mageplaza / magento-2-social-login

Magento 2 Social Login extension is designed for quick login to your Magento 2 store without processing complex registration steps

Home Page: https://www.mageplaza.com/magento-2-social-login-extension/


Google login - invalid scope

lcsbaroni opened this issue · comments

Hi,

When I try to log in with Google, this message is shown:

Erro: invalid_scope

This app hasn't been verified to access: {invalid = [https://www.googleapis.com/auth/contacts]} Please contact the developer for assistance. Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again. If not, contact the developer for help.

Regards
Luís Baroni

@souvik-dutta thanks for great contribution

I sent the request to Google for review, explaining how my app will work and that I need access to the scope:
https://www.googleapis.com/auth/contacts

But they answer this to me:
"Based on the information you provided, you have access to the scopes that you are planning to use"

I'm based in Sri Lanka. My country code is missing on their form. What do I have to do to fix this issue?

commented

Hi guys,

@lcsbaroni The problem you are having is in your app, you can see the link in the message links to your own app.
You can try to create a new app, follow our instruction here:
https://docs.mageplaza.com/social-login-m2/how-to-configure-google-api.html

@joeljerushan I'm not sure what you want, could you tell us more about your issue? Thank you.

Same issue here. Submitted the scopes and got email saying it already has permission but still get the warning.
What scope is needed to be approved exactly for login?
Submitted these two:

https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
Says there should be no warning. Any help would be great

I also have same issue. What scopes do I need to request? Can developers confirm what scopes are needed please.

I looked in the code; it looks like this scope is the issue:

https://www.googleapis.com/auth/plus.profiles.read

I have requested it, will see after it's added if it works

commented

I made a video about this issue. Please take a look.
https://www.screencast.com/t/gUqGMQhnEm

If you see any issue in my video, please let me know. If you did follow the video and the result is not the same, please let me know in detail how to recreate the issue.

It does not work. The basic info that is normally required to use Google login doesn't need approval. The app seems to be requesting info that it should not.
@gixid192 the process in the video works for you but does not work for us. Tried different emails, it did not work. I suppose it's because you are using your mageplaza.com email ID and I guess you have purchased Google Suite or something, which might be the key.

@gixid192 Jimmy, to recreate the issue, I would suggest you try creating a brand new Gmail account and try this same process you showed in the video. This should tell whether it works or not. There is no reason for it to work when you are trying and give a warning when we try.

commented

@s00071609 I tried again with my other account. Things still went fine.
https://www.screencast.com/t/seh3hhbUHp

Please create a new video from your side so that I can follow you step by step.
Thank you.

I found the issue, I think. Mageplaza requests m8/feed, which is permission to read and write contacts. It seems after login it downloads every contact. I asked Google to approve this and they refused; they want an explanation why I need this scope.

@gixid192 try it with a new email account that you haven't previously used to activate the app. These changes came in at the end of July and any used before that seem to work without requiring you to apply for the extra permission.

The issue is that your module harvests contacts and that's no longer allowed without manual approval at Google's end. It is the m8/feed permission causing the issue.

commented

The thing is you need to enable the API in your Google account before letting the app do anything.
As I said earlier, I tried with a new account, not a brand new one, but it doesn't belong to Mageplaza and doesn't have any previous API activities.
I really need one of you to make a video showing the steps that I can follow to see where the issue happens.

Quite apart from that, why is the module scraping users' contacts? This strikes me as one of the most basic breaches of trust. What does it even do with them?

@lingwooc True. That's the question one should be asking. Why ask for such a permission if it's not needed? If it's needed, then Mageplaza may be able to explain why.

Have disabled the module because I could not get it to work with the many emails I tried.

commented

There's no such thing as "Scraping users". Please check again my response here

The library we use is HybridAuth. The code is here at this file: https://github.com/hybridauth/hybridauth/blob/master/src/Provider/Google.php

You can see at line 198 it requests contact permission.

As I explained earlier, there will be no way the app can get your contacts as long as you don't enable Contact API.

If you guys get asked from Google Preview, please do the video so that I can replicate the issue.

I wonder if it's related to this. https://github.com/hybridauth/hybridauth/blob/970fe5155da56081cec7f29e7190de9284e5e6b5/docs/developer-ref-user-contacts.md The hybridauth module is a dependency of this one. It could just be a symptom of copy/paste syndrome. That said, the code doesn't really look like https://github.com/hybridauth/hybridauth/blob/970fe5155da56081cec7f29e7190de9284e5e6b5/src/Provider/Google.php I'd still never use this module without purging the methods and permissions. I'd even argue birthday is going too far.

@gixid192 You've deliberately implemented code which scrapes users' contacts. In what way does this not exist? I can paste it here if you like. Explicitly enabled or otherwise, it's got no place in the code base of a login module.

commented

@lingwooc I don't quite understand what you said.

But as I explained above, the code is from the lib itself. If what you mean that we did implement "Grab users" function, please let me know where to find that code.

Thank you.

commented

@lingwooc I'm not sure what are you trying to say.

Please review my answers above:

  • All the links you gave are from the HybridAuth library; we use it, we don't own it.
  • As I said above, even though the code is there, if the Contact API isn't enabled, you can't use the GrabContact function

We don't implement any "Scraping Contacts" code so please check again.

@gixid192 Those links are from your github repos (the other is a dependency). One is even from this repo. They are all controlled by you.

commented

@lingwooc Please bear with me a bit. Allow me to explain again.

  • As I said before, we use the lib. Just like you are using Chrome, but you don't own it.
  • As we use it, we must have it in our code, like Chrome must be installed in your environment.
  • A library can be used for different purposes. Company A has an affiliate program, they may use "GrabContact" function to send Affiliate Invitation.
    We, on the other hand, don't use it (it's still there and we don't touch it). We have no code that invokes/calls that "GrabContact" function. (You download your Chrome, it is on your computer, but you never set it up, never open it.)

You or others may get a Review request from Google; we are really sorry for that, but I already provided my own steps in my video and I don't see it. As the developer, we need to reproduce the issue so that we can fix it. Without knowing what it is, it's really hard to find the cure.

Hope that we will be on the same page from now.

If Google is not going to approve the permission to grab user contacts, how do you think the extension can be used? The point is why ask if it's not needed. When asking Google for permission, what explanation would you provide? Would you say, we just want to grab the contacts of the users who use Google login but we don't use it? I guarantee Google will not approve it because it sounds absurd.

I suggest you create a new Gmail account and try to use it on a different website, not mageplaza. Many people are having the same issue and there is no reason it would work perfectly for you only.


I have had confirmation direct from google this is because I am asking for permissions I haven't been approved on. I watched your video it is just normal setup of google app.

This is the method using the m8 feed:

```php
// Method from the HybridAuth 2.x-style Google provider, as quoted by the commenter;
// the '/m8/feeds/' branch is the contacts request under discussion.
function getUserContacts() {
    // refresh tokens if needed
    $this->refreshToken();

    $contacts = array();
    if (!isset($this->config['contacts_param'])) {
        $this->config['contacts_param'] = array("max-results" => 500);
    }

    // Google Gmail and Android contacts
    if (strpos($this->scope, '/m8/feeds/') !== false) {

        $response = $this->api->api("https://www.google.com/m8/feeds/contacts/default/full?"
                . http_build_query(array_merge(array('alt' => 'json'), $this->config['contacts_param'])));

        if (!$response) {
            return array();
        }

        if (isset($response->feed->entry)) {
            foreach ($response->feed->entry as $idx => $entry) {
                $uc = new Hybrid_User_Contact();
                $uc->email = isset($entry->{'gd$email'}[0]->address) ? (string) $entry->{'gd$email'}[0]->address : '';
                $uc->displayName = isset($entry->title->{'$t'}) ? (string) $entry->title->{'$t'} : '';
                $uc->identifier = ($uc->email != '') ? $uc->email : '';
                $uc->description = '';
                if (property_exists($entry, 'link')) {
                    /**
                     * sign links with access_token
                     */
                    if (is_array($entry->link)) {
                        foreach ($entry->link as $l) {
                            if (property_exists($l, 'gd$etag') && $l->type == "image/*") {
                                $uc->photoURL = $this->addUrlParam($l->href, array('access_token' => $this->api->access_token));
                            } else if ($l->type == "self") {
                                $uc->profileURL = $this->addUrlParam($l->href, array('access_token' => $this->api->access_token));
                            }
                        }
                    }
                } else {
                    $uc->profileURL = '';
                }
                if (property_exists($response, 'website')) {
                    if (is_array($response->website)) {
                        foreach ($response->website as $w) {
                            if ($w->primary == true)
                                $uc->webSiteURL = $w->value;
                        }
                    } else {
                        $uc->webSiteURL = $response->website->value;
                    }
                } else {
                    $uc->webSiteURL = '';
                }

                $contacts[] = $uc;
            }
        }
    }

    // Google social contacts
    if (strpos($this->scope, '/auth/plus.login') !== false) {

        $response = $this->api->api("https://www.googleapis.com/plus/v1/people/me/people/visible?"
                . http_build_query($this->config['contacts_param']));

        if (!$response) {
            return array();
        }

        foreach ($response->items as $idx => $item) {
            $uc = new Hybrid_User_Contact();
            $uc->email = (property_exists($item, 'email')) ? $item->email : '';
            $uc->displayName = (property_exists($item, 'displayName')) ? $item->displayName : '';
            $uc->identifier = (property_exists($item, 'id')) ? $item->id : '';

            $uc->description = (property_exists($item, 'objectType')) ? $item->objectType : '';
            $uc->photoURL = (property_exists($item, 'image')) ? ((property_exists($item->image, 'url')) ? $item->image->url : '') : '';
            $uc->profileURL = (property_exists($item, 'url')) ? $item->url : '';
            $uc->webSiteURL = '';

            $contacts[] = $uc;
        }
    }

    return $contacts;
}
```

You can see you are requesting this permission here on the confirmation screen if you click past all the warnings.
[screenshot]

[screenshot]

You must get this permission manually approved by Google. They will not approve it because a login module shouldn't be downloading everyone's contacts. You specify the m8 scope, so this approval is needed.

To fix this you need to remove this scope from the module. Just because for some reason you are able to get this working without approval doesn't change the fact that anyone else now setting up this module will need to be approved for the m8 scope.

You can see I have setup the app correctly as I am able to dismiss warning, type continue then login correctly. This is purely Google giving a warning because they have not granted permissions that the module is requesting. You have to stop requesting this permission.

Also in your video I can see you are doing it on localhost. Try doing it on a live domain that hasn't been previously approved and I'm guessing you will see the issue.
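The comments above come down to one check a reviewer of any social-login integration can run: does the authorization request ask for more than identity? The following Python audit is an added example for this thread, not code from the extension or from HybridAuth. It takes either a full Google authorization URL or the space-separated `scope` string a library would be configured with, and classifies each scope as needed for login, a contacts scope (the m8/feeds and auth/contacts scopes named in the thread), or something else. The allowlist, the contact-scope list, the `LOGIN_ONLY_SCOPE` string and the sample URL are assumptions constructed for the example.

```python
"""Audit the OAuth 2.0 scopes a "sign in with Google" flow requests.

Added example for this issue thread; it is not code from the extension or
from HybridAuth. The allowlist, the contact-scope list and the sample URL
below are constructed for the example.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Identity-only scopes: everything a login flow legitimately needs (assumed).
LOGIN_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scopes that expose the user's contacts; the thread names m8/feeds and
# auth/contacts as the ones Google refuses to approve for a login-only app.
CONTACT_SCOPES = {
    "https://www.google.com/m8/feeds",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/plus.login",
}

# Least-privilege scope string for a login-only integration (assumed value).
LOGIN_ONLY_SCOPE = (
    "openid https://www.googleapis.com/auth/userinfo.email "
    "https://www.googleapis.com/auth/userinfo.profile"
)

# Constructed sample: an authorization URL that still carries the m8 scope.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fshop.example%2Fsociallogin%2Fgoogle"
    "&scope=openid"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile"
    "+https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2F"
)


def _normalise(scope: str) -> str:
    # The m8 scope appears with and without a trailing slash; compare without it.
    return scope.strip().rstrip("/")


def scopes_from_url(auth_url: str) -> List[str]:
    """Return the scopes listed in the URL's space-separated `scope` parameter."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return raw.split()


def audit_scope_string(scope_string: str) -> Dict[str, object]:
    """Classify each requested scope as needed for login, contacts, or other."""
    needed, contacts, other = [], [], []
    for scope in scope_string.split():
        key = _normalise(scope)
        if key in LOGIN_SCOPES:
            needed.append(scope)
        elif key in CONTACT_SCOPES:
            contacts.append(scope)
        else:
            other.append(scope)
    return {
        "needed": needed,
        "contacts": contacts,
        "other": other,
        # True only when nothing beyond identity scopes is requested.
        "least_privilege": not contacts and not other,
    }


def audit_url(auth_url: str) -> Dict[str, object]:
    """Audit the scopes of a full authorization request URL."""
    return audit_scope_string(" ".join(scopes_from_url(auth_url)))


if __name__ == "__main__":
    for name, value in audit_url(SAMPLE_AUTH_URL).items():
        print(f"{name}: {value}")
```

Run against the sample URL, the audit reports the three identity scopes as needed, the m8/feeds scope as a contacts scope, and `least_privilege` as false; the same function run over a library's configured scope string tells you before any login attempt whether Google's verification flow will be triggered. The defender's fix is the one the thread reaches: configure only `LOGIN_ONLY_SCOPE` (or the library's equivalent) and drop the contacts scope entirely.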

@GuerrillaCoder is correct. Mageplaza should not deny the fact that this extension requests permission it doesn't need. Rather than arguing about how it works for some, they should remove this permission code. Google won't approve it because there is no good reason they should, because this is a login extension which has nothing to do with user contacts. It is a breach of user privacy.

commented

@GuerrillaCoder Thank you for your detailed report! Now I know where and when it happens. We will check again this issue.
@s00071609 We do not deny anything, you can read again all of my messages, the only thing I asked is how to reproduce the issue.

@gixid192 I am also having issue with facebook. They will not approve the "user_about_me" permission.

commented

@GuerrillaCoder Thanks so much for your report. We are checking again all the lib.
When the new version comes out, I will post a comment here.

commented

Hi all,
We just upgraded the extension, please get the latest version to fix this issue.

Release note:

- Improved code style and performance
- Fix bugs:
    + Google login - invalid scope #42 #64
    + Create two same mapping record #74
    + Error when creating multiple accounts in a short time
    + Change email send password to customer when creating account via social
    + Cannot log in if store use https://
    + Cannot log in if store uses Varnish cache #78

Hi All

I have implemented Mageplaza social auth login. I got approval from the Google team, but when I tried to log in using Google I got the below issue. Can anyone help?
[screenshot]

Ooophs, we got an error: User profile request failed! Google returned an invalid response:stdClass::__set_state(array( 'error' => stdClass::__set_state(array( 'errors' => array ( 0 => stdClass::__set_state(array( 'domain' => 'usageLimits', 'reason' => 'accessNotConfigured', 'message' => 'Access Not Configured. Google+ API issue