GoogleOauth2: "Invalid credentials". about api-umbrella HOT 9 OPEN

Those redirect URIs and origins look exactly like what we have working. But just to double check, do you have those URLs prefixed with https:// (or http:// depending on your setup)? We do have the full URLs listed, including the https:// prefix.

And then in your /etc/api-umbrella/api-umbrella.yml config file, does your setup look something like this?

web:
  admin:
    auth_strategies:
      google:
        client_id: XXXXXX.apps.googleusercontent.com
        client_secret: XXXXXXX

from api-umbrella.

Alright, great. I will double check.

Can anyone please help update/verify the following wiki documentation?
https://github.com/NREL/api-umbrella/wiki/Authentication-Strategies

from api-umbrella.

Hm, our settings seem correct, as outlined above. The redirect takes us back to our website, but the message still indicates invalid credentials.

from api-umbrella.

API Umbrella seems to prefer HTTPS by default, and we have not purchased an SSL certificate. Could it be related to us not having a validated SSL certificate?

from api-umbrella.

Sorry again for the delay. I ran through this setup process on a machine from scratch and updated the auth strategies documentation (thanks again for getting that started). However, I think the instructions mostly match what you had discovered, so I'm a little puzzled why this isn't working for you. Mine also worked with my local machine having a self-signed SSL certificate, so I don't think the SSL stuff should make a difference.

Just to verify, your form and confirmation looked like these?

And then your /etc/api-umbrella/api-umbrella.yml ended up looking something like?

web:
  admin:
    initial_superusers:
      - [email protected]
    auth_strategies:
      github:
        client_id: YOUR_ID
        client_secret: YOUR_SECRET
      google:
        client_id: YOUR_ID.apps.googleusercontent.com
        client_secret: YOUR_SECRET

Assuming that all looks correct, is there anything in the /var/log/api-umbrella/supervisor/web-puma.log log file if you tail that while logging in via Google?

from api-umbrella.

I have double and triple checked the settings, and even re-created the Client ID. I have tried with and without trailing slashes.

Could this be related to HTTPS (i.e. we do not have an HTTPS certificate for the domain)?

from api-umbrella.

D'oh! I think I just realized what the issue is. The omniauth-google-oauth2 strategy recently made some changes that require you enable the "Contacts API" and "Google+ API" services in the API console:

Note: You must enable the "Contacts API" and "Google+ API" via the Google API console. Otherwise, you will receive an OAuth2::Error stating that access is not configured when you attempt to authenticate.

I totally forgot that this recently bit us too after we upgraded omniauth-google-oauth2 (but since you only have to do this once, I had forgotten). Very sorry for not realizing this sooner, but hopefully this explains things and makes things work for you (finally!). I've updated our own documentation, but let me know if that does the trick or not.

from api-umbrella.

@brylie Just curious and wanted to follow up: Did you have a chance to see if my last comment about enabling the "Contacts API" and "Google+ API" in the Google API console fixed things for you?

from api-umbrella.

I get similar error with all APIs mentioned enabled.
I can see requests going to Google+ API and all of them fail with 403.

Same client ID and secret are working with another oauth2 app.
I removed username_is_email: true from the config and it worked. Not sure why this part was in the config, maybe just came from the documentation example.

from api-umbrella.