Hi,
I’m working on integrating Google OAuth 2.0 into my application for Gmail API, and I’m facing an issue that I can’t seem to resolve. Here’s a detailed breakdown of what I’ve done and the problem I’m encountering:
Note: For privacy in this forum, I’m not showing my actual domain—so when I say mydomain, it represents my real domain.
This is the URL I used to obtain the authorization code. I have URL-encoded the redirect URI (and the client_id here isn't real, I just want to show the format):
https://accounts.google.com/o/oauth2/v2/auth?client_id=7045-5863r8r.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fapi.mydomain.com%2Fapi%2Foauth%2Fcallback&scope=profile%20email&response_type=code&access_type=offline
After navigating to this URL, I can successfully sign in, and I receive the authorization code at the callback endpoint (/api/oauth/callback).
But when I try to exchange the authorization code for an access token using the following cURL command:
curl -v -X POST https://oauth2.googleapis.com/token ^
-d "code=<AUTH_CODE>" ^
-d "client_id=<CLIENT_ID>" ^
-d "client_secret=<CLIENT_SECRET>" ^
-d "redirect_uri=https%3A%2F%2Fapi.mydomain.com%2Fapi%2Foauth%2Fcallback" ^
-d "grant_type=authorization_code"
I receive the error:
{
"error": "invalid_request",
"error_description": "\nYou can’t sign in to this app because it doesn’t comply with Google’s OAuth 2.0 policy for keeping apps secure.\n\nYou can let the app developer know that this app doesn’t comply with one or more Google validation rules.\n"
}
Could this error be related to some other compliance check from Google that I’m not aware of? Do I need to submit the app for verification, even though I’m in testing mode and only using test users?
Any help would be greatly appreciated!
Hello @winner8,
Thank you for contacting Google Cloud Community.
You need to go through verification before you launch a user-facing app. You can continue to build and test your app while waiting to complete verification. When your app is successfully verified, the unverified app screen is removed from your client.
You don't need to go through verification for the following kinds of apps:
The error shown here clearly mentions that your app doesn’t comply with Google’s OAuth 2.0 policy for keeping apps secure. If you were using an app and you were redirected here from an error page, reach out to the app developer directly to make them aware of the situation. The app developer may need to take action before you and other new users can access it.
Please refer to this Doc for more information regarding how to Comply with OAuth 2.0 Policies.
I hope the above provided information is helpful 🙂
Thanks & Regards,
Manish Bavireddy.
I haven't launched my app though, it is in "testing" on the OAuth Consent Screen. How can I use and test my app with Gmail API if I can't get the access token?
Hello @winner8,
Thank you for your response.
Could you please go through this and let me know if this resolves your issue. If not, please reach out to Google Cloud Support as it requires more specific debugging and analysis.
Thanks & Regards,
Manish Bavireddy
I read the page you sent and the one thing I hadn't done was use Google Search Console to verify ownership of my domain. However, once I completed that step and it said my domain was verified, I still got the same error as before. My Google Cloud redirect URI is a subdomain of my authorized/verified domain, and it is forwarded to the backend URL hosted on Azure (*.azurewebsites.net domain). From the page you sent, it looks like I shouldn't have to verify the Azure domain. I have already contacted Google Cloud Support and I'm waiting for a response. Thank you.
@winner8 let me know once you resolve. i am also facing same issue.
I will...I've been in contact with Google support for a while now trying to get this resolved and nothing has worked so far. In progress...
Can you help everyone by stating how?
I heard back from Google that manually using copy/paste with an authorization code and exchanging it for tokens is deprecated. So now I will work on integrating the token exchange within my Azure Function.
@winner8 facing same issue
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure. You can let the app developer know that this app doesn't comply with one or more Google validation rules.
This is pretty old but comes up in search results for this issue so I'll post my findings. First off, my specific scenario:
1. frontend initiates a Google Login and requests a "code".
2. frontend sends the code to the backend
3. backend tries to exchange code but gets the above error
I fixed it by setting the redirect uri on both apps to "postmessage". If you are using OAuth2Client from googleapis in a node project, do not use:
googleOAuthClient.getToken(code)
and instead use:
googleOAuthClient.getToken({
code,
redirect_uri: 'postmessage',
})
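As an added example that is not part of any post in this thread: a backend exchange that builds the form body with URLSearchParams (so the redirect URI is percent-encoded exactly once) and sends the same redirect_uri the frontend used, the literal 'postmessage' for the popup flow described in the last answer, or the registered callback URL for a redirect-based flow. The token endpoint is Google's; the function names, placeholder client values and the injectable fetch are assumptions.

```javascript
// Added example (not from the thread): assemble and interpret Google's
// authorization-code exchange without hand-encoding the form body.
// Endpoint is Google's documented token URL; client values are placeholders.
const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
// The popup/JavaScript flow uses the literal string 'postmessage' as
// redirect_uri on BOTH the frontend request and the backend exchange;
// the redirect flow uses the registered callback URL in both places.
const POSTMESSAGE = 'postmessage';

function buildTokenRequest({ code, clientId, clientSecret, redirectUri }) {
  if (!code || !clientId || !clientSecret || !redirectUri) {
    throw new Error('code, clientId, clientSecret and redirectUri are required');
  }
  // URLSearchParams percent-encodes each value exactly once, so the redirect
  // URI is passed raw here rather than pre-encoded as in the curl command.
  const body = new URLSearchParams({
    code,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
    grant_type: 'authorization_code',
  });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Turn the token endpoint's JSON into tokens, or surface error_description.
function parseTokenResponse(status, json) {
  if (status !== 200 || json.error) {
    const desc = (json.error_description || '').trim();
    throw new Error(`token exchange failed: ${json.error || status}${desc ? ': ' + desc : ''}`);
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token, // returned only when access_type=offline was requested
    expiresAt: Date.now() + json.expires_in * 1000,
  };
}

// Backend handler: fetchImpl is injectable so the logic can be tested offline.
async function exchangeCode(code, clientId, clientSecret, redirectUri = POSTMESSAGE, fetchImpl = fetch) {
  const req = buildTokenRequest({ code, clientId, clientSecret, redirectUri });
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return parseTokenResponse(res.status, await res.json());
}
```

Whichever redirect_uri the frontend used when requesting the code must be passed unchanged to exchangeCode; the two values are compared by Google as strings.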