  • Jan Vanuytrecht 32 posts 80 karma points
    Jun 30, 2015 @ 20:47
    Jan Vanuytrecht
    0

    Umbraco 7.3.0 Identity provider - can't get Google OAuth to work

    Hi,

    I want to link a Google Account to my BackOffice User to enable authentication via Google.

    What I've done is:

    • Create Empty MVC 4 Web project in VS2013
    • Install Nuget Package Umbraco CMS 7.3.0-beta
    • Install Nuget Package UmbracoCms.IdentityExtensions -Pre
    • Install Nuget Package UmbracoCms.IdentityExtensions.Google -Pre

    My Google app uses these settings:

    In the owin startup class I added this line in the configure method:

    app.ConfigureBackOfficeGoogleAuth([app id], [app secret]);
    

    When I click on the "Link Google Account" button on my profile I get redirected to /umbraco.

    In fiddler I see this:

    Fiddler umbraco redirect

    When I log out after that, the login page shows: "An error occurred, could not get external login info"

  • Warren Buckley 2106 posts 4836 karma points MVP 7x admin c-trib
    Jun 30, 2015 @ 21:12
    Warren Buckley
    0

    Hello Jan
    I had this problem as well when first playing around with this stuff.

    I tried it again on a clean solution and I believe it then worked for me, so try that as an option first if you can.

    But to verify, the OWIN class I am using is UmbracoStandardOwinStartup that inherits from UmbracoDefaultOwinStartup

    But apart from me trying it again in a fresh install I can't remember what I did differently, but am happy to try to help you out.

    Google Console

  • Tony Cheetham 24 posts 134 karma points
    Nov 06, 2015 @ 16:12
    Tony Cheetham
    0

    Just double check that you have the owinstartup class set properly in the web.config, and then breakpoint your OWIN setup and make sure it is actually firing when the website starts.

  • Jesper Ordrup 1019 posts 1528 karma points MVP
    Feb 10, 2016 @ 22:18
    Jesper Ordrup
    0

    Testing the same and ran into exactly the same problem

    • Umbraco 7.4 rc1 install via nuget
    • UmbracoCms.IdentityExtensions installed via nuget
    • UmbracoCms.IdentityExtensions.Google installed via nuget

    Google app is setup as this:

    Authorized javascript origins : http://localhost
    Redirect uri : http://localhost/umbraco-google-signin

    I've added

    app.ConfigureBackOfficeGoogleAuth([client id], [client secret]);
    

    and changed web.config to point to UmbracoStandardOwinStartup

       <add key="owin:appStartup" value="UmbracoStandardOwinStartup" />
    

    I've tried linking the logged in profile but it fails silently. Using Google Chrome inspect network I see some ?error=Access_denied

    I've tried logging in from front but after putting in Google Credentials I'm redirected to

    http://localhost/umbraco/?error=access_denied#/

    Any advice?

    /Jesper

  • Jesper Ordrup 1019 posts 1528 karma points MVP
    Feb 11, 2016 @ 08:37
    Jesper Ordrup
    0

    So I tried adding a trailing / in the credentials config in the developer console

    Redirect uri : http://localhost/umbraco-google-signin http://localhost/umbraco-google-signin/

    Also tried adding it in the startup code:

        var googleOptions = new GoogleOAuth2AuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            // In order to allow using different google providers on the front-end vs the back office,
            // these settings are very important to make them distinguished from one another.
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
            // By default this is '/signin-google', you will need to change that default value in your
            // Google developer settings for your web-app in the "REDIRECT URIS" setting
            CallbackPath = new PathString("/umbraco-google-signin/")
        };
    

    No effects...

    My observations

    It seems like the authorization goes well. Or almost. When I try to link my account, I successfully sign in. But when inspecting the network traffic I have these 3 entries:

    1) Indicating that I signed in and redirect url seems right

    https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email&response_type=code&redirect_uri=http://localhost/umbraco-google-signin/&state=IJCInYRmuGkBWARsaQmfsMpe6OgZm7QBh7vd2mR6xG5ZXHvIyDUUCNrUWPdkznz1gKLY4MwBJnJmeNhnB6YmGIsIt8jm1Nk3vzatkKy3KBJaLteSx4gubpoY9hvb8R57DFVeBS6YmzP91XW-a4OCWyjedmvEWxPbj35b9wimEAG_KbNTizShTbmgV7YD-nk8_q6QNGYSxNvPejAxozWWFNd2LCwo5KukDcxtJVkK_RlhaIuaMoH5fOjMfCcWANTA&client_id=326418499831-ddprt7n58pvicc2kj9sqedlhlhguco7b.apps.googleusercontent.com&hl=en-US&from_login=1&as=-28d4c888dcf981e5
    

    2)

    http://localhost/umbraco-google-signin/?state=IJCInYRmuGkBWARsaQmfsMpe6OgZm7QBh7vd2mR6xG5ZXHvIyDUUCNrUWPdkznz1gKLY4MwBJnJmeNhnB6YmGIsIt8jm1Nk3vzatkKy3KBJaLteSx4gubpoY9hvb8R57DFVeBS6YmzP91XW-a4OCWyjedmvEWxPbj35b9wimEAG_KbNTizShTbmgV7YD-nk8_q6QNGYSxNvPejAxozZWFNd2LCwo5KukDcxtJVkK_RlhaIuaMoH5fOjMfCcWANTA&code=4/lJgnimGFcPWIepiLRZ5q1_P-1KSmm74hEeprNm_7eyk&authuser=0&session_state=cd38aee5341f55eac86eca06230d3e7c0261268a..0326&prompt=none
    

    3)

    http://localhost/umbraco/ExternalLinkLoginCallback/?error=access_denied
    

    No clue how to get on from here. It seems that it's in the final stage when receiving the token?

  • Jesper Ordrup 1019 posts 1528 karma points MVP
    Feb 11, 2016 @ 12:31
    Jesper Ordrup
    0

    Oh btw - I just tested with Facebook authentication.

    • UmbracoCms.IdentityExtensions.Facebook installed via nuget

    Works perfectly! But I'd much rather use Google :-)

  • Tony Cheetham 24 posts 134 karma points
    Feb 11, 2016 @ 12:45
    Tony Cheetham
    0

    This kind of error suggests to me that your Umbraco is not accepting the auth from Google, but I've seen it lie. It could be for a number of reasons, but I would check the claims being returned. Umbraco must have a "name" to create an account, and this is often labelled incorrectly. You can usually grab this by intercepting the SecurityTokenValidated notification event (I've included the openID version of this below, not sure how to access it for google auth). Check there is a claim with the label "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" and that it contains text that will create a valid login for Umbraco (i.e. no spaces, special characters). Then hook up to the autolinkup event, and check everything you can there. The code to activate it is this;

        var autoOptions = new ExternalSignInAutoLinkOptions(true, "writer")
        {
            OnAutoLinking = AutoLinkUp
        };
    

    Then you can create this;

        public void AutoLinkUp(BackOfficeIdentityUser curUser, ExternalLoginInfo loginDeets)
        {
            var userService = Umbraco.Core.ApplicationContext.Current.Services.UserService;
            var contentService = Umbraco.Core.ApplicationContext.Current.Services.ContentService;
        }
    

    So I'd debug it like this...

    If the Notification/security event fires, then it is returning and authing google, but the account creation is failing. Check the name, and other claims. If the autoLinkUp fires, then check that the account is being created and debug from there. If neither of these is firing, then your problem is a bad configuration, and I'd double check it, and then post a screenshot of the google config screen here for us to have a little poke.

    OpenID notification code;

        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = (context) =>
            {
                ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;
                claimsId.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", claimsId.FindFirst("name").Value.ToString()));

                return Task.FromResult(0);
            }
        }
    

    HTH!!
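
The claim check described in the post above, as an added example that is not part of the original post. It uses only `System.Security.Claims`; for the Google middleware it can be called from `GoogleOAuth2AuthenticationProvider.OnAuthenticated` with `context.Identity`. The name rule (no spaces or special characters) is taken from the post and is an assumption, and the sample identity is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.RegularExpressions;

public static class ExternalLoginClaimsCheck
{
    // Assumption from the post: a usable name has no spaces or special characters.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9._@-]+$");

    // Lists the claim types present (values are not logged, they may be personal data)
    // and reports whether a usable ClaimTypes.Name claim is among them.
    public static IList<string> Inspect(ClaimsIdentity identity)
    {
        var findings = new List<string>();
        foreach (var claim in identity.Claims)
            findings.Add("present: " + claim.Type);

        // ClaimTypes.Name is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        var name = identity.FindFirst(ClaimTypes.Name);
        if (name == null)
        {
            // Providers often send the short form "name" instead of the schema URI.
            var shortName = identity.FindFirst("name");
            findings.Add(shortName == null
                ? "MISSING: no name claim of any kind"
                : "MISLABELLED: 'name' is present but ClaimTypes.Name is not");
        }
        else if (!SafeName.IsMatch(name.Value))
            findings.Add("INVALID: name claim contains spaces or special characters");
        else
            findings.Add("OK: name claim is present and well formed");
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: what a provider might return before any claim mapping.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("name", "Jane Doe"),
            new Claim(ClaimTypes.Email, "jane@example.test")
        }, "Google");

        foreach (var line in Inspect(identity))
            Console.WriteLine(line);
    }
}
```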

  • Jesper Ordrup 1019 posts 1528 karma points MVP
    Feb 11, 2016 @ 16:00
    Jesper Ordrup
    0

    Thanks Tony,

    I just tried adding your code. Must say - I'm not sure what I'm doing. The code runs and the event is attached but what to do with the autoOptions object?

    And I just found this in the log:

    Umbraco.Core.Logging.OwinLogger - Event Id: 0, state: Authentication failed
    System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
      at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
      at Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationHandler.<AuthenticateCoreAsync>d__0.MoveNext()
    

    /Jesper

  • Tony Cheetham 24 posts 134 karma points
    Feb 11, 2016 @ 16:28
    Tony Cheetham
    0

    Apologies Jesper, I was rushing to leave the office and had to omit some steps for brevity. The AutoOptions are part of the AuthenticationOptions for google, so basically the bit where you set up your client id, scopes, etc. I am using openID, so I am not 100% sure of the code for google. But as well as the code I added above, you then add the AutoOptions to the SetExternalSignInAutoLinkOptions, this is the full code from my config section.

        public override void Configuration(IAppBuilder app)
        {
            // Accepts every server certificate for all outbound HTTPS requests in this process.
            ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

            base.Configuration(app);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
            });

            var adOptions = new OpenIdConnectAuthenticationOptions
            {
                Authority = OpenIDConnectAuthority,
                ClientId = "myClientID",
                RedirectUri = RedirectUrl,
                ResponseType = "id_token",
                Scope = "openid profile roles email myClient.access",
                Caption = "LOGIN WITH YOUR ID",
                SignInAsAuthenticationType = Umbraco.Core.Constants.Security.BackOfficeExternalAuthenticationType,

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = (context) =>
                    {
                        ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;
                        claimsId.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", claimsId.FindFirst("name").Value.ToString()));

                        return Task.FromResult(0);
                    }
                }
            };

            var autoOptions = new ExternalSignInAutoLinkOptions(true, "MyPermissonLevel")
            {
                OnAutoLinking = AutoLinkUp
            };
            adOptions.SetExternalSignInAutoLinkOptions(autoOptions);

            adOptions.ForUmbracoBackOffice("btn-ftn", "fa-ftn");

            // Dirty hack to fix bug in Umbraco identity provider
            adOptions.AuthenticationType = OpenIDConnectAuthority;

            app.UseOpenIdConnectAuthentication(adOptions);
        }
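
The `ServerCertificateValidationCallback` line at the top of the configuration above returns `true` for every certificate, which also covers the back-channel HTTPS calls the OWIN middleware makes to the identity provider. An added example (not part of the post) of a callback that keeps normal validation and tolerates only one pinned development certificate; the class name is hypothetical and the thumbprint is a constructed placeholder.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DevCertificatePolicy
{
    // Constructed placeholder: thumbprint of the self-signed development certificate.
    private const string PinnedDevThumbprint = "0000000000000000000000000000000000000000";

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass the platform's validation are accepted as usual.
        if (errors == SslPolicyErrors.None)
            return true;

        // Only an untrusted chain is tolerated; a name mismatch or a missing
        // certificate still fails, even for the pinned certificate.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
            return false;

        // Accept the one known development certificate and nothing else.
        var thumbprint = new X509Certificate2(cert).Thumbprint;
        return string.Equals(thumbprint, PinnedDevThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Call once at startup in place of the "=> true" lambda.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```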
    
  • Jesper Ordrup 1019 posts 1528 karma points MVP
    Feb 15, 2016 @ 14:07
    Jesper Ordrup
    1

    Hey Tony,

    Thanks for all your time. Don't apologise :)

    I've added it as you specified but it seems that the Google Authentication configuration does not initiate the event at all.

    I'm in over my head and I'll probably have to wait until it works "out of the box".

    But thanks for your time and effort.

    Jesper

  • Tony Cheetham 24 posts 134 karma points
    Feb 15, 2016 @ 14:36
    Tony Cheetham
    0

    No worries, good luck with it all! I spent a week tearing my hair out trying to dissect how it was working, and ended up using the Umbraco source to trace the events. Never again...

  • Jojo Galang 6 posts 76 karma points
    Mar 29, 2016 @ 21:38
    Jojo Galang
    0

    I got the same error... and I got past it, but now I have a different error message that I am trying to solve...

    By the way, the fix was, apparently, Google made a change that now requires your Google Developer Console to have the Google+ API to be enabled. That will fix the error we all are getting related to "?error=Access_denied".

    Now, I am using version 7.4.1 and am seeing "The requested provider (Umbraco.Google) has not been linked to to an account" as an error when attempting to login. Anyone here can point me to any documentation or article that can help me solve this?

    Thanks, Jojo

  • Jojo Galang 6 posts 76 karma points
    Mar 30, 2016 @ 20:25
  • Biagio Paruolo 1621 posts 1914 karma points c-trib
    Jan 19, 2017 @ 14:46
    Biagio Paruolo
    0

    Have you enabled Google Plus Api?

  • Biagio Paruolo 1621 posts 1914 karma points c-trib
    Jan 19, 2017 @ 14:46
    Biagio Paruolo
    1

    You have to enable the Google Plus API.

  • Shannon Deminick 1526 posts 5272 karma points MVP 3x
    Feb 02, 2017 @ 15:20
    Shannon Deminick
    0

    Exactly - this has to be enabled

    Click Google Plus button

    Enable the API
