
I'm working on an MVC 5 app where I need to use oAuth2 from Google for authentication. There are quite a few tutorials out there (both typed and some video) that all show the same way of getting this setup but I simply cannot get them to work for me. So let me start from the beginning.

I started off using Rick Anderson's great blog post on how to get this set up. That blog post is a little bit dated, so the steps are a little bit different when interacting with Google's site, but aside from the different navigation, all of the important information is in there and I was able to follow along. This led me to enabling the Google+ API and setting up the following Client ID to consume:

[image: Google Client ID Settings]

Fast forward to my code and I did the following things:

  1. New MVC Application (Individual Accounts for Authentication)
  2. Enabled HTTPS (using IISExpress for now but I trusted the certificate to keep browsers happy)
  3. Configured my Startup.Auth.cs as such:

Startup.Auth.cs:

app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
    ClientId = GoogleClientId,
    ClientSecret = GoogleClientSecret
});

At this point, I was able to get the Google button to show up on the Login screen:

[image: Google button on the Login Screen]

When I click it, it takes me to Google's authentication/authorization screen where I grant access for my application to access my Google account information.


Here I click "Allow" and, sadly, this is where things go wrong. But some things go right as well. At this point, if I look at my Connected Apps under my Google account, I do see that my MVC application now shows up. So Google's end of things seems good, for the most part. But when I inspect the requests, a red flag pops up:

[image: access denied error]

In speaking with a few folks who are smarter than I am (thx Mr. Galloway!), it was suggested that I follow the advice of this blog post. So long story short, I made the following changes:

  1. Configured my redirect URI for the Google API to be /signin-googleplus
  2. Installed nuget package: Install-Package Owin.Security.GooglePlus
  3. Modified my Startup.Auth.cs as such:

Startup.Auth.cs

app.UseGooglePlusAuthentication(new GooglePlusAuthenticationOptions
{
    ClientId = GoogleClientId,
    ClientSecret = GoogleClientSecret
});

And the result was the same: access denied error again

In digging into this Access Denied error with Fiddler, I can tell that the response to the request to /signin-google is where error=access_denied first comes up:

[image: response redirecting to an access denied error]

Digging into that 403, I see this response:

HTTP/1.1 403 Forbidden
Vary: X-Origin
Content-Type: application/json; charset=UTF-8
Date: Tue, 14 Jun 2016 23:36:15 GMT
Expires: Tue, 14 Jun 2016 23:36:15 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="34,33,32,31,30,29,28,27,26,25"
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Content-Length: 213

{
 "error": {
  "errors": [
   {
    "domain": "usageLimits",
    "reason": "userRateLimitExceeded",
    "message": "User Rate Limit Exceeded"
   }
  ],
  "code": 403,
  "message": "User Rate Limit Exceeded"
 }
}

I have also tried these additional things just in case:

  • Multiple Google accounts (as a user, not owning the API account)
  • Incognito/InPrivate mode to ensure caches are cleared
  • Revoked application access to user accounts to try again

I really could use some help getting this redirect back from Google to work!

  • First: Did you turn on the OAuth2 API at the Google Developers Console? It's off by default. Commented Jun 14, 2016 at 23:44
  • @LukaszMakowej Yes I did. I edited my question a couple of minutes ago clarifying this. Commented Jun 14, 2016 at 23:46
  • Second: Paste here the full call-back URL from the browser (after calling Google), please. There can be information about the error; I'm not sure if Fiddler displays all of it. Commented Jun 14, 2016 at 23:47
  • @LukaszMakowej More Fiddler info was added. I think this digs into the heart of the problem, but I still don't know what the deal is. :-/ Commented Jun 14, 2016 at 23:52
  • User rate limit exceeded: you are going too fast; slow your code down. Max 10 requests a second, I think. Commented Jun 15, 2016 at 8:59

1 Answer

I started off using Rick Anderson's great blog post on how to get this setup.

It's working well for me (it's a good solution in my opinion), and the problem is probably somewhere else; read below.


In speaking with a few folks who are smarter than I am (thx Mr. Galloway!), it was suggested that I follow the advice of this blog post. So long story short, I made the following changes

Never used this, so I can't confirm whether it's working.


In digging into this Access Denied error with Fiddler,

User Rate Limit Exceeded

Looks like you exceeded the limit on your Google account; please read more about this here:

3 Comments

So I have gone to the Google API site and set my limits to the max, and it works. It was set to 25 logins per 100 seconds and I changed it to 500 logins per 100 seconds. That said, there was absolutely no way I was trying 25 logins within 100 seconds. I probably only tried 50 logins total over the course of a few hours (with no periods of hammering on the login button). This was all manual testing, no automation, and it was just me and nobody else. It doesn't make much sense to me why/how I was hitting this limit from the very beginning.
Yes, but the limit is not on login attempts, it's on token requests (get/refresh), so usually one login attempt generates one token request, but it can generate a few requests depending on circumstances. I'm not sure how the MVC OAuth middleware works, so I can't tell more. Maybe it's an issue with the middleware, or maybe Google did not reset your limit automatically.
Okay, so apparently I misunderstood what was being throttled here. That said, the Fiddler trace only shows 3 hits to Google servers (3 different endpoints, which is exactly what a sequence diagram in one of your links above suggests should happen), so I can't imagine the middleware (Owin) is that poorly off. I guess I need to dig deeper to figure out these quotas. Thanks for the help!
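The thread settles on two points: the quota Google enforces counts back-channel token and userinfo requests rather than logins, and the 403 body Google returns carries the real reason (usageLimits / userRateLimitExceeded), which the middleware hides behind a generic access_denied redirect. The following is an added example, not code from the question, the answer, or the Microsoft.Owin.Security.Google package. It hooks the real BackchannelHttpHandler and CallbackPath properties of GoogleOAuth2AuthenticationOptions with a hypothetical DelegatingHandler (GoogleBackchannelLoggingHandler, my name) that counts every request the middleware makes to Google and logs the parsed error reason on a 403, so the trace shows exactly which calls are consuming the quota and why they fail. The ConfigureGoogleAuth method name and the Trace-based logging are my choices; a real app would use its own logger.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Google;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical handler (added example) wrapping the middleware's back-channel HttpClient.
// Every request the OWIN Google middleware sends to Google (token exchange, userinfo)
// passes through SendAsync, so the counter tracks exactly what Google's quota counts.
public class GoogleBackchannelLoggingHandler : DelegatingHandler
{
    private static int _requestCount;   // back-channel requests since app start

    public GoogleBackchannelLoggingHandler() : base(new HttpClientHandler()) { }

    public static int RequestCount { get { return _requestCount; } }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        int n = Interlocked.Increment(ref _requestCount);
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        Trace.TraceInformation("Google back-channel call #{0}: {1} {2} -> {3}",
            n, request.Method, request.RequestUri, (int)response.StatusCode);

        if (response.StatusCode == HttpStatusCode.Forbidden)
        {
            // HttpContent is buffered, so reading the body here does not prevent the
            // middleware from reading it again afterwards.
            string body = await response.Content.ReadAsStringAsync();
            Trace.TraceError("Google returned 403 for {0}; reason = {1}",
                request.RequestUri, ExtractErrorReason(body));
        }
        return response;
    }

    // Parses the error shape shown in the question:
    // {"error":{"errors":[{"domain":"usageLimits","reason":"userRateLimitExceeded",...}],"code":403,...}}
    // and returns the first "reason" (e.g. "userRateLimitExceeded"), or a marker if absent.
    public static string ExtractErrorReason(string json)
    {
        try
        {
            JToken errors = JObject.Parse(json)["error"]?["errors"];
            JToken first = errors?.First;
            return (string)first?["reason"] ?? "unknown";
        }
        catch (Exception)
        {
            return "unparseable";
        }
    }
}

public partial class Startup
{
    // Hypothetical method name; the options properties are the real ones from
    // Microsoft.Owin.Security.Google.
    public void ConfigureGoogleAuth(IAppBuilder app, string clientId, string clientSecret)
    {
        app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
        {
            ClientId = clientId,
            ClientSecret = clientSecret,
            // Must match the redirect URI registered in the Google console exactly
            // (scheme, host, port and path); /signin-google is the middleware default.
            CallbackPath = new PathString("/signin-google"),
            // Route all back-channel traffic through the counting/logging handler.
            BackchannelHttpHandler = new GoogleBackchannelLoggingHandler()
        });
    }
}
```

With this in place, a single sign-in should log a small, fixed number of back-channel calls (the token exchange plus the userinfo lookup). If the counter climbs much faster than the number of sign-ins, the middleware is retrying or the page is triggering repeated challenges, which is what would exhaust a per-100-seconds quota without anyone hammering the login button; if the count is low but the 403 still appears, the logged reason confirms the quota on the Google side is what needs raising or resetting, rather than anything in the redirect configuration.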
