Google auth is invalid for this user. #4698
Comments
What are you using for the id/access_token? How do you acquire them?
I acquire them using the Google OAuth 2.0 Playground website, https://developers.google.com/oauthplayground/. When I test this using the Playground on this URL
And the id corresponds to the acquired ID?
The id is my email username. You don't acquire an id from that endpoint, but you get an id_token; is the id the id_token? I thought from the code here
it checks whether I passed in the id_token or the access_token. Clearly, though, using the id_token doesn't seem to work when testing with the Google OAuth 2 Playground. I will try to get the access_token with code and see if that works. It probably should work first because my app has the Google App ID on the client side, and when I log in, I need to authorize that. When I use the Playground, I am authorizing a different app. This is the part I didn't understand about how Parse is working: for which app configured on Google does it verify the token?
The id in this case is clearly not the email username, but the user id for the Google services, provided by Google after you make your OAuth authentication calls. If you have an id_token, you can pass an id/id_token pair instead of id/access_token; both are supported.
I am using the I tried sending that and still I get the same error. I am getting a 404 response code with the error:
I have used the access token and still get the same error. I have run out of things to test now.
Using the app I can retrieve my profile details on this endpoint
Yes, because you need to provide the user ID from Google. As long as you pass the id as an email, this won't work. As for how to acquire the id for the Google user, check the Google login documentation. See: https://developers.google.com/identity/protocols/OAuth2
I am not passing the id as an email; I am using the client id from the Google API console. Using Postman, I can make the same request using the access token and get back the following:
Which is correct, but somehow the server returns a 404 Not Found when I use the same token to log in with Parse. How can I debug this locally? I might just need to go through the code locally, put a breakpoint in and see what's really happening.
Clearly the issue is not with the token. The token works, as I have used it in two places: using Postman locally and on the Google OAuth 2 Playground. I have also decoded the id_token and it's a valid JWT. So those are valid and not the issue.
As per the documentation, Parse requires a user In your case, given the response, you should probably pass the
Still, that does not work.
This should work; double-check your parameters (id, id_token or access_token) and make sure you pass the right values. I can assure you it works, as we use it in production currently.
Nope, checked and re-checked. No joy. Why do I get a 404 Not Found from Parse?
What is the payload that you send?
application/json This works fine for Facebook
Logs from Heroku
I'm not sure why, but the id that you have in your logs doesn't correspond with the 2112694148092739840900 != 112694148092739840900. Is that normal?
Also, when I try the access token against the validation endpoints, it yields an error.
I had invalidated the token |
Try this; the token is valid
So the id value that needs to be passed is
Yes, I am passing that and it still doesn't work.
Can you provide the logs? In the previous logs, that wasn't what was passed.
In your logs, your access token is invalid. |
Thanks, it's working; I sent an expired token. I think the docs need to be updated to reflect what sort of id is required. The issue was that the id was not the client id from the Google Console but rather the
I also think a 404 doesn't reflect the actual error to the client. A clear message like "invalid token" or "token expired" would be helpful.
That's what I thought; this is why I suggested multiple times that you double-check what you were sending.
I've always mentioned the ID as the user ID (which is also the subject of the JWT); you can retrieve the user ID easily following the Google documentation: https://developers.google.com/identity/sign-in/ios/people
The sub field here is what is being sent back by the Google endpoints, which we validate against to ensure the validity and ownership of the token. All other authentication providers use a similar strategy. The code doesn't need a refactoring at that point, but if you feel you can make it better, feel free to open a PR.
The message is actually quite clear: the data you're sending is invalid. Again, if you feel this can be improved, open a PR.
Alright, thanks, will do a PR. My thinking is there's no need for an extra step to validate the sub field once you get the response from Google. If you are able to sign in a user in the first place, then that should be good enough without having to do extra validations. If that's a malicious user, that user can already get an access token to retrieve the details they require anywhere. Also, getting the sub field means an extra API call that can be avoided.
What guarantees that the data belongs to the right user? Without validating the sub, anyone could impersonate any other user after all; any data coming from a client is untrusted by default. So we will not change this validation nor the logic in this adapter.
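The ownership check the maintainer describes in the thread (the `sub` that Google vouches for must equal the `id` the client claims), written out as an added example. This is not parse-server's own adapter code. The tokeninfo lookup is replaced by a constructed in-memory table so it runs offline; the token strings, subject, client IDs and the `ALLOWED_CLIENT_IDS` allow-list are made up for the example, and the audience and expiry checks are additions of this example, not something the thread says the adapter does.

```javascript
// Added example (not parse-server code): binding a client-supplied Google id
// to the token it presents, the way a social-login adapter must.
// The client sends authData.google = { id, access_token } or { id, id_token }.

// Hypothetical allow-list of OAuth client IDs that belong to this app (assumption).
const ALLOWED_CLIENT_IDS = new Set(['123.apps.googleusercontent.com']);

// Constructed stand-in for https://www.googleapis.com/oauth2/v3/tokeninfo.
// Keys are tokens; values mirror the shape Google answers with
// (access_token -> sub/aud/expires_in, id_token -> sub/aud/exp), or null
// for a token Google rejects. All values are made up for this example.
const FAKE_TOKENINFO = {
  'ya29.valid': { sub: '112694148092739840900', aud: '123.apps.googleusercontent.com', expires_in: 3599 },
  'ya29.expired': null, // Google answers 400 invalid_token for an expired token
  'ya29.other-app': { sub: '112694148092739840900', aud: '999.apps.googleusercontent.com', expires_in: 3599 },
  'eyJ.valid': { sub: '112694148092739840900', aud: '123.apps.googleusercontent.com', exp: Math.floor(Date.now() / 1000) + 3600 },
};

function lookupTokenInfo(kind, token) {
  // kind is 'access_token' or 'id_token'; real code would GET tokeninfo?<kind>=<token>.
  return Object.prototype.hasOwnProperty.call(FAKE_TOKENINFO, token) ? FAKE_TOKENINFO[token] : null;
}

// Never trust the client's "id"; derive identity from the token and compare.
function validateGoogleAuthData(authData, now = Math.floor(Date.now() / 1000)) {
  const { id, access_token: accessToken, id_token: idToken } = authData || {};

  // Google user IDs are numeric strings. An email address or an OAuth client ID
  // here is exactly the mistake discussed in the thread.
  if (typeof id !== 'string' || !/^\d+$/.test(id)) {
    return { ok: false, reason: 'id must be the numeric Google user id (the sub claim)' };
  }

  const token = idToken ?? accessToken;
  const kind = idToken ? 'id_token' : 'access_token';
  if (!token) return { ok: false, reason: 'missing id_token or access_token' };

  const info = lookupTokenInfo(kind, token);
  if (!info) return { ok: false, reason: 'token rejected by tokeninfo (invalid or expired)' };

  // Expiry: tokeninfo reports expires_in for access tokens and exp for id tokens.
  const expired = kind === 'id_token' ? info.exp <= now : info.expires_in <= 0;
  if (expired) return { ok: false, reason: 'token expired' };

  // Audience (added check): a token minted for another app, e.g. the OAuth
  // Playground's own client, must not log anyone into this app.
  if (!ALLOWED_CLIENT_IDS.has(info.aud)) return { ok: false, reason: 'token issued for a different client' };

  // Ownership: the subject Google vouches for must equal the id the client claims.
  // Without this, a valid token for user A could be sent with id = B.
  if (info.sub !== id) return { ok: false, reason: 'token does not belong to the claimed id' };

  return { ok: true, sub: info.sub };
}

// Stand-alone demo of the cases from the thread (constructed inputs).
const cases = [
  { id: 'user@example.com', access_token: 'ya29.valid' },          // email as id
  { id: '2112694148092739840900', access_token: 'ya29.valid' },    // wrong sub
  { id: '112694148092739840900', access_token: 'ya29.expired' },   // expired token
  { id: '112694148092739840900', access_token: 'ya29.other-app' }, // other app's token
  { id: '112694148092739840900', access_token: 'ya29.valid' },     // correct pair
  { id: '112694148092739840900', id_token: 'eyJ.valid' },          // id_token variant
];
for (const c of cases) console.log(JSON.stringify(c), '->', JSON.stringify(validateGoogleAuthData(c)));
```

The reason strings are what a server can log; the client should still only see a generic "auth is invalid" response, since telling an attacker which check failed helps them tune the next attempt.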
Issue Description
I am trying to log in with Google. I have used the Google OAuth 2 Playground and got an access token. I am passing the access token in the authData as follows:
{ "username": "josephkandi", "authData": { "google": { "id": "[email protected]", "access_token": "token-here" } } }
Steps to reproduce
My app is hosted on Heroku, so I have used the parse-server example, https://github.com/parse-community/parse-server-example.
I have updated my package.json to the latest as follows:
"dependencies": { "express": "^4.16.3", "kerberos": "0.0.23", "parse": "^1.11.1", "parse-server": "^2.7.4" }
I use Postman and send a POST request to
https://my-parse-server-url/parse/users/
Expected Results
I am supposed to get 201 Created, but instead I get the error:
{ "code": 101, "error": "Google auth is invalid for this user." }
Logs/Trace
2018-04-04T20:07:18.458649+00:00 app[web.1]: verbose: REQUEST for [POST] /parse/users/: {
2018-04-04T20:07:18.458670+00:00 app[web.1]:   "username": "josephkandi",
2018-04-04T20:07:18.458672+00:00 app[web.1]:   "authData": {
2018-04-04T20:07:18.458674+00:00 app[web.1]:     "google": {
2018-04-04T20:07:18.458676+00:00 app[web.1]:       "id": "myemail",
2018-04-04T20:07:18.458679+00:00 app[web.1]:       "access_token": "ya29.GluTBbIljEVZ8ZuPfNZg0l8BaoylumMqMmkFLFpZ9msncMvKXWh_h2ofrDQ9I-qj0-CTSQyIWslepBwe1ygB_y0WzatkrnBO0UovdVwbv26iRFtYaf9gkn5omSvu"
2018-04-04T20:07:18.458681+00:00 app[web.1]:     }
2018-04-04T20:07:18.458682+00:00 app[web.1]:   }
2018-04-04T20:07:18.458685+00:00 app[web.1]: } method=POST, url=/parse/users/, host=parse.peruzal.com, connection=close, accept-encoding=gzip, cf-ipcountry=ZA, x-forwarded-for=41.145.73.111, 172.68.186.57, cf-ray=40666681aa3f8064-CPT, x-forwarded-proto=http, cf-visitor={"scheme":"https"}, x-parse-application-id=my-app-id, content-type=application/json, cache-control=no-cache, postman-token=ab113afa-78c2-4414-962d-ce51d03bddca, user-agent=PostmanRuntime/7.1.1, accept=*/*, cookie=__cfduid=d8327f1e50a2c7db19b3091e5f4b147501522793473, cf-connecting-ip=41.145.73.111, x-request-id=76657b5e-e223-4292-af15-249a8f75fb94, x-forwarded-port=80, via=1.1 vegur, connect-time=1, x-request-start=1522872438434, total-route-time=0, content-length=261, username=josephkandi, id=myemail, access_token=ya29.GluTBbIljEVZ8ZuPfNZg0l8BaoylumMqMmkFLFpZ9msncMvKXWh_h2ofrDQ9I-qj0-CTSQyIWslepBwe1ygB_y0WzatkrnBO0UovdVwbv26iRFtYaf9gkn5omSvu
2018-04-04T20:07:18.569037+00:00 app[web.1]: error: Error generating response. ParseError { code: 101, message: 'Google auth is invalid for this user.' } code=101, message=Google auth is invalid for this user.
2018-04-04T20:07:18.572271+00:00 app[web.1]: error: Google auth is invalid for this user. code=101, message=Google auth is invalid for this user.
2018-04-04T20:07:18.574979+00:00 heroku[router]: at=info method=POST path="/parse/users/" host=parse.peruzal.com request_id=76657b5e-e223-4292-af15-249a8f75fb94 fwd="41.145.73.111,172.68.186.57" dyno=web.1 connect=1ms service=138ms status=404 bytes=591 protocol=http