Reputation: 13511
I'm working on an MVC 5 app where I need to use oAuth2 from Google for authentication. There are quite a few tutorials out there (both typed and some video) that all show the same way of getting this setup but I simply cannot get them to work for me. So let me start from the beginning.
I started off using Rick Anderson's great blog post on how to get this setup. That blog post is a little bit dated so the steps are a little bit different when interacting with Google's site but aside from different navigation, all of the important information is in there and I was able to follow along. This led me to enabling the GooglePlus API and setting up the following Client ID to consume:
Fast forward to my code and I did the following things:
Startup.Auth.cs:
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
{
    ClientId = GoogleClientId,
    ClientSecret = GoogleClientSecret
});
At this point, I was able to get the Google button to show up on the Login screen:
When I click it, it takes me to Google's authentication/authorization screen where I grant access for my application to access my Google account information.
Here I click "Allow" and, sadly, this is where things go wrong. But some things go right as well. At this point, if I look at my Connected Apps under my Google account, I do see now that my MVC application shows up. So Google's end of things seems good, for the most part. But when I inspect the requests, a red flag pops up:
In speaking with a few folks who are smarter than I am (thx Mr. Galloway!), it was suggested that I follow the advice of this blog post. So long story short, I made the following changes:
/signin-googleplus
Install-Package Owin.Security.GooglePlus
Startup.Auth.cs
app.UseGooglePlusAuthentication(new GooglePlusAuthenticationOptions
{
    ClientId = GoogleClientId,
    ClientSecret = GoogleClientSecret
});
In digging into this Access Denied error with Fiddler, I can tell that the response from the request to /signin-google is where the error=access_denied first comes up:
Digging into that 403, I see this response:
HTTP/1.1 403 Forbidden
Vary: X-Origin
Content-Type: application/json; charset=UTF-8
Date: Tue, 14 Jun 2016 23:36:15 GMT
Expires: Tue, 14 Jun 2016 23:36:15 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="34,33,32,31,30,29,28,27,26,25"
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Content-Length: 213

{
 "error": {
  "errors": [
   {
    "domain": "usageLimits",
    "reason": "userRateLimitExceeded",
    "message": "User Rate Limit Exceeded"
   }
  ],
  "code": 403,
  "message": "User Rate Limit Exceeded"
 }
}
I have also tried these additional things just in case:
I really could use some help getting this redirect back from Google to work!
Upvotes: 3
Views: 4786
Reputation: 7350
> I started off using Rick Anderson's great blog post on how to get this setup.
It's working well for me (it's a good solution in my opinion), and the problem is probably somewhere else - read below.
> In speaking with a few folks who are smarter than I am (thx Mr. Galloway!), it was suggested that I follow the advice of this blog post. So long story short, I made the following changes
I've never used this, so I can't confirm if it's working.
> In digging into this Access Denied error with Fiddler,
> User Rate Limit Exceeded
Looks like you exceeded the limit on your Google Account - please read more about this here:
Upvotes: 3
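One way to get the cause behind the generic error=access_denied into the application's own trace log instead of relying on Fiddler, as an added example that is not part of the question or the answer: a logging handler on the middleware's server-to-server (backchannel) calls to Google, which reports any failed call, not only this 403. GoogleBackchannelLogger, DescribeError and GoogleAuthSetup are hypothetical names; the code assumes Microsoft.Owin.Security.Google 3.x, Newtonsoft.Json and System.Net.Http.WebRequest are referenced, and that BackchannelCertificateValidator is left unset.

```csharp
using System.Diagnostics;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Google;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical helper (not part of Katana): logs failed backchannel calls to Google.
public class GoogleBackchannelLogger : DelegatingHandler
{
    public GoogleBackchannelLogger() : base(new WebRequestHandler()) { }
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);
        if (!response.IsSuccessStatusCode && response.Content != null)
        {
            await response.Content.LoadIntoBufferAsync(); // keep the body readable afterwards
            var body = await response.Content.ReadAsStringAsync();
            // Log host and path only; never log query strings or request bodies.
            Trace.TraceWarning("Google backchannel {0} from {1}{2}: {3}", (int)response.StatusCode,
                request.RequestUri.Host, request.RequestUri.AbsolutePath, DescribeError(body));
        }
        return response;
    }
    // "domain/reason" from Google's JSON error envelope (see the 403 body in the question).
    public static string DescribeError(string body)
    {
        try
        {
            var first = JObject.Parse(body).SelectToken("error.errors[0]") as JObject;
            if (first == null) return "unrecognized error body";
            return (string)first["domain"] + "/" + (string)first["reason"];
        }
        catch (Newtonsoft.Json.JsonException) { return "non-JSON error body"; }
    }
}

public static class GoogleAuthSetup // hypothetical; call Use(...) from Startup.Auth.cs
{
    public static void Use(IAppBuilder app, string clientId, string clientSecret)
    {
        app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
        {
            ClientId = clientId, ClientSecret = clientSecret,
            BackchannelHttpHandler = new GoogleBackchannelLogger()
        });
    }
}
```

For the response body captured in the question, DescribeError returns "usageLimits/userRateLimitExceeded", which points at an API quota problem rather than at the client ID, secret or redirect URI.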