14

I have set up my Google OAuth

And I have added the code into Startup.Auth.cs:

    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
    {
        // LRC
        ClientId = "xxxxxxxxx",
        ClientSecret = "xxxxx"
        //CallbackPath = new PathString("/signin-google")
    });

But after I chose a Google account to log in, it redirected me to the login page again.

I checked the network via Chrome and found that the access was denied.

http://www.liferunningclub.com.au/Account/ExternalLoginCallback?error=access_denied

I cannot figure it out.


Update: Now I did something else:

  1. I added an annotation ([RequireHttps]) on the Account Controller.
  2. I enabled SSL for my project.
  3. I updated the URL and redirect URL in the Google Console to https.

I tried to log in with Google; after I selected my Google account, it returned the same access_denied.

It would be better if the response from Google could give more detailed information.

halfer
Franva

8 Answers

26

I had the same problem using the latest ASP.Net MVC template with "Individual Accounts" selected.

The solution was to enable the Google+ API for my project in the Google Developer console.

I found my answer here (scroll down to "Changes to Google OAuth 2.0...").

M Falanga
  • Thanks M, that's right. In my case, I also found that I required more information than I could. So after I enabled the Google+ API AND commented out some lines of code to reduce the required information, the program started to work. – Franva May 29 '15 at 01:47
  • Also, you must enable SSL in the project properties and use https for your site, otherwise you will see access_denied issues. – Iman Feb 23 '18 at 14:02
  • 1
    Hi Franva, could you tell me how you solved the problem? I use https, set my URL in the authorized JavaScript origins, and enabled the Google+ API, but I always get access_denied and a 302 status code. – user2896152 Mar 07 '19 at 16:19
  • That link is now a dead link, wonder if there is more info there. – Chris Feb 07 '21 at 20:52
  • https://devblogs.microsoft.com/dotnet/changes-to-google-oauth-2-0-and-updates-in-google-middleware-for-3-0-0-rc-release/ – nonoandy Mar 31 '22 at 14:29
3

The same error happened to me for the Facebook provider.

Turns out the solution was as simple as updating the NuGet package to 3.1.

It turns out that Facebook did a "force upgrade" of their graph API from version 2.2 to 2.3 on 27th March 2017.

For the record I'm using the following:

In Facebook I have the following settings configured for a test app:

In addition, if you're using a sample template, the error parameter returned isn't being consumed, which can be misleading. You should add string error to ExternalLoginCallback:

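    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl, string error)
    {
        // 'error' binds to the ?error=... query string value (e.g. access_denied).
        if (error != null)
        {
            return View("Error");
        }

        // ... rest of the template's ExternalLoginCallback ...
    }
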
Simon_Weaver
1

I had this problem as well. After I enabled the Google+ API, the problem was still not solved. It turned out I hadn't set the 'Authorized JavaScript origins' in my Google API console. So I set the authorized JavaScript origins, and the problem was solved.

recnac
Satria Janaka
1

I had the same issue. I had the Google+ API active and set JavaScript providers. Turns out that my version of Microsoft.Owin, 3.1, was too old. I've updated every single NuGet package which had Microsoft.Owin.(whatever) in its name and it started working fine (version 4.1).

Hope it helps!

ZenekMetalGuru
0

This is most likely because you have not enabled the Google+ API in the developer console.

So when your account tries to get the details about the Google Account, it says access_denied.

Simply go to the developer console and enable the Google+ API.

Zapnologica
0

None of the above solutions worked for me. It turns out that, in my case, I was tweaking things with the Google OAuth Playground and I had added the URL https://developers.google.com/oauthplayground in the Authorized Redirect URIs section of my Google credentials for the client ID and secret.

When I removed it and retried, it worked fine.

PS: I had to reset the OAuth Playground settings that I had modified too.

EDIT

The other issue was that my code threw an exception when the OnAuthenticated event handler was triggered. It turned out to be a null reference, which was resulting in the access_denied status being returned.

    GoogleOAuth2AuthenticationOptions googleOptions = new GoogleOAuth2AuthenticationOptions()
    {
        ClientId = "xxxxx.apps.googleusercontent.com",
        ClientSecret = "XXXX",
        Provider = new GoogleOAuth2AuthenticationProvider()
        {
            OnAuthenticated = (context) =>
            {
                try
                {
                    TokenHelper tokenHelper = new TokenHelper();

                    // Any exception here will result in 'loginInfo == null' in AccountController.ExternalLoginCallback.
                    // Be sure to add exception handling here in case of production code.
                    context.Identity.AddClaim(new Claim(tokenHelper.AccessToken, context.AccessToken)); // From this line onwards, tokenHelper's properties were null.

                    // For clarity, we don't check most values for null but RefreshToken is another kind of thing. It's usually
                    // not set unless we specially request it. Typically, you receive the refresh token only on the initial request,
                    // store it permanently and reuse it when you need to refresh the access token.
                    if (context.RefreshToken != null)
                    {
                        context.Identity.AddClaim(new Claim(tokenHelper.RefreshToken, context.RefreshToken));
                    }

                    // We want to use the e-mail account of the external identity (for which we are doing OAuth). For that we save
                    // the external identity's e-mail address separately as it can be different from the main e-mail address
                    // of the current user.
                    context.Identity.AddClaim(new Claim(tokenHelper.Email, context.Email));
                    context.Identity.AddClaim(new Claim(tokenHelper.Name, context.Name));

                    context.Identity.AddClaim(new Claim(tokenHelper.IssuedOn, DateTime.Now.ToString()));
                    context.Identity.AddClaim(new Claim(tokenHelper.ExpiresIn,
                        ((long)context.ExpiresIn.Value.TotalSeconds).ToString()));

                    return Task.FromResult(0);
                }
                catch (Exception ex)
                {
                    throw;
                }
            },
        },
        AccessType = "offline",
        UserInformationEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo"
    };

Jamshaid K.
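
An added example, not part of the answer above or of the Katana project: one way to keep a null claim type or value in OnAuthenticated from failing the sign-in, and to log the real exception when one is still thrown. The GoogleAuthSetup class, its Build method and the urn:example:... claim type names are hypothetical; the Microsoft.Owin.Security.Google types are the ones the answer's code already uses.

```csharp
using System;
using System.Diagnostics;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Google;

public static class GoogleAuthSetup
{
    // Hypothetical claim type names (assumption). Compile-time constants cannot be
    // null, unlike the uninitialised TokenHelper properties in the answer.
    public const string AccessTokenClaim  = "urn:example:google:access_token";
    public const string RefreshTokenClaim = "urn:example:google:refresh_token";
    public const string EmailClaim        = "urn:example:google:email";

    // new Claim(type, value) throws ArgumentNullException if either argument is
    // null, so absent values are skipped instead of failing the whole sign-in.
    private static void AddClaimIfPresent(ClaimsIdentity identity, string type, string value)
    {
        if (!string.IsNullOrEmpty(value))
        {
            identity.AddClaim(new Claim(type, value));
        }
    }

    public static GoogleOAuth2AuthenticationOptions Build(string clientId, string clientSecret)
    {
        return new GoogleOAuth2AuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            Provider = new GoogleOAuth2AuthenticationProvider
            {
                OnAuthenticated = context =>
                {
                    try
                    {
                        AddClaimIfPresent(context.Identity, AccessTokenClaim, context.AccessToken);
                        AddClaimIfPresent(context.Identity, RefreshTokenClaim, context.RefreshToken);
                        AddClaimIfPresent(context.Identity, EmailClaim, context.Email);
                        return Task.FromResult(0);
                    }
                    catch (Exception ex)
                    {
                        // Log the real cause server-side; the callback URL only shows access_denied.
                        Trace.TraceError("Google OnAuthenticated failed: {0}", ex);
                        throw;
                    }
                }
            }
        };
    }
}
```

The returned options object is what gets passed to app.UseGoogleAuthentication(...) in Startup.Auth.cs.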
0

Default Google authentication no longer works; you can add the updated Owin.Security.Provider.Google package through NuGet or find it here.

Tendizer
-1

Try to use https:// instead of http: