Hello Jan
I had this problem as well when first playing around with this stuff.

I tried it again on a clean solution and I believe it then worked for me, so try that as option first if you can.

But to verify my OWIN class I am using is UmbracoStandardOwinStartup that inherits from UmbracoDefaultOwinStartup

But apart from me trying it again in a fresh install I can't remember what I done differently, but am happy to try to help you out.

Just double check that you have the owinstartup class set properly in the web.config, and then breakpoint your OWIN setup and make sure it is actually firing when the website starts.

Testing the same and run in to exactly the same problem

• Umbraco 7.4 rc1 install via nuget
• UmbracoCms.IdentityExtensions installed via nuget
• UmbracoCms.IdentityExtensions.Google installed via nuget

Google app is setup as this:

Authorized javascript origins : http://localhost Redirect uri : http://localhost/umbraco-google-signin

I've added

app.ConfigureBackOfficeGoogleAuth([client id], [client secret]);

and changed web .config to point to UmbracoStandardOwinStartup

   <add key="owin:appStartup" value="UmbracoStandardOwinStartup" />

I've tried linking the logged in profile but it fails silently. Using Google Chrome inspect network i see some ?error=Access_denied

Ive tried loggin in from front but after putting in Google Credentials I'm redirected to

http://localhost/umbraco/?error=access_denied#/

Any advise?

/Jesper

So I tried adding a trailing / to the in the credentials config in the developer console

Redirect uri : http://localhost/umbraco-google-signin http://localhost/umbraco-google-signin/

Also tried adding it in the startup code:

  {
            ClientId = clientId,
            ClientSecret = clientSecret, 
            //In order to allow using different google providers on the front-end vs the back office,
            // these settings are very important to make them distinguished from one another.
            SignInAsAuthenticationType = Constants.Security.BackOfficeExternalAuthenticationType,
            //  By default this is '/signin-google', you will need to change that default value in your
            //  Google developer settings for your web-app in the "REDIRECT URIS" setting
            CallbackPath = new PathString("/umbraco-google-signin/")
        };

No effects...

My observations

It seems like the authorization goes well. Or almost. When I try to link my account, I successfully sign in. But when inspecting the network traffic I have these 3 entries:

1) Indicating that I signed in and redirect url seems right

https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email&response_type=code&redirect_uri=http://localhost/umbraco-google-signin/&state=IJCInYRmuGkBWARsaQmfsMpe6OgZm7QBh7vd2mR6xG5ZXHvIyDUUCNrUWPdkznz1gKLY4MwBJnJmeNhnB6YmGIsIt8jm1Nk3vzatkKy3KBJaLteSx4gubpoY9hvb8R57DFVeBS6YmzP91XW-a4OCWyjedmvEWxPbj35b9wimEAG_KbNTizShTbmgV7YD-nk8_q6QNGYSxNvPejAxozWWFNd2LCwo5KukDcxtJVkK_RlhaIuaMoH5fOjMfCcWANTA&client_id=326418499831-ddprt7n58pvicc2kj9sqedlhlhguco7b.apps.googleusercontent.com&hl=en-US&from_login=1&as=-28d4c888dcf981e5

2)

http://localhost/umbraco-google-signin/?state=IJCInYRmuGkBWARsaQmfsMpe6OgZm7QBh7vd2mR6xG5ZXHvIyDUUCNrUWPdkznz1gKLY4MwBJnJmeNhnB6YmGIsIt8jm1Nk3vzatkKy3KBJaLteSx4gubpoY9hvb8R57DFVeBS6YmzP91XW-a4OCWyjedmvEWxPbj35b9wimEAG_KbNTizShTbmgV7YD-nk8_q6QNGYSxNvPejAxozZWFNd2LCwo5KukDcxtJVkK_RlhaIuaMoH5fOjMfCcWANTA&code=4/lJgnimGFcPWIepiLRZ5q1_P-1KSmm74hEeprNm_7eyk&authuser=0&session_state=cd38aee5341f55eac86eca06230d3e7c0261268a..0326&prompt=none

3)

http://localhost/umbraco/ExternalLinkLoginCallback/?error=access_denied

No clue how to get on from here. It seems that its in the final stage when receiving the token?

Oh btw - I just tested with Facebook authentication.

