Google authentication from web api: access_denied error

I am trying to implement OAuth authentication for WebApi. I have created a controller (directly from the example) with the method:

    [OverrideAuthentication]
    [HostAuthentication(DefaultAuthenticationTypes.ExternalCookie)]
    [AllowAnonymous]
    [Route("ExternalLogin", Name = "ExternalLogin")]
    public IHttpActionResult GetExternalLogin(string provider, string error = null)
    {
        string redirectUri = string.Empty;

        if (error != null)
        {
            // However, the Google API returns 'access_denied' as the error.
            return BadRequest(Uri.EscapeDataString(error));
        }

        if (!User.Identity.IsAuthenticated)
        {
            // This runs on the first execution.
            return new ChallengeResult(provider, this);
        }

        // Here we should continue with the Google API callback.
        // ... Rest doesn't matter here.
    }

ChallengeResult:

    public class ChallengeResult : IHttpActionResult
    {
        public string LoginProvider { get; set; }
        public HttpRequestMessage Request { get; set; }

        public ChallengeResult(string loginProvider, ApiController controller)
        {
            LoginProvider = loginProvider;
            Request = controller.Request;
        }

        public Task<HttpResponseMessage> ExecuteAsync(CancellationToken cancellationToken)
        {
            Request.GetOwinContext().Authentication.Challenge(LoginProvider);

            var response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            response.RequestMessage = Request;
            return Task.FromResult(response);
        }
    }

The GetExternalLogin method is called twice: the first call is from me, and after that the API sends the ChallengeResult to Google. I am redirected to the Google site and asked questions for valid scope (can I access e.g. email, profile information and so on). I press yes, everything is okay for me. However, after that the Google callback returns the 'access_denied' error string to this method.

Any idea what may be wrong? The call I used was:

http://localhost:8080/api/Account/ExternalLogin?provider=Google&response_type=token&client_id=49235566333-78t8252p46lo75j5e52vda3o1t8fskgc.apps.googleusercontent.com&redirect_uri=http://localhost:8080

The client_id is replaced with a dummy account.

The redirect_uri is defined correctly in the Google console; the error is different if it is incorrect.

Tried: "Listing Circles with Google+ for Domains API fails in access_denied", but the IDs are identical.

Edit: After hours of debugging I have figured out that the difference between my solution and the example is the Microsoft.Owin.Security.Google package. The example uses version 2.1.0, and if I update it to 3.0.0 this problem appears.

No idea of the root reason yet, though.

I had this issue as well. To resolve the issue, try modifying your Google app to use the Google + API. I was using only the "Identity Toolkit API" before. According to the article that Pranav pointed out, when you upgrade to Google Middleware 3.0.0 (Microsoft.Owin.Security.Google) you need to use the Google + API.
