I had a similar issue last week, and tracked it down to the state field being overwritten by multiple calls to getLoginUrl(). Each time you call getLoginUrl(), a new state token is generated in the SDK and stored in the $_SESSION (it’s just a random value), so if you call it twice and the user … Read more
To fix, I revoked access to the app at https://accounts.google.com/IssuedAuthSubTokens and retried after which, I was able to access the API correctly. Despite having the scope in the list, and the scope showing up on Google’s OAuth2 grant page, the additional scope wasn’t granted.
I think G does this when your app requests a token and there is still a valid access or refresh token for the user for the scopes in question. The solution is to revoke tokens when you’re done with them (either on user logout or immediately after authenticating the user) by issuing this request: https://accounts.google.com/o/oauth2/revoke?token={token} … Read more
Yes, it is possible to use OAuth2 without a callback URL. The RFC6749 introduces several flows. The Implicit (now deprecated[1]) and Authorization Code grant types require a redirect URI. However the Resource Owner Password Credentials (deprecated as well[1]) grant type does not. Since RFC6749, other specifications have been issued that do not require any redirect … Read more
JWT (RFC7519) is just a compact way to safely transmit claims from an issuer to the audience over HTTP. JWT can be: signed (JWS – RFC7515) encrypted (JWE – RFC7516) signed then encrypted (this order is highly recommended). The whole JWS is the payload of the JWE encrypted then signed. It makes sense to encrypt … Read more
Spring Security 5 uses a modernized password storage, see OAuth2 Autoconfig: If you use your own authorization server configuration to configure the list of valid clients through an instance of ClientDetailsServiceConfigurer as shown below, take note that the passwords you configure here are subject to the modernized password storage that came with Spring Security 5. … Read more
At the time of writing, Less Secure Apps is no longer supported by google. And you can’t use your google account password. You’re gonna have to generate a new app password. App passwords only work if 2-step verification is turned on. Follow this steps to get the app password Go to https://myaccount.google.com/security Enable 2FA Create … Read more
I’ve had this issue for a while and came up with a proper solution. String token = GoogleAuthUtil.getToken(this, accountName, scopeString, appActivities); This line will either return the one time token or will trigger the UserRecoverableAuthException. On the Google Plus Sign In guide, it says to open the proper recovery activity. startActivityForResult(e.getIntent(), RECOVERABLE_REQUEST_CODE); When the activity … Read more
The answer shows how to send email with gmail API and python. Also updated the answer to send emails with attachment. Gmail API & OAuth -> no need to save the username and password in the script. The first time the script opens a browser to authorize the script and will store credentials locally (it … Read more