Cannot get the email using OAuth2
-
wrote on 25 Sept 2024, 15:20 last edited by
I have a Qt desktop application with a "Sign in with Google" button.
I set up an OAuth auth process with the aim of getting the token and thus the user email. My problem is the scope.
If I set it in this way:
m_oauth->setScope("email");
or in this way:
m_oauth->setScope("https://www.googleapis.com/auth/userinfo.email");
I don't get the token and the server reply is this:
qt.networkauth.oauth2: Token request failed: "Error transferring https://oauth2.googleapis.com/token - server replied: "
If I set it in this way it works
m_oauth->setScope("email https://www.googleapis.com/auth/drive.readonly");
I can get the token and then I use it to retrieve the user email (I had to enable the Google drive API in library for this).
I cannot understand the difference and why I have to use the drive api. For the first case I enabled People API in the console, I also looked for an api called Google OAuth2 in the library list but I could not find it.
Can I have some help in understanding the problem?
-
Hi,
Did you set the scope in your Google OAuth application?
-
wrote on 25 Sept 2024, 18:51 last edited by
Sure I did. As I wrote in the post, I have to write the scope in this way to get the email:
m_oauth->setScope("email https://www.googleapis.com/auth/drive.readonly");
This makes no sense because I don't need to interact with Google Drive at all, but if I don't add the scope in that way, it doesn't work.
This is my minimal working code:
m_oauth = new QOAuth2AuthorizationCodeFlow(this);
m_oauth->setScope("email profile https://www.googleapis.com/auth/drive.readonly");
connect(m_oauth, &QOAuth2AuthorizationCodeFlow::authorizeWithBrowser, [=](QUrl url) {
    QUrlQuery query(url);
    query.addQueryItem("prompt", "consent"); // Param required to get data every time
    query.addQueryItem("access_type", "offline"); // Needed for Refresh Token (as AccessToken expires shortly)
    url.setQuery(query);
    QDesktopServices::openUrl(url);
});
m_oauth->setAuthorizationUrl(QUrl("https://accounts.google.com/o/oauth2/auth"));
m_oauth->setAccessTokenUrl(QUrl("https://oauth2.googleapis.com/token"));
m_oauth->setClientIdentifier("CLIENT_ID");
m_oauth->setClientIdentifierSharedKey("CLIENT_SECRET");
auto replyHandler = new QOAuthHttpServerReplyHandler(5476, this);
m_oauth->setReplyHandler(replyHandler);
connect(m_oauth, &QOAuth2AuthorizationCodeFlow::granted, [=]() {
    qDebug() << "Access Granted!";
    QString accessToken = m_oauth->token();
    fetchGoogleUserProfile();
});
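An added example, not part of the original post and not Qt or Google code: a standard-C++ check that compares the scopes an application needs with the scope field of a token response, so a grant wider than the email scope (such as the drive.readonly workaround above) is flagged. The helper names, the alias mapping for "email"/"profile", the tolerance of "openid" and the sample response are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Assumption: the short scope names and their long googleapis.com forms are
// equivalent, so both are mapped to one canonical spelling before comparing.
std::string canonicalScope(const std::string &s) {
    if (s == "email")   return "https://www.googleapis.com/auth/userinfo.email";
    if (s == "profile") return "https://www.googleapis.com/auth/userinfo.profile";
    return s;
}

// Split a space-delimited scope string (RFC 6749, section 3.3) into a canonical set.
std::set<std::string> parseScopes(const std::string &scopeField) {
    std::set<std::string> out;
    std::istringstream in(scopeField);
    for (std::string tok; in >> tok;) out.insert(canonicalScope(tok));
    return out;
}

struct ScopeAudit {
    std::set<std::string> missing; // needed by the application but not granted
    std::set<std::string> excess;  // granted although the application does not need it
    bool ok() const { return missing.empty() && excess.empty(); }
};

// Compare what the application needs with what the token response says was granted.
ScopeAudit auditScopes(const std::string &needed, const std::string &granted) {
    const auto need = parseScopes(needed), got = parseScopes(granted);
    ScopeAudit a;
    for (const auto &s : need)
        if (!got.count(s)) a.missing.insert(s);
    for (const auto &s : got) // assumption: "openid" grants no API access, so it is tolerated
        if (!need.count(s) && s != "openid") a.excess.insert(s);
    return a;
}

int main() {
    // Constructed sample: scope field of a token response for the request shown above.
    const std::string granted = "https://www.googleapis.com/auth/userinfo.email "
                                "https://www.googleapis.com/auth/drive.readonly openid";
    const ScopeAudit a = auditScopes("email", granted);
    for (const auto &s : a.excess) std::cout << "excess scope granted: " << s << '\n';
    for (const auto &s : a.missing) std::cout << "needed scope missing: " << s << '\n';
    std::cout << (a.ok() ? "grant matches need" : "grant differs from need") << '\n';
    return 0;
}
```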
-
wrote on 25 Sept 2024, 18:58 last edited by
This is no longer Qt or even C++ related - you should consult Google (I wish you luck though).
There is something unclear to me with the way your project is set up on the Google side - emails, primary emails in this case I think, come from
https://www.googleapis.com/auth/admin.directory.user.readonly
scope which in turn comes from Admin SDK API. But in order to get that level of access one needs to be an admin (or have a friendly one at hand) of a Google Workspace domain/org. Coming for primaries using Drive SDK is... well, it works but that's not the way.
-
wrote on 25 Sept 2024, 19:12 last edited by franco.amato
@artwaw so what should I do?
What I need in my project is only to get the email associated with the account
-
wrote on 25 Sept 2024, 19:37 last edited by
If it works with the scope you have...
But the catch is, it only will list users having Drive enabled. If you have an account with access to Drive application disabled, they will obviously not show.
If you're the admin of the GWorkspace:
You need, in Google Developer Console, to open the project, enable Admin SDK API access for the project. Scope you have above - it is readonly but if all you need to do is read that should be enough. Make sure your OAuth settings are valid after the changes, Admin SDK is not something you'd like to give access to anyone random ;)
If you're not the admin - find someone who set this up for you, ask for the API to be enabled.
-
wrote on 25 Sept 2024, 20:05 last edited by franco.amato
After enabling the Admin SDK, can any user that has a Google account log in to the application?
I have a Qt app where users should log in, I am adding the feature to log in through Google, so I need any user having a Google account to be able to log in to the app, not only the Google Workspace administrators, or maybe am I wrong?
-
wrote on 26 Sept 2024, 07:56 last edited by
@franco-amato we are drifting further and further away from Qt ;)
You are confusing functionalities.
Enabling Admin SDK allowed your application to successfully verify existence (or lack thereof) of any primary email against your Google Workspace user directory.
What action you take after the user is (or is not) verified is an absolutely separate workflow - you have the information that the user does or does not exist; you can obtain further information about their security groups membership, custom data and whatnot. You can allow them into your application based on that or not.
In real life solutions I implemented we controlled access in general and access level in particular based on the security groups membership with additional parameters supplied through custom scheme data in the account as our tools were not designed for the whole domain to use. Your use case might vary, of course.
What I am trying to convey here is that only you know the answer to your question - you can allow them, you can forbid, you have all the data once user attempts authentication. Just please, make it all sensible with regards to account security (especially credentials used to validate your program against Google API).