Example of an OAuth Homepage for Google - flutter

I have created a flutter application in both iOS and Android that uses OAuth2 in order to authenticate the app. While I can sign in successfully on iOS, Android gives the following error:
E/flutter ( 6309): [ERROR:flutter/lib/ui/ui_dart_state.cc(157)] Unhandled Exception: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null)
This is almost certainly because of a configuration issue in my OAuth verification request. Their rejection (see below) describes a homepage they require:
Dear Developer,
Thank you for submitting an OAuth App Verification request.
Unfortunately, we cannot proceed further with the verification process
until the requested things are provided.
As we discussed in our previous communication, to proceed with the
verification process for your project what-happend-here you will need
to provide a homepage that accurately represents your app’s identity
to Google users.
Every OAuth2 project requires a homepage. To ensure users’
understanding of your app’s purpose, your homepage should:
Be a verified domain under your ownership
Be accurate, inclusive, and easily accessible to all users
Link to an externally accessible domain that describes the necessary content, context, or connection to the app you are submitting
Explain with transparency the purpose for which your application requests user data
etc.
However, despite the description, I've no feel for what it should be like. Is there an example of such a page that I can use as a model?
Thanks for any help.

I've been back and forth with google over this issue. I can't give a simple answer, but I can summarize the items I've changed in order to meet compliance.
For context, I'm just using oauth on my personal webpage to identify users. I'm not selling an app. I'm not using restricted scopes. I'm not touching any user data.
This should be the simplest case, yet it was difficult to get approval. Each rejection reply is in the style of a form letter. I conclude that an AI has been trained against a set of compliant pages, and it "feels" mine isn't compliant, i.e. it's not able to point to a specific violation like a human or a rules-based system would. For this reason, I advise against spending time on your email replies. It doesn't seem that anyone reads them; just change your content and reply to get the AI to look again.
In the google console you must provide:
a homepage url
a privacy policy url
an uploaded icon image file
If you're using oauth for a website, don't confuse the oauth console "homepage url" with the base url of your website. Google wants a "homepage" that says "what your app is".
The content served at the homepage must have a <link rel="shortcut icon"> whose href points to the identical bytes of the icon you uploaded in the oauth console. If the bytes differ because you're using a scaled or differently styled image, you'll be rejected.
The content served at the homepage must have a privacy policy link where the href is identical to the characters entered at the console. If they're the same page, but differ by an anchor for example, you'll be rejected.
Also watch for caching. I changed the contents of my <link rel="shortcut icon"/> and got a reply that seemed to accept the icon but complain about another issue. Then when I fixed the other issue they rejected me for the icon again. I think since I changed the uploaded icon but didn't change its name that they later saw a cached icon. I changed just the url (thus invalidating their cache) and the next reply didn't complain about the icon.
If you're not using restricted scopes you shouldn't need the limited use disclosure, but I got a complaint about that so I added it.
Here's what I'm using for both the homepage and the privacy policy:
https://holtstrom.com/michael/about/
Here's how that looked at the time of this posting when it was finally approved.
You'll see that I have all of the google requirements rendered in underline followed by the text that satisfies the requirement.
In case it helps, here's the replies I received from Google:
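The two byte-exact requirements described in the answer above (the shortcut-icon href must serve exactly the uploaded icon bytes, and the privacy-policy href must be character-identical to the console value) are easy to get wrong and slow to debug through form-letter rejections. The following script is an added example, not code from the answer or from Google: it runs the same checks offline against a constructed sample site (the example.invalid domain, the icon bytes and the page markup are all made up), with a `fetch` callback standing in for an HTTP GET so it can be pointed at a real page later. It also shows the cache-busting trick from the answer, embedding a digest of the icon in its URL so a changed icon always gets a new URL.

```python
"""Offline pre-submission check for a Google OAuth consent-screen homepage.

Added example (not from the original post). Checks: the shortcut-icon href
serves the identical bytes that were uploaded in the console, and the privacy
policy link is character-identical to the console value. All sample data
below is constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin


class _LinkCollector(HTMLParser):
    """Collect icon <link> hrefs and <a> hrefs from the homepage markup."""

    def __init__(self):
        super().__init__()
        self.icon_hrefs = []
        self.anchor_hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # rel="shortcut icon" is a space-separated token list; match on "icon"
            rels = (a.get("rel") or "").lower().split()
            if "icon" in rels and a.get("href"):
                self.icon_hrefs.append(a["href"])
        elif tag == "a" and a.get("href"):
            self.anchor_hrefs.append(a["href"])


def versioned_icon_path(path, icon_bytes):
    """Cache-busting href: a digest of the icon bytes becomes part of the URL."""
    return f"{path}?v={hashlib.sha256(icon_bytes).hexdigest()[:8]}"


def check_homepage(page_url, html, fetch, uploaded_icon, console_privacy_url):
    """Return a list of problems; an empty list means the static checks pass.

    fetch(url) -> bytes or None stands in for an HTTP GET of the icon.
    """
    parser = _LinkCollector()
    parser.feed(html)
    problems = []

    if not parser.icon_hrefs:
        problems.append('no <link rel="shortcut icon"> on the homepage')
    else:
        icon_url = urljoin(page_url, parser.icon_hrefs[0])
        served = fetch(icon_url)
        if served is None:
            problems.append(f"icon href {icon_url} does not resolve")
        elif hashlib.sha256(served).digest() != hashlib.sha256(uploaded_icon).digest():
            problems.append("served icon bytes differ from the uploaded console icon")

    if console_privacy_url not in parser.anchor_hrefs:
        # Same page but not the same characters (extra anchor, trailing slash, ...)
        def norm(u):
            return u.split("#")[0].rstrip("/")

        near = [h for h in parser.anchor_hrefs if norm(h) == norm(console_privacy_url)]
        if near:
            problems.append(f"privacy link {near[0]!r} is not character-identical "
                            f"to console value {console_privacy_url!r}")
        else:
            problems.append("no link to the privacy policy URL entered in the console")
    return problems


# --- constructed sample site: fake domain, fake icon bytes ---
ICON = b"\x89PNG fake-icon-bytes-v1"
SCALED_ICON = b"\x89PNG fake-icon-bytes-scaled"
HOME = "https://example.invalid/about/"
PRIVACY = "https://example.invalid/about/"   # same page used for both, as in the answer

GOOD_HTML = f"""<html><head>
<link rel="shortcut icon" href="{versioned_icon_path('/favicon.png', ICON)}">
</head><body><a href="{PRIVACY}">Privacy policy</a></body></html>"""

BAD_HTML = """<html><head>
<link rel="shortcut icon" href="/favicon-32.png">
</head><body><a href="https://example.invalid/about/#privacy">Privacy policy</a></body></html>"""

SITE = {
    "https://example.invalid" + versioned_icon_path("/favicon.png", ICON): ICON,
    "https://example.invalid/favicon-32.png": SCALED_ICON,   # a resized copy: wrong bytes
}


def run_samples():
    """Run both sample pages through the check; returns (good_problems, bad_problems)."""
    good = check_homepage(HOME, GOOD_HTML, SITE.get, ICON, PRIVACY)
    bad = check_homepage(HOME, BAD_HTML, SITE.get, ICON, PRIVACY)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), run_samples()):
        print(label, "->", result or "OK")
```

To use it against a real page, pass the homepage URL and fetched HTML, a `fetch` that performs a GET and returns the body bytes, the exact file you uploaded in the console, and the privacy-policy URL copied character for character from the console field.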

Google OAuth Consent Screen Verification:
#Michael Holtstrom's answer works perfectly, and I got my app approved on just the 2nd attempt.
But since there is no information available anywhere on the internet regarding this,
I am posting my answer with all the screenshots, only to support #Michael Holtstrom's answer, so that you can move ahead with more confidence.
I was really worried for 3-4 days about whether my app would get approved or not, because this was the last part left in my project.
I was also using Google OAuth only to get email, name and profile picture.
My app could have got approved on the first attempt, but the first time the homepage I submitted had text selection disabled (because I built it using Flutter Web, on which text selection is disabled by default).
So, I think Google's AI was unable to read the text on the homepage, and thus asked me to update the homepage.
Next time, I built it using WordPress, and then my app got approved.
(And by the way, I'm using the Chrome extension Dark Reader, that's why all the screenshots have dark mode enabled.)
Youtube Video Url:
https://youtu.be/lzq9WjCXT6c
Consent screen form on GCP Console
Google OAuth Homepage
https://www.madhavkumar.in/about/
Privacy Policy
https://www.madhavkumar.in/privacy-policy/
Email thread with Google Trust Team

Related

facebook app not working on mobiles

I have a Facebook app (canvas app), let's say https://apps.facebook.com/test, that redirects and works as expected on the desktop (on all browsers that I have tested).
On mobile phones (both from the FB app and the browser) the path gets redirected to https://m.facebook.com/apps/test/?ref=web_canvas, which gives a "This page cannot be found" error. Why?
This has been reported as a bug to Facebook and Facebook has confirmed it as a bug. They have not provided a date on when the fix will be ready.
You can follow the status of the bug here:
https://developers.facebook.com/bugs/1051463851558493/
Update: Facebook have (since the information struck-out below) completely removed support for this. The thread about this is here:
https://developers.facebook.com/bugs/1051463851558493/
The top-level information is:
We have now deprecated Mobile Canvas URL. This means that you will no
longer be able to direct to a website/app directly within the Facebook
mobile web based upon the external destination URL you have specified
in the 'Mobile Site URL' field for the app on developers.facebook.com.
Furthermore, we have removed the 'Mobile Site URL' field from the app
setup going forward. This deprecation also applies to apps that were
previously whitelisted.
So it's time to move away from this functionality, and either integrate the newer FB Instant Games functionality or just link to an external website as having your canvas app hosted inside the FB mobile app simply isn't possible as it was in years gone by.
Facebook has disabled mobile URLs working by default:
We recently identified a handful of apps misusing our mobile App Center to redirect people to unauthorized sites. As a precaution, we have temporarily turned off the ability for developers to direct to a destination URL for any app in the "Mobile Site URL" field on the dev site.
Now if you wish for this functionality to work, you need to be logged into Facebook and then go to the following URL:
https://www.facebook.com/help/contact/588209321338256
This URL will effectively put your request in a queue, for someone at Facebook to manually verify your app configuration isn't malicious, and then enable the redirection. I do not like posting this answer, as I know it will eventually become invalid, but as of today it is the only answer. As stated by Scott, you can follow progress on this issue here:
https://developers.facebook.com/bugs/1051463851558493/
Please ignore the fact it claims the issue has been 'Fixed' as Facebook count the above workaround as a fix. If you read through the comments on the bug you can note the waiting time to get the URL fixed (on a per app basis) is typically several weeks.
On May 28th, 2017, Facebook confirmed that the Mobile Canvas URL has now been deprecated. Any apps already using it (and whitelisted) will stop working, and no new apps will be accepted.
Hi everyone,
First, please accept my sincere apologies for the delay in getting
back to you with an update on the status of Mobile Canvas URL. I
understand your frustrations, particularly if you submitted your
details via the form and were waiting on a response.
We have now deprecated Mobile Canvas URL. This means that you will no
longer be able to direct to a website/app directly within the Facebook
mobile web based upon the external destination URL you have specified
in the 'Mobile Site URL' field for the app on developers.facebook.com.
Furthermore, we have removed the 'Mobile Site URL' field from the app
setup going forward. This deprecation also applies to apps that were
previously whitelisted.
The Mobile Canvas URL feature is a vestige of a long ago deprecated
product called Mobile Canvas. Facebook maintains a high commitment to
quality, so we don't want to leave unsupported products active —
especially when they continue to cause bugs for our developers. Going
forward, we're recommending you take advantage of the well-supported
Facebook Games on Web product to drive traffic to your app.
We've also introduced Instant Games which lets people play mobile
games within Messenger and Facebook News Feed. We invite you to sign
up for our closed beta program. We believe letting people play games
together on Facebook is a powerful experience for both players and
developers.
If your app is still set up to rely on Mobile Canvas URL
functionality, we recommend taking the following actions:
If you're using Mobile Canvas to link to a page on mobile web, you need to update your app to handle the redirection in the desktop
iframe. User interaction is required to redirect away from web canvas
as our Platform Policy does not allow automated redirects from canvas.
If your app was previously whitelisted, you will need to take action as this deprecation supersedes any workarounds you have in place.
Thank you for your understanding as we continually improve the
products and services we offer to both developers and players. Again,
please accept my apologies for the wait in getting back to you with
this information
Best regards,
Tim
See this thread https://developers.facebook.com/bugs/1051463851558493/

Site URL has been been identified as malicious and/or abusive

This question has been around but my scenario is pretty tricky. I'm in the half-way of developing and launching a pretty large Facebook application (website) in Google App Engine and brought my own custom domain to point to the app id.
In the Facebook apps panel I registered :
1 application for the custom domain
1 application for the subdomain given by google app engine
For a few days I've been testing the application through the custom domain. I forgot to change the redirect URL in my authentication URL; its value was still left as the subdomain URL given by App Engine. So, the login process used to start from my custom domain and reach the subdomain in the address bar.
Facebook has been showing notifications that the custom domain is pretending to be a website that it is not and asked my testers to reset their Facebook password. I didn't promote that URL any longer. We continued testing OK with the subdomain URL.
Now in the Facebook apps dashboard I can't make any configuration changes in my custom domain configuration. It's showing
Error
App Domains: li__ke__2__marry.c__om (without __) is not a valid domain.
Site URL has been been identified as malicious and/or abusive.
It's basically a misunderstanding; the Facebook algorithm must have assumed that my custom domain must be doing something malicious after tracking its activity. Actually, it is not, and I'm not blaming the Facebook algorithm for this mishap.
My question is: How do I apply to have this negative rating removed? Facebook is a very reputed product, and I hope they follow the most basic principle: every in should be made with an out. If they have a feature to blacklist, I'm hoping to find a place where I can file a False Detection/Re-Classify Request. It hasn't cheated anybody, and all the few people that used it were my friends, and due to my laziness I was not testing it in sandbox mode nor did I register/configure any of them as application testers! But that doesn't mean my URL is malicious.
A similar request in the bug report feature of Facebook was rejected marking that it should be put in the Stack Overflow community and even in the Stack Overflow community, I found someone authoritative closing a similar question asking them to post it in the bugs section of Facebook. This link from the community for the exact problem forwards the user to Stack Overflow itself.
Here is a form for appealing blocked content (in your case a URL). However, there is very little chance of getting your URL unblocked, but you may still try this form and hope to get a reply from Facebook. In any case, if your URL is unblocked there is a high probability that your future users will see a captcha when visiting your app from mobile devices. So I recommend changing the URL and continuing development with another URL.

How do I get access to my client ID and auth? Original developers moved on

OK, here is my situation. We had two developers create a Social Networking program for us. They created a feature that allows it to link to your Facebook account. They said they used the standard Facebook API and that it uses a token for authorization. The feature worked great when the code was on our dev site, dev.maizing.com, but now that it is on www.maizing.com we are having a problem.
I searched and found one PHP file that had several references to dev.maizing.com and I changed them to www.maizing.com. In our app now when I try to link to my Facebook account, I get a long error url. I noticed it includes ....
https://www.facebook.com/dialog/oauth?client_id=____________
I won't include the whole client_id here.
What I was told is that my original client ID was hardcoded to work with dev and not www. My original developers are gone and are unreachable. I think they have the client_id under another account and I don't have access to it. How can I get access now to make our client_id point to the right server?
Your AppID shown on your app dashboard page is the client_id.
Sounds like you need access to the apps settings, found here:
https://developers.facebook.com/apps/[client_id]/summary/
As this page says, "The URL you specify must be a URL with the same base domain specified in your app's settings..."
So unless you get access to your app settings, you have to stay with "dev.maizing.com"
Sorry.
There is a silver lining though: if you change your app domain to "maizing.com" instead of "dev.maizing.com" then you can use this app from "*.maizing.com", as stated in the tooltip for app domain.

What parameters are allowed in Desktop web game policy change?

We have a browser based game which uses Facebook Connect through an AppID that we used to run the same game in a canvas until Fb Credits were introduced and we were forced to shut it down. Now, we only use the App the same way as a product page with the FbConnect integration on our own site.
Today's mail states for our case:
If your Connect app is accessing user connections or asking for additional permissions beyond age, email, and our Publishing Permissions, please remove these requests.
(This refers to this policy change: https://developers.facebook.com/blog/post/2012/09/05/platform-updates--operation-developer-love/)
We are using oauth FbConnect with scope=email,user_birthday. This is exactly what was specified in an earlier mail so it should be ok.
Once the user is authenticated, we simply call
https://graph.facebook.com/me?access_token=...
and read what comes there.
Is it possible, that we are not allowed to call the GraphAPI's me anymore? It contains info like gender, location and locale...
The Oauth data contains the fbuid, first/lastname and the email, but it does not contain the age, what we are supposed to be allowed to ask?
Do I have to call https://graph.facebook.com/me?fields=birthday explicitly?
Did anyone actually succeed in getting a "desktop web game hosted primarily off Facebook" to comply with their new policy without creating a new AppID?
Note: There have been a couple of questions about the "Sep 5th policy change" like Facebook: Notice of Violation this one and many previous closed as duplicates, but none I found so far contains questions or answers on a technical level.
Maybe you could skip the "Website with Facebook Login" part in developer settings and only provide your game directly via canvas (e.g. apps.facebook.com/logogame). That's what "on facebook.com" is all about, I guess.

Blank Canvas Page for iFrame App

I'm working on an iframe style app that pulls the facebook optimized page available at http://store.starrco.com/?store_mode=facebook. I've done other, admittedly much simpler, iframe apps before without issue, but though I've configured this one more or less the same, when I try to view the canvas url it remains blank.
My settings can be seen here: http://www.abstraktmg.com/clients/starrco/starrcofbsettings.jpg
I've tried a few different permutations of this with the same results, this is the most complete setup though and most closely matches the settings template I was given.
This page is being generated by Webasyst's shop-script, which is specifically supposed to support this. The obvious answer then is to contact their support which I did, but after assuring them that my app settings matched their template, they said I needed to contact Facebook support and this is as close as I could find to any proper support system.
I checked both http and https versions of store.starrco.com/?store_mode=facebook and both worked outside of facebook.
However, there may be some framebusting code which might prevent the site from being loaded in an iframe. And I see that your settings appear to be missing the app domain entry.
I ran into the same problem, especially in Chrome and Firefox. The problem is, when the user is browsing Facebook over https, the https version of the iframe is called. But the browser does not show invalid certificate problems until you right-click and open the page information.
You need to have a signed SSL cert by a CA trusted in the browser.
If the user has accepted it without the iframe - outside of Facebook, it works.
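The two answers above name the usual causes of a blank canvas: framebusting code that refuses to render inside an iframe, and a certificate the browser silently rejects for the https version of the page. The following added example (not code from the answers or from Facebook) covers the first cause offline: given a page's response headers and body, it lists every reason a browser would refuse to frame it from the canvas host, checking the X-Frame-Options header, a CSP frame-ancestors directive that excludes the embedding origin, and common JavaScript framebusting idioms in the markup. The sample responses are constructed; the embedding origin https://apps.facebook.com is assumed from the canvas URLs quoted on this page. The certificate problem needs a live TLS connection and is not covered here.

```python
"""Why would a page render blank inside a canvas iframe? (added example)

Reports framing blockers from a response's headers and body: X-Frame-Options,
CSP frame-ancestors, and JavaScript framebusting patterns. Sample responses
below are constructed; the embedding origin is an assumption.
"""
import re

EMBEDDING_ORIGIN = "https://apps.facebook.com"   # assumed canvas host

# Heuristic patterns for classic framebusting scripts.
FRAMEBUST_PATTERNS = [
    r"top\.location\s*(?:\.href\s*)?=",     # top.location = self.location
    r"top\s*!==?\s*(?:self|window)",        # if (top !== self) ...
    r"(?:self|window)\s*!==?\s*top",        # if (self != top) ...
    r"window\.top\s*!==?\s*window\.self",
]


def _csp_allows_ancestor(csp, origin):
    """True/False if the CSP has a frame-ancestors directive, None if it does not."""
    scheme, host = origin.lower().split("://", 1)
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if "none" in sources:
            return False
        if "*" in sources:
            return True
        for src in sources:
            if src == scheme + ":":            # scheme-only source, e.g. https:
                return True
            src_host = src.split("://", 1)[-1]  # drop an optional scheme
            if src_host == host:
                return True
            if src_host.startswith("*.") and host.endswith(src_host[1:]):
                return True                    # *.facebook.com matches apps.facebook.com
        return False                           # 'self' or other hosts only
    return None


def frame_blockers(headers, body, origin=EMBEDDING_ORIGIN):
    """Return the list of reasons the page cannot be framed from `origin`."""
    reasons = []
    h = {k.lower(): v for k, v in headers.items()}

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        reasons.append(f"X-Frame-Options: {xfo} blocks framing from {origin}")

    if _csp_allows_ancestor(h.get("content-security-policy", ""), origin) is False:
        reasons.append(f"CSP frame-ancestors does not allow {origin}")

    for pattern in FRAMEBUST_PATTERNS:
        if re.search(pattern, body):
            reasons.append(f"framebusting script matches /{pattern}/")
            break
    return reasons


# --- constructed sample responses ---
BLOCKED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
BLOCKED_BODY = """<html><head><script>
if (top !== self) { top.location = self.location; }
</script></head><body>Store</body></html>"""

ALLOWED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "frame-ancestors 'self' https://*.facebook.com",
}
ALLOWED_BODY = "<html><body>Store</body></html>"


def run_samples():
    """Returns (blockers for the blocked sample, blockers for the allowed sample)."""
    return (frame_blockers(BLOCKED_HEADERS, BLOCKED_BODY),
            frame_blockers(ALLOWED_HEADERS, ALLOWED_BODY))


if __name__ == "__main__":
    for label, result in zip(("blocked", "allowed"), run_samples()):
        print(label, "->", result or "can be framed")
```

The pattern list is a heuristic, not a parser: it catches the idioms found in typical framebusting snippets and reports the first match, so a clean result means no header blocks framing and nothing obvious was found in the markup, not a guarantee.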