Auth struct.

Looking for an example? Take a look at ueberauth/ueberauth_example.

Setup

Add the dependency

# mix.exs

defp deps do
  # Add the dependency
  [{:ueberauth, "~> 0.10"}]
end

Fetch the dependencies

mix deps.get

Configuring providers

In your configuration file (config/config.exs) provide a list of the providers you intend to use. For example:

config :ueberauth, Ueberauth,
  providers: [
    facebook: { Ueberauth.Strategy.Facebook, [ opt1: "value", opts2: "value" ] },
    github: { Ueberauth.Strategy.Github, [ opt1: "value", opts2: "value" ] }
  ]

This will define two providers for you. The general structure of the providers value is:

config :ueberauth, Ueberauth,
  providers: [
    <provider name>: { <Strategy Module>, [ <strategy options> ] }
  ]

We use the configuration options for defining these to allow for dependency injection in different environments. The provider name will be used to construct request and response paths (by default) but will also be returned in the Ueberauth.Auth struct as the provider field.

Once you've set up your providers, in your router you need to configure the plug to run. The plug should run before your application routes.

In Phoenix, plug this module in your controller:

defmodule MyApp.AuthController do
  use MyApp.Web, :controller
  plug Ueberauth
  ...
end

Its URL matching is done via pattern matching rather than explicit runtime checks so your strategies will only fire for relevant requests.

Now that you have this, your strategies will intercept relevant requests for each strategy for both request and callback phases. The default URLs are (for our Facebook & GitHub example):

# Request phase paths
/auth/facebook
/auth/github

# Callback phase paths
/auth/facebook/callback
/auth/github/callback

Customizing Paths

These paths can be configured on a per strategy basis by setting options on the provider.

Note: These paths are absolute

config :ueberauth, Ueberauth,
  base_path: "/login", # default is "/auth"
  providers: [
    identity: {Ueberauth.Strategy.Identity, [request_path: "/login/identity",
                                             callback_path: "/login/identity/callback"]}
  ]

Customizing JSON Serializer

Your JSON serializer can be configured depending on what you have installed in your application. Defaults to Jason.

config :ueberauth, Ueberauth,
  json_library: Poison # default is Jason

HTTP Methods

By default, all callback URLs are only available via the "GET" method. You can override this via options to your strategy.

providers: [
  identity: {Ueberauth.Strategy.Identity, [callback_methods: ["POST"]]}
]

Strategy Options

All options that are passed into your strategy are available at runtime to modify the behaviour of the strategy.

Copyright and License

Copyright (c) 2015 Sonny Scroggin

Released under the MIT License, which can be found in the repository in LICENSE.


ueberauth_google's Issues

hexdocs has a bug in it

The hexdocs show

config :ueberauth, Ueberauth,
  providers: [
    google: [ { Ueberauth.Strategy.Google, [] } ]
  ]

It should be, like in the README,

config :ueberauth, Ueberauth,
  providers: [
    google: { Ueberauth.Strategy.Google, [] }
  ]

Document API-backed mobile app workflow

I'm opening this issue to begin discussing mobile app flow for google oauth2, which I feel is either under-documented or unsupported (and needs to be documented as unsupported).

Problem:

This library calls for both a client_id and client_secret with no mention of how to work without a client_secret. When generating an OAuth client ID in the Google developer console, neither iOS app nor Android app generates a client secret.

Scenario:

Ueberauth is used for an API that backs an android app. Google sign-in is added to the app. Following the android documentation this will bring up native components rather than using a web-redirect flow. This is still a valid oauth scenario and something which an API could potentially desire.

I've manually implemented this auth flow in Python previously, and I'd be happy to help if there is development effort needed here.

Hackney not running?

Hi,

I tried to set up Ueberauth with Google auth recently and ran into an error due to hackney not running.

The ueberauth example app seems to run fine, so I'm wondering what I might be missing (or what may have changed recently that is not reflected in the example app)?

How do I get scopes which are not under userinfo?

Sorry this is probably an obvious question but how would I request an OAuth token with scopes which are not under userinfo? For instance, the drive scope? I've tried sticking drive in the default scopes and messing around with the userinfo_endpoint parameter but neither of these seem to work. Both of these give 400 errors on the Google side.

Is this library only designed to give the userinfo scopes and I'm missing something fundamental about how OAuth is intended to work?

Thanks in advance and sorry for the stupid questions!

What would cause "No code received" error?

I sometimes get an exception in my logs, "No code received" for my app when running in production, but I can never reproduce it. Does anyone know what might cause a missing_code "No code received" error to occur?

Here's my config: (client_id and client_secret omitted)

config :ueberauth, Ueberauth,
  providers: [
    google: {
      Ueberauth.Strategy.Google,
      [
        request_path: "/login",
        callback_path: "/auth/google/callback",
        default_scope: "email profile"
      ]
    }
  ]

Should the strategy be responsible of validating the "hd" attribute?

Hello folks.

In the README it's written:

the hd parameter to suggest a particular Google Apps hosted domain (caution, can still be overridden by the user)

If I look at the Ruby Google OAuth2 Omniauth strategy (Ueberauth philosophy is based on Omniauth for people who don't know), we can see that the strategy is validating the hd parameter during the callback phase and raising an exception if the domain is invalid:
https://github.com/zquestz/omniauth-google-oauth2/blob/master/lib/omniauth/strategies/google_oauth2.rb#L213

So my question is: do you think this strategy should also validate the hd parameter like the Ruby one?
Would you accept a PR which would implement such behaviour?

Thanks!
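A sketch of the callback-side check this issue asks about, added here as an example and not code from ueberauth_google or omniauth-google-oauth2: a login is accepted only when the hd claim in the user data Google returns is on an allow-list. The module name HostedDomain, the allowed domain and the sample claim maps are assumptions constructed for illustration.

```elixir
defmodule HostedDomain do
  @moduledoc """
  Added example (hypothetical module, not part of ueberauth_google).
  The `hd` request parameter only suggests a domain to the user, so the
  hosted domain has to be checked again on the data returned in the callback.
  """

  @doc """
  Checks the user claims returned by Google against an allow-list of domains.
  Returns {:ok, domain} or {:error, reason}.
  """
  def check(claims, allowed_domains) when is_map(claims) and is_list(allowed_domains) do
    allowed = Enum.map(allowed_domains, &String.downcase/1)

    case Map.get(claims, "hd") do
      nil ->
        # No hd claim: the account does not belong to a hosted domain.
        # Do not fall back to the domain part of the e-mail address.
        {:error, :missing_hosted_domain}

      value when is_binary(value) ->
        domain = String.downcase(value)
        if domain in allowed, do: {:ok, domain}, else: {:error, {:domain_not_allowed, domain}}

      _other ->
        {:error, :malformed_hosted_domain}
    end
  end
end

# Constructed sample claims (not real accounts)
samples = [
  # hosted-domain account in the allowed domain
  %{"email" => "alice@example.com", "hd" => "example.com"},
  # same domain, different case
  %{"email" => "dave@example.com", "hd" => "Example.COM"},
  # account with a matching e-mail address but no hd claim
  %{"email" => "carol@example.com"},
  # hosted-domain account from a different organisation
  %{"email" => "bob@other.test", "hd" => "other.test"},
  # hd present but not a string
  %{"email" => "erin@example.com", "hd" => ["example.com"]}
]

for claims <- samples do
  IO.inspect({claims["email"], HostedDomain.check(claims, ["example.com"])})
end
```

In a controller this check would run in the callback action before a session is created, with a failed check treated like any other authentication failure.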

Passing custom parameters to auth flow

Without access_type, I'm not able to get a refresh token for offline access, so I patched the lib for some custom parameters that I wanted.

  @doc """
  Handles initial request for Google authentication.
  """
  def handle_request!(conn) do
    scopes = conn.params["scope"] || option(conn, :default_scope)
    # added response_type, access_type, and approval_prompt
    opts = [ scope: scopes, response_type: "code", access_type: "offline", approval_prompt: "force" ]
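    # a rebinding inside `if` does not escape the block, so bind the result of the expression
    opts = if conn.params["state"], do: Keyword.put(opts, :state, conn.params["state"]), else: opts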
    opts = Keyword.put(opts, :redirect_uri, callback_url(conn))

    redirect!(conn, Ueberauth.Strategy.Google.OAuth.authorize_url!(opts))
  end

What is the proper way to pass custom options? If this isn't supported, what can I do to help improve the library? Thanks!

(CaseClauseError) no case clause matching:

I got all my IDs from the Google console, plugged them into the sample app and I got this error (it's at the very end). After I enabled the API things worked fine. I'm not sure if this is something that can be handled by the library itself (i.e. this case, when API is not turned on) or in the controller.

** (CaseClauseError) no case clause matching: {:ok, %OAuth2.Response{body: %{"error" => %{"code" => 403, "errors" => [%{"domain" => "usageLimits", "extendedHelp" => "https://console.developers.google.com/apis/api/plus/overview?project=889214574482", "message" => "Access Not Configured. Google+ API has not been used in project 889214574482 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/plus/overview?project=889214574482 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.", "reason" => "accessNotConfigured"}], "message" => "Access Not Configured. Google+ API has not been used in project 889214574482 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/plus/overview?project=889214574482 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."}}, headers: [{"Vary", "X-Origin"}, {"Content-Type", "application/json; charset=UTF-8"}, {"Date", "Sat, 16 Apr 2016 23:07:47 GMT"}, {"Expires", "Sat, 16 Apr 2016 23:07:47 GMT"}, {"Cache-Control", "private, max-age=0"}, {"X-Content-Type-Options", "nosniff"}, {"X-Frame-Options", "SAMEORIGIN"}, {"X-XSS-Protection", "1; mode=block"}, {"Server", "GSE"}, {"Alternate-Protocol", "443:quic"}, {"Alt-Svc", "quic=":443"; ma=2592000; v="32,31,30,29,28,27,26,25""}, {"Accept-Ranges", "none"}, {"Vary", "Origin,Accept-Encoding"}, {"Transfer-Encoding", "chunked"}], status_code: 403}}

Getting a 403 error, no details

I set up my application similar to the example application.

I can reach the consent screen. However, right after I click "allow", I get an error:

%Ueberauth.Failure{errors: [%Ueberauth.Failure.Error{message: 403,
   message_key: "OAuth2"}], provider: :google,
 strategy: Ueberauth.Strategy.Google}

How do I get more details about this error so that I can troubleshoot?

EDIT: It works if I remove default_scope: "https://www.googleapis.com/auth/calendar" from the config. Is there an issue with this scope with regards to this library?

How to pass custom state after the CSRF refactoring?

Hi!

I have noticed that after #82 the state query parameter is set internally by Ueberauth to perform CSRF validation.

The question now is, can we still pass custom state data during the OAuth process? Does anyone know how?

It seems that whatever you pass via the state query param gets overwritten with Ueberauth's CSRF token. This breaks our app logic, which uses state to know where to redirect users after login.

Thanks!

HTTPS Not Working Behind Proxy

Using NGINX to do SSL offloading there doesn't seem to be a way to make the OAuth request with a callback URI that uses HTTPS instead of HTTP.

Is there any way to make it possible to either manually specify HTTPS or a Callback URI?

Runtime config should be put in config/runtime.exs?

Hi all,

currently the guide shows that we configure the runtime environment like this: https://github.com/ueberauth/ueberauth_google/blob/master/README.md#installation

Use that if you want to read client ID/secret from the environment variables in the run time:

config :ueberauth, Ueberauth.Strategy.Google.OAuth,
  client_id: {System, :get_env, ["GOOGLE_CLIENT_ID"]},
  client_secret: {System, :get_env, ["GOOGLE_CLIENT_SECRET"]}

Should we put the config in config/runtime.exs like the following:

config :ueberauth, Ueberauth.Strategy.Google.OAuth,
  client_id: System.get_env("GOOGLE_CLIENT_ID"),
  client_secret: System.get_env("GOOGLE_CLIENT_SECRET")

CaseClauseError fetching user from OAuth response

I've hit a clause error I'd like to document here for anyone to pick up. Also, I might find some time to tackle this myself later. I don't have much context, since it was simply picked up by Sentry.

From just looking at the exception, my best guess is that 500 is the status code from google, and ueberauth isn't handling that API failure?

Elixir.CaseClauseError: no case clause matching: {:ok, %OAuth2.Response{
  body: %{}, 
  headers: [
    {"vary", "X-Origin"}, 
    {"content-type", "application/json; charset=UTF-8"}, 
    {"date", "Tue, 25 Jul 2017 14:15:47 GMT"}, 
    {"expires", "Tue, 25 Jul 2017 14:15:47 GMT"}, 
    {"cache-control", "private, max-age=0"}, 
    {"x-content-type-options", "nosniff"}, 
    {"x-frame-options", "SAMEORIGIN"}, 
    {"x-xss-protection", "1; mode=block"}, 
    {"server", "GSE"}, 
    {"alt-svc", "quic=\":443\"; ma=2592000; v=\"39,38,37,36,35\""}, 
    {"accept-ranges", "none"}, 
    {"vary", "Origin,Accept-Encoding"}, 
    {"transfer-encoding", "chunked"}
  ], 
  status_code: 500}}
  File "lib/ueberauth/strategy/google.ex", line 126, in Ueberauth.Strategy.Google.fetch_user/2
  File "lib/ueberauth/strategy.ex", line 299, in Ueberauth.Strategy.run_callback/2
  File "web/controllers/auth_controller.ex", line 1, in Auth.AuthController.phoenix_controller_pipeline/2
    defmodule Auth.AuthController do
  File "lib/auth/endpoint.ex", line 1, in Auth.Endpoint.instrument/4
    defmodule Auth.Endpoint do
  File "lib/phoenix/router.ex", line 261, in Auth.Router.dispatch/2
  File "web/router.ex", line 1, in Auth.Router.do_call/2
    defmodule Auth.Router do
  File "lib/plug/error_handler.ex", line 64, in Auth.Router.call/2
  File "lib/auth/endpoint.ex", line 1, in Auth.Endpoint.phoenix_pipeline/1
    defmodule Auth.Endpoint do

Default `prompt` param

Hello, it seems like it is quite impossible to pass a default prompt param in provider options. It works only if prompt is passed as a query param. Btw, to get refresh_token from Google you need to pass both prompt=consent and access_type=offline simultaneously. approval_prompt mentioned in docs doesn't work for this purpose.

`default_scope` in README doesn't work

My config:

config :ueberauth, Ueberauth,
  providers: [
    google: {Ueberauth.Strategy.Google, [default_scope: "emails profile plus.me", approval_prompt: "force", access_type: "offline"]}
  ]

Response from Google:

Error: invalid_scope

Some requested scopes were invalid. {valid=[https://www.googleapis.com/auth/userinfo.profile], invalid=[emails, plus.me]}

Per Strategy callback_url or callback_path

We have different strategies in an umbrella app that needs multiple to get callback in specific routes (apps). We tried changing base_path, callback_url and callback_path without success.
Our Google OAuth Client contains a common Authorized JavaScript origins and multiple Authorized redirect URIs.
Our request succeeds but only on redirects to primary url.

Sending the token to a separate frontend application from Phoenix api-only app

How are we supposed to send the token to the frontend application since the frontend application will have to open a new window for Google authentication to work properly. So, when we send the token to the frontend from the new window, only the token will be rendered in the window as json.

For example, in my backend application, I ping localhost:4000/api/v1/auth/google to get the token. But when I ping it from my frontend application, which is running on localhost:3000, I get something like the following:

screen shot 2017-06-27 at 02 25 22

I'm guessing this happens because I'm not requesting it from a new window! But, if I request it from a new window, how will the token be sent to the parent window?

Release new version

It's been almost one year since the latest version, 0.7, has been released, and some bug fixes have been made since then. I think it would make sense to release the current code as the latest version on Hex.
Actually, I was struggling to deal with the problem that has been fixed by #55, as 0.7 does not include it. So, I'd appreciate if the new version will be released 😃

callback_scheme option override doesn't seem to work

I'm having issue with Error 400: redirect_uri_mismatch

The URL is properly set in Google Dev Console, however ueberauth seems to request the URL with HTTP instead of HTTPS. Reading the source leads me to this comment where I can specify an option to override the callback scheme.

https://github.com/ueberauth/ueberauth/blob/7ebc0aeeb17d0953bdc53a01018307fb03e0b189/lib/ueberauth.ex#L182-L186

config :ueberauth, Ueberauth,
  providers: [
    google:
      {Ueberauth.Strategy.Google, [default_scope: "email profile", callback_scheme: "https"]}
  ]

However the callback was still sent with HTTP. I'm using Cloudflare as https reverse proxy.

Anti-forgery state token

From what I could understand with my limited experience with elixir and phoenix, there is no anti forgery token currently created and verified, please correct me if I am wrong and didn't know where to look.

That's something that's recommended by the Google OpenID implementation guide.

You must protect the security of your users by preventing request forgery attacks. The first step is creating a unique session token that holds state between your app and the user's client. You later match this unique session token with the authentication response returned by the Google OAuth Login service to verify that the user is making the request and not a malicious attacker. These tokens are often referred to as cross-site request forgery (CSRF) tokens.
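The anti-forgery state check quoted above, together with one way to keep a post-login destination without putting it in the state parameter (the question in "How to pass custom state after the CSRF refactoring?"). This is an added example, not code from Ueberauth or ueberauth_google; the module OAuthState, its function names, the session keys and the plain map standing in for the session are assumptions made for illustration.

```elixir
defmodule OAuthState do
  @moduledoc """
  Added example (hypothetical module). The session is modelled as a plain map;
  in a Plug application these values would live in the user's session.
  """
  import Bitwise

  @default_path "/"

  @doc """
  Request phase: create an unguessable state value and remember, on the
  server side, where the user should land after login.
  Returns {state_to_send_to_provider, session_data_to_store}.
  """
  def issue(return_to) do
    state = 32 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
    {state, %{"oauth_state" => state, "return_to" => safe_return_path(return_to)}}
  end

  @doc """
  Callback phase: the state echoed back by the provider must equal the stored
  one. Returns {:ok, return_to} or {:error, reason}.
  """
  def verify(%{"oauth_state" => expected, "return_to" => return_to}, returned)
      when is_binary(expected) and is_binary(returned) do
    if secure_compare(expected, returned), do: {:ok, return_to}, else: {:error, :state_mismatch}
  end

  def verify(_session, _returned), do: {:error, :state_missing}

  @doc "Accepts only same-site absolute paths; anything else becomes the default path."
  def safe_return_path(path) when is_binary(path) do
    local? =
      String.starts_with?(path, "/") and
        not String.starts_with?(path, ["//", "/\\"]) and
        not String.contains?(path, ["\r", "\n"])

    if local?, do: path, else: @default_path
  end

  def safe_return_path(_other), do: @default_path

  # Comparison whose running time does not depend on where the inputs differ
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end)
    |> Kernel.==(0)
  end

  defp secure_compare(_a, _b), do: false
end

# Constructed walk-through of both phases
{state, session} = OAuthState.issue("/projects/42")

# provider echoes the same state back: {:ok, "/projects/42"}
IO.inspect(OAuthState.verify(session, state))

# state in the callback does not match the session: {:error, :state_mismatch}
IO.inspect(OAuthState.verify(session, "constructed-other-value"))

# callback arrives in a browser that never started the flow: {:error, :state_missing}
IO.inspect(OAuthState.verify(%{}, state))

# a destination that is not a local path is replaced by "/"
{_state, session2} = OAuthState.issue("//other.example/path")
IO.inspect(session2["return_to"])
```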

Does not work with Google Identity Service

The library does not seem to work with the rather new Google Identity Service (https://developers.google.com/identity/gsi/web/guides/overview).

Example of the callback request:

[info] POST /auth/google/callback
[debug] Processing with AppWeb.OauthController.callback/2
  Parameters: %{"clientId" => "xyz", "credential" => "jwt_from_google", "g_csrf_token" => "123123213", "provider" => "google", "select_by" => "btn"}
  Pipelines: [:browser]
%Plug.Conn{
  adapter: {Plug.Cowboy.Conn, :...},
  assigns: %{current_user: nil},
  body_params: %{
    "clientId" => "xyz",
    "credential" => "jwt_from_google",
    "g_csrf_token" => "1213123",
    "select_by" => "btn"
  },
  cookies: %{

So it seems nothing gets parsed and assigned to the conn.

support {:system, "X"} for provider configuration

Our use case requires configuring provider details via environment variables. Planning to fork the library and file a PR for this change, which involves changing Ueberauth.Strategy.Google.OAuth.client. Is it something you’ll take?

Thanks in advance.

Request token call failing

I'm getting the following exception / issue when the call to get an access token is made (id and secret removed by me):

Request: GET /auth/google/callback?code=4/Ra_GS_u-NB3DstQ8QjK5a7Ne9OXfsrPSY54VM0ciUSQ
** (exit) an exception was raised:
    ** (KeyError) key :access_token not found in: %OAuth2.Client{authorize_url: "/o/oauth2/v2/auth", client_id: "MY_ID", client_secret: "MY_SECRET", headers: [], params: %{}, redirect_uri: "http://2t77wg.xip.io:4000/auth/google/callback", site: "https://accounts.google.com", strategy: Ueberauth.Strategy.Google.OAuth, token: %OAuth2.AccessToken{access_token: nil, expires_at: nil, other_params: %{"error" => "invalid_request", "error_description" => "client_secret is missing."}, refresh_token: nil, token_type: "Bearer"}, token_method: :post, token_url: "https://www.googleapis.com/oauth2/v4/token"}
        (ueberauth_google) lib/ueberauth/strategy/google.ex:31: Ueberauth.Strategy.Google.handle_callback!/1
        (ueberauth) lib/ueberauth/strategy.ex:299: Ueberauth.Strategy.run_callback/2
        (no_maw_meetings) web/controllers/auth_controller.ex:1: NoMawMeetings.AuthController.phoenix_controller_pipeline/2
        (no_maw_meetings) lib/no_maw_meetings/endpoint.ex:1: NoMawMeetings.Endpoint.instrument/4
        (no_maw_meetings) lib/phoenix/router.ex:261: NoMawMeetings.Router.dispatch/2
        (no_maw_meetings) web/router.ex:1: NoMawMeetings.Router.do_call/2
        (no_maw_meetings) lib/no_maw_meetings/endpoint.ex:1: NoMawMeetings.Endpoint.phoenix_pipeline/1
        (no_maw_meetings) lib/plug/debugger.ex:122: NoMawMeetings.Endpoint."call (overridable 3)"/2
        (no_maw_meetings) lib/no_maw_meetings/endpoint.ex:1: NoMawMeetings.Endpoint.call/2
        (plug) lib/plug/adapters/cowboy/handler.ex:15: Plug.Adapters.Cowboy.Handler.upgrade/4
        (cowboy) src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4

Not sure what's going on. I've looked around in the source code and it looks like the client_secret is being sent. I am new to Elixir!

%OAuth2.Response{status_code: 503} with no error_description in body is not handled in get_access_token

Steps to Reproduce

In our error tracker, we sometimes see a CaseClauseError in Ueberauth.Strategy.Google.OAuth.get_access_token/2 when Google responds with a 503 error. The response's body only has an "error" key, but doesn't have the "error_description" key. Since this is an internal error from Google, we cannot reproduce it ourselves. The response looks like this:

{:error,
 %OAuth2.Response{
   status_code: 503,
   headers: [
     {"cache-control", "no-cache, no-store, max-age=0, must-revalidate"},
     {"expires", "Mon, 01 Jan 1990 00:00:00 GMT"},
     {"date", "Fri, 28 Jul 2023 16:55:20 GMT"}
	 # more headers omitted for readability
   ],
   body: %{"error" => "internal_failure"}
 }}

It fails to be matched against one of the patterns from

  {:error, %OAuth2.Response{body: %{"error" => error, "error_description" => description}}} ->
    {:error, {error, description}}
  {:error, %OAuth2.Error{reason: reason}} ->
    {:error, {"error", to_string(reason)}}
  {:ok, %OAuth2.Client{token: %{access_token: nil} = token}} ->
    %{"error" => error, "error_description" => description} = token.other_params
    {:error, {error, description}}
  {:ok, %OAuth2.Client{token: token}} ->
    {:ok, token}

Expected Result

The get_access_token function returns a well formatted error like in case of other handled error responses. Since the error description is missing in the response, the short error code could be repeated in place of the description.

Actual Result

A CaseClauseError is raised.

OAuth2.Error{reason: :closed} is not handled in get_access_token for Google OAuth

Steps to Reproduce

Sorry unknown steps to reproduce.

Expected Result

Error should be caught and handled.

Actual Result

We got this stack trace, which suggests that a certain class of OAuth2 error isn't being handled properly.

** (exit) an exception was raised:
    ** (CaseClauseError) no case clause matching: {:error, %OAuth2.Error{reason: :closed}}
        (ueberauth_google 0.10.1) lib/ueberauth/strategy/google/oauth.ex:54: Ueberauth.Strategy.Google.OAuth.get_access_token/2
        (ueberauth_google 0.10.1) lib/ueberauth/strategy/google.ex:45: Ueberauth.Strategy.Google.handle_callback!/1
        (ueberauth 0.7.0) lib/ueberauth/strategy.ex:364: Ueberauth.Strategy.run_handle_callback/2

The code blowing up is:

  def get_access_token(params \\ [], opts \\ []) do
    case opts |> client |> OAuth2.Client.get_token(params) do
      {:error, %{body: %{"error" => error, "error_description" => description}}} ->
        {:error, {error, description}}
      {:ok, %{token: %{access_token: nil} = token}} ->
        %{"error" => error, "error_description" => description} = token.other_params
        {:error, {error, description}}
      {:ok, %{token: token}} ->
        {:ok, token}
    end
  end
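An exhaustive way to normalise the token-exchange results reported in this issue and in the 503 issue above it, written as an added example and not the library's own code or its eventual fix. The module name TokenResult and the sample tuples are constructed; the patterns match on plain map shapes, so they also accept the OAuth2 structs shown in the reports.

```elixir
defmodule TokenResult do
  @moduledoc """
  Added example (hypothetical module). Every result shape ends in
  {:ok, token} or {:error, {code, description}}, so no response from the
  provider can raise a CaseClauseError in the callback.
  """

  # Successful exchange: a token with a usable access_token
  def normalize({:ok, %{token: %{access_token: value} = token}}) when is_binary(value),
    do: {:ok, token}

  # 2xx response whose body carried an error instead of a token
  def normalize({:ok, %{token: %{access_token: nil} = token}}),
    do: error_from_body(Map.get(token, :other_params, %{}))

  # Non-2xx response such as the 503 with only an "error" key
  def normalize({:error, %{body: body}}), do: error_from_body(body)

  # Transport-level failure such as %OAuth2.Error{reason: :closed}
  def normalize({:error, %{reason: reason}}), do: {:error, {"error", inspect(reason)}}

  # Anything else. The term is deliberately not echoed into the error: the
  # client struct in these results carries client_secret.
  def normalize(_other), do: {:error, {"unexpected_response", "unrecognised token response"}}

  # The short error code is repeated when error_description is missing
  defp error_from_body(%{"error" => error} = body) when is_binary(error),
    do: {:error, {error, Map.get(body, "error_description", error)}}

  defp error_from_body(_body),
    do: {:error, {"invalid_response", "no error details in response body"}}
end

# Constructed samples shaped like the results quoted in the reports
samples = [
  {:error, %{status_code: 503, body: %{"error" => "internal_failure"}}},
  {:error, %{reason: :closed}},
  {:ok,
   %{
     token: %{
       access_token: nil,
       other_params: %{
         "error" => "invalid_request",
         "error_description" => "client_secret is missing."
       }
     }
   }},
  {:error, %{status_code: 500, body: %{}}},
  {:ok, %{token: %{access_token: "constructed-token", other_params: %{}}}}
]

Enum.each(samples, fn sample -> IO.inspect(TokenResult.normalize(sample)) end)
```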

Redirect_URI not resolving correctly

Steps to Reproduce

  1. Change redirect_uri parameter to some value in config:
    config :ueberauth, Ueberauth.Strategy.Google.OAuth, redirect_uri: 'https://example.com'

  2. Check network logs

Expected Result

Expected redirect_uri to be https://example.com

Actual Result

Got redirect_uri to be http://example.com

My Suspicion

My endpoint uses HTTP and I get HTTPS through NGINX. I think the URI is resolving to the endpoint HTTP status instead of explicitly using the string I provided it.

Deprecation warnings even after an upgrade

Hi! The project where this dependency is installed is on Elixir version 1.8.2. I have tried upgrading the version of this dependency (0.7) but the warnings persist. Does someone have insights into why this might be happening?

warning: variable "package" does not exist and is being expanded to "package()", please use parentheses to remove the ambiguity or change the variable name

warning: variable "description" does not exist and is being expanded to "description()", please use parentheses to remove the ambiguity or change the variable name

warning: variable "deps" does not exist and is being expanded to "deps()", please use parentheses to remove the ambiguity or change the variable name

warning: variable "docs" does not exist and is being expanded to "docs()", please use parentheses to remove the ambiguity or change the variable name

warning: variable "docs_extras" does not exist and is being expanded to "docs_extras()", please use parentheses to remove the ambiguity or change the variable name

Push updates to Hex

@doomspork Hi, there are fixes languishing here since Dec 2016 (e.g. Elixir 1.4 warnings). Would greatly appreciate if an update is published to Hex.