• UmbracoCms.IdentityExtensions.Facebook installed via nuget

Works perfect! But I much rather use Google :-)

This kind of error suggests to me that your Umbraco is not accepting the auth from Google, but I've seen it lie. It could be for a number or reasons, but I would check the claims being returned. Umbraco must have a "name" to create an account, and this is often labelled incorrectly. You can usually grab this by intercepting the SecurityTokenValidated notification event(I've included the openID version of this below, not sure how to access it for google auth). Check there is a claim with the label "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" and that it contains text that will create a valid login for Umbraco(i.e. no spaces, special characters). Then hook up to the autolinkup event, and check everything you can there. The code to activate it is this;

            var autoOptions = new ExternalSignInAutoLinkOptions(true, "writer")
        {
            OnAutoLinking = AutoLinkUp
        };

Then you can create this;

        public void AutoLinkUp(BackOfficeIdentityUser curUser, ExternalLoginInfo loginDeets)
    {
        var userService = Umbraco.Core.ApplicationContext.Current.Services.UserService;
        var contentService = Umbraco.Core.ApplicationContext.Current.Services.ContentService;


    }

So I'd debug it like this...

If the Notification/security event fires, then it is returning and authing google, but the account creation is failing. Check the name, and other claims. If the autoLinkUp fires, then check that the account is being created and debug from there. If neither of these is firing, then your problem is a bad configuration, and I'd double check it, and then post a screenshot of the google config screen here for us to have a little poke.

OpenID notification code;

                Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = (context) =>
                {
                    ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;
                    claimsId.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", claimsId.FindFirst("name").Value.ToString()));

                    return Task.FromResult(0);
                }
            }

HTH!!

Thanks Tony,

I just tried adding your code. Must say - I'm not sure what I'm doing. The code runs and the event is attached but what to do with the autoOptions object?

And I just found this in the log:

Umbraco.Core.Logging.OwinLogger - Event Id: 0, state: Authentication failed
System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
  at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
  at Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationHandler. 
  <AuthenticateCoreAsync>d__0.MoveNext()

/Jesper

Apologies Jesper, I was rushing to leave the office and had to omit some steps for brevity. The AutoOptions are part of the AuthenticationOptions for google, so basically the bit where you setup your client id, scopes, etc.. I am using openID, so I am not 100% sure of the code for google. But as well as the code I added above, you then add the AutoOptions to the SetExternalSignInAutoLinkOptions, this is the full code from my config section.

    public override void Configuration(IAppBuilder app)
    {
        ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

        base.Configuration(app);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
        });

        var adOptions = new OpenIdConnectAuthenticationOptions
        { 
            Authority = OpenIDConnectAuthority,
            ClientId = "myClientID",
            RedirectUri = RedirectUrl,
            ResponseType = "id_token",
            Scope = "openid profile roles email myClient.access",
            Caption = "LOGIN WITH YOUR ID",
            SignInAsAuthenticationType = Umbraco.Core.Constants.Security.BackOfficeExternalAuthenticationType,

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = (context) =>
                {
                    ClaimsIdentity claimsId = context.AuthenticationTicket.Identity;
                    claimsId.AddClaim(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", claimsId.FindFirst("name").Value.ToString()));

                    return Task.FromResult(0);
                }
            }
        };

        var autoOptions = new ExternalSignInAutoLinkOptions(true, "MyPermissonLevel")
        {
            OnAutoLinking = AutoLinkUp
        };
        adOptions.SetExternalSignInAutoLinkOptions(autoOptions);

        adOptions.ForUmbracoBackOffice("btn-ftn", "fa-ftn");

        // Dirty hack to fix bug in Umbraco identity provider
        adOptions.AuthenticationType = OpenIDConnectAuthority;

        app.UseOpenIdConnectAuthentication(adOptions);


    }

No worries, good luck with it all! I spent a week tearing my hair out trying to dissect how it was working, and ended up using the Umbraco source to trace the events. Never again...

I got the same error... and I got past it, but now I have a different error message that I am trying to solve...

By the way, the fix was, apparently, Google made a change that now requires your Google Developer Console to have the Google+ API to be enabled. That will fix the error we all are getting related to "?error=Access_denied".

Now, I am using version 7.4.1 and am seeing "The requested provider (Umbraco.Google) has not been linked to to an account" as an error when attempting to login. Anyone here can point me to any documentation or article that can help me solve this?

Thanks, Jojo

Have you enabled Google Plus Api?

You have to enable the Google Plus API.

Exactly - this has to be enabled

is working on a reply...