RE: How to setup OAuth properly

@mark-robustelli

Hello, sorry for away from this topic for a week due to my other ad hoc job,

I've already solved this topic, it's not about setting on Fusionauth or google credential.

but it's because I used google's client id on Fusionauth callback and
after you told me to set applicationId in my Fusionauth admin then I used ApplicationId on google oauth's callback.

that's why it kept return me client id is invalid.

it was right under my nose, but I couldn't see it.

Thank you for reply me, that's very helpful, It would take more time if you didn't help me.

@mark-robustelli

I think I did misunderstand after taking a look at the document again.

for this moment I can make a redirect login from my site and retrieve access token there is some issue left at my site. I will let you know after I solve those probs.

thank you for replying.

@mark-robustelli

oh, I saw the oauth consent screen but for some reason it redirect me to other page, looks like I'm not allowed to access this page.

but I don't think it was a root cause of my error due to the error kept showing me "invalid client id" in my redirect scenario and "redirect uri mismatch" in futionauth console scenario.

@mark-robustelli

thank you for replying.

My auth platform(Nest js) was implemented on top of FusionAuth in order to make some features for authentication and authorization.

and I do want to allow a new user to sign-in and access my platform without register by using sso feature.

I defined a login and callback function(as I've written above) for the web application using redirect method.

---

I also enable sign-in google button at the fusionauth admin in order to test the credential and as I showed you that I still encouter the invalid client error.

I believe that it's not that so complicated due to the document is easy to replicate but for some reasons I still get the error.

---

Lastly I havn't seen any section in credetial page that can define scope, may you tell me about this section.

@mark-robustelli

and to be clear, the error dialog I posted above was from fusionauth admin console

but if I call the request to this function

@Get("oauth/login")
async login(@Req() req: Request, @Res() res: Response) {
const fusionAuthURL = ${process.env.FUSIONAUTH_ISSUER}/oauth2/authorize?client_id={secret}&response_type=code&redirect_uri=${"my redirect url"};
return res.redirect(fusionAuthURL);
}

it still returns me
{
"error" : "invalid_client",
"error_description" : "client_id: {secret} is not valid.",
"error_reason" : "invalid_client_id"
}

@mark-robustelli

is this what you mentioned?

I had added it a few days ago and it shows me this error

Actually, we made a progress since a few days ago the error said I need to define scope.

as I replied earlier I add redirect uri in FusionAuth console and invalid_redirect_uri is gone.

and this moment still get this error using Google Oauth flow.

I replaced redirect uri "https://mydomain/callback" as I did in Fusionauth admin console but still get the same error.

@mark-robustelli

redirect url is valid now, it takes me to this login page again, expect flow is using google oauth flow, but we made a progress.

@mark-robustelli
Hi thank you for replying, and sorry for away a few days due to my group shut down the service during weekend and night time.

I try using url from this "OAuth IdP login URL", as a login function

@Get("oauth/login")
async login(@Req() req: Request, @Res() res: Response) {
const fusionAuthURL = ${process.env.FUSIONAUTH_ISSUER}/oauth2/authorize?client_id=1133784f-7f6e-4eda-a33b-7fd1164f6509&response_type=code&redirect_uri=${"my redirect url"};
return res.redirect(fusionAuthURL);
}

but it returns me
{
"error" : "invalid_request",
"error_description" : "Invalid redirect_uri {my redirect url},
"error_reason" : "invalid_redirect_uri"
}

PS. I replaced the direct url as a "my redirect url".

the value of my direct url is a url path that request to this

@Get("oauth/callback")
async callback(@Req() req: Request, @Res() res: Response) {
const user = req.user;

// skip access token

// res.cookie("token", jwtToken, { httpOnly: true });

return res.redirect(`${process.env.FRONTEND_URL}`);

}

@mark-robustelli

oh, I changed client id in identity provider to app id,

the error dialog still the same error

{
"error" : "invalid_client",
"error_description" : "client_id: {"still be google client id not app id"}apps.googleusercontent.com is not valid.",
"error_reason" : "invalid_client_id"
}

it seems the id that was shown in the error dialog
is from the web service controller "process.env.FUSIONAUTH_CLIENT_ID"

@Get("oauth/login")
async login(@Req() req: Request, @Res() res: Response) {
const fusionAuthURL = ${process.env.FUSIONAUTH_ISSUER}/oauth2/authorize?client_id=${process.env.FUSIONAUTH_CLIENT_ID}&redirect_uri=${process.env.FUSIONAUTH_REDIRECT_URI}&response_type=code&scope=openid email profile;
return res.redirect(fusionAuthURL);
}

but in credential page isn't complicated.

anyway, I did enable and attemp to login from fusion auth admin page

and got this error.