Alie

Reputation: 33

"policy_enforced" error when exchanging OAuth2 token for Google Plus

Our app used to work fine until last Tue. We kept getting a "policy_enforced" error while exchanging the OAuth2 token for Google Plus. The response from Google is:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException: 
Error:"policy_enforced", 
Description:"Access denied by a security policy established by the Google Apps administrator of your organization. Please contact your administrator for further assistance.", 
Uri:""

We're using google-api-dotnet-client and the code is straightforward enough.

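using System.Threading;
using Google.Apis.Auth.OAuth2.Flows;

// client, scopes, guid, code and redirectUri are defined elsewhere in the app.
var flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
    DataStore = new CustomGoogleDataStore(),
    ClientSecrets = new global::Google.Apis.Auth.OAuth2.ClientSecrets { ClientId = client.ID, ClientSecret = client.Secret },
    Scopes = scopes.Split(' '), // scopes is a space-separated string
});
// Exchange the authorization code for tokens; guid is passed as the user ID argument.
var token = flow.ExchangeCodeForTokenAsync(guid, code, redirectUri, CancellationToken.None).Result;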

The scopes are:

"https://www.googleapis.com/auth/plus.login",
"https://www.googleapis.com/auth/plus.profile.emails.read",
"https://www.googleapis.com/auth/plus.me",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/userinfo.email",
"https://mail.google.com/"

This issue happens randomly. Until now I cannot find a way to 100% reproduce it.

Please let me know what this issue is and any suggestion is appreciated.

Upvotes: 3

Views: 2495

Answers (1)

Barani

Reputation: 592

I faced the same problem recently. After contacting the Google team, we found this problem occurred because of a mismatch between the authorized scopes and what we were requesting at login time. We used the latest authorization scopes, profile and email, at user login. But in the GAM API console Google hardcoded the deprecated scopes
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email

After reverting the latest authorization scopes to the deprecated scopes, login works fine.

Upvotes: 2
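
The mismatch described in the answer (short scope names requested at login, deprecated URL forms on the administrator's authorized list) can be checked before the token exchange. The following is an added example, not code from the posts above or from google-api-dotnet-client; the `ScopeAudit` class, its result labels and the sample authorized list are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class ScopeAudit
{
    // Short scope names and the deprecated URL forms named in the answer.
    static readonly Dictionary<string, string> Alias = new Dictionary<string, string>
    {
        ["profile"] = "https://www.googleapis.com/auth/userinfo.profile",
        ["email"]   = "https://www.googleapis.com/auth/userinfo.email",
    };

    static string Canonical(string scope) =>
        Alias.TryGetValue(scope, out var url) ? url : scope;

    // Classifies each requested scope against the admin-authorized list:
    // "ok" = literal match, "alias-mismatch" = same permission but a different
    // string (the failure mode in the answer), "not-authorized" = absent.
    public static Dictionary<string, string> Compare(string requested, IEnumerable<string> authorized)
    {
        var exact = new HashSet<string>(authorized, StringComparer.Ordinal);
        var canonical = new HashSet<string>(exact.Select(Canonical), StringComparer.Ordinal);
        var result = new Dictionary<string, string>();
        foreach (var scope in requested.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries).Distinct())
        {
            if (exact.Contains(scope)) result[scope] = "ok";
            else if (canonical.Contains(Canonical(scope))) result[scope] = "alias-mismatch";
            else result[scope] = "not-authorized";
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample: the admin list holds the deprecated URLs,
        // while the app requests the short names plus the Gmail scope.
        var authorized = new[]
        {
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/userinfo.email",
        };
        var requested = "profile email https://mail.google.com/";
        foreach (var kv in Compare(requested, authorized))
            Console.WriteLine($"{kv.Value,-15} {kv.Key}");
    }
}
```

Any scope reported as `alias-mismatch` or `not-authorized` is a candidate cause of the `policy_enforced` response and should be reconciled with the domain administrator's authorized list.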
