Android Quick Start App INVALID_AUDIENCE / Access Not Configured issue

[gaurav sinha]

I have Gitkitv3 up and running on my website with Google, Facebook and (sometimes working sometimes not working) Yahoo IDPs. I had used GAE Python for my website.
I tried the Quick Start Android app. I am getting the below error when I click "Sign in with Google":

09-22 14:38:31.622    1272-1504/system_process W/InputMethodManagerService﹕ Starting input on non-focused client com.android.internal.view.IInputMethodClient$Stub$Proxy@b12c6338 (uid=10007 pid=3898)
09-22 14:38:31.982    2347-2358/com.google.process.gapps W/GLSUser﹕ GoogleAccountDataService.getToken()
09-22 14:38:33.842    2347-2358/com.google.process.gapps W/GLSActivity﹕ [aus] Status from wire: INVALID_AUDIENCE status: null
09-22 14:38:33.842    2347-2358/com.google.process.gapps W/GLSActivity﹕ [aus] Status from wire: INVALID_AUDIENCE status: null
09-22 14:38:33.852    2347-2358/com.google.process.gapps I/GLSUser﹕ GLS error: INVALID_AUDIENCE admin@myapp.com audience:server:client_id:some_key_1.apps.googleusercontent.com
09-22 14:38:33.862    2347-2358/com.google.process.gapps W/GLSActivity﹕ [aus] Status from wire: Unknown status: UNKNOWN
09-22 14:38:33.902    2347-2358/com.google.process.gapps D/dalvikvm﹕ GC_FOR_ALLOC freed 483K, 18% free 3931K/4740K, paused 32ms, total 35ms
09-22 14:38:33.942    3872-3920/com.myapp.gsinha.myapp E/GooglePlusIdpClient﹕ Unrecoverable auth exception: Unknown
    com.google.android.gms.auth.GoogleAuthException: Unknown
            at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
            at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
            at com.google.identitytoolkit.idp.google.GoogleIdpClient$1.call(GoogleIdpClient.java:131)
            at com.google.identitytoolkit.idp.google.GoogleIdpClient$1.call(GoogleIdpClient.java:125)
            at com.google.identitytoolkit.executor.ProgressRequestExecutor$2.doInBackground(ProgressRequestExecutor.java:84)
            at com.google.identitytoolkit.executor.ProgressRequestExecutor$2.doInBackground(ProgressRequestExecutor.java:71)
            at android.os.AsyncTask$2.call(AsyncTask.java:288)
            at java.util.concurrent.FutureTask.run(FutureTask.java:237)
            at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
            at java.lang.Thread.run(Thread.java:841)

When I try "Sign In with Facebook", I get the error:

09-22 14:37:35.931    3872-3892/com.myapp.gsinha.myapp D/ApiRequest﹕ request: https://www.googleapis.com/identitytoolkit/v3/relyingparty/createAuthUri?key=some_key_here
09-22 14:37:36.021    3872-3872/com.myapp.gsinha.myapp W/EGL_emulation﹕ eglSurfaceAttrib not implemented
09-22 14:37:36.981    3872-3892/com.myapp.gsinha.myapp D/ApiRequest﹕ response: {
    "error": {
    "errors": [
    {
    "domain": "usageLimits",
    "reason": "accessNotConfigured",
    "message": "Access Not Configured. Please use Google Developers Console to activate the API for your project."
    }
    ],
    "code": 403,
    "message": "Access Not Configured. Please use Google Developers Console to activate the API for your project."
    }
    }

I am using Android Emulator (Target Name: Google APIs (x86 System Image) ) to test.

What am I doing wrong ? Kindly help.

[gaurav sinha]

I had changed the package to com.myapp.gsinha.myapp throughout.

I have replaced, in the below information, actual values with placeholder tokens : VALUE_W, VALUE_X, VALUE_Y, VALUE_Z
so that you can correlate the data.

In my AndroidManifest.xml, relevant changes made by me:

::
<data
                    android:host="gitkit"
                    android:scheme="com.googleusercontent.apps.VALUE_X" />
::
<meta-data
            android:name="identitytoolkit.show_providers"
            android:value="Google, Yahoo, Facebook" />
::
<meta-data
            android:name="identitytoolkit.api_key"
            android:value="VALUE_Y" />
<meta-data
            android:name="identitytoolkit.server_client_id"
            android:value="VALUE_X.apps.googleusercontent.com" />
<meta-data
            android:name="identitytoolkit.server_widget_url"
            android:value="http://www.myapp.com/oauth2callback" />
::

From the "Gooogle Developer Console" > "APIs & auth" > "Credentials", relevant data:

Client ID for web application

Client ID
    VALUE_X.apps.googleusercontent.com
Email address
    VALUE_X@developer.gserviceaccount.com
Client secret
    VALUE_W
Redirect URIs

        http://www.myapp.com/oauth2callback

Javascript Origins

        https://www.myapp.com
        https://myapp.appspot.com/
        http://www.myapp.com
        http://myapp.appspot.com/
       

       

Key for browser applications

API key
    VALUE_Y
Referers

        *.myapp.com/*
        *.myapp.appspot.com/*
        http://myapp.appspot.com/*
        https://myapp.appspot.com/*

Activation date
    Aug 28, 2014 11:47 AM
Activated by
    mye...@gmail.com (you)
Obsolete key
    VALUE_Z
Status
    Inactive

09-22 14:37:36.981    3872-3892/com.myapp<span style="color: #660;" cl

...

[Mengcheng Duan]

Invalid audience means either your Android app is not registered in Google cloud console or it is registered in a different project other than the one where the server client_id lives.

The 403 is caused by the browser API key referer restrictions. Currently the workaround is to create a new browser/android API key without referer/package restrictions.

We're working on a new release for Android API key support such that you can add package/cert hash restriction in the key.

- Mengcheng

--
You received this message because you are subscribed to the Google Groups "Google Identity Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-identity-t...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[gaurav sinha]

Thanks Mengcheng.
When I deleted the referrer restrictions from the existing "Key for browser applications" or added a "*" entry, it still did not work.

But, as you mentioned, I created a new "Key for browser applications" without referrer, it worked for Facebook and federated login.

Google login still does not work. I get the below error:

09-23 09:10:16.086  17272-17272/? I/eFrame﹕ pkgname_before:com.google.android.gms  class:com.myapp.gsinha.myapp.GitkitDemo
09-23 09:10:16.736    6456-6469/? W/GLSActivity﹕ [aus] Status from wire: INVALID_AUDIENCE status: null
09-23 09:10:16.736    6456-6469/? W/GLSActivity﹕ [aus] Status from wire: INVALID_AUDIENCE status: null
09-23 09:10:16.736    6456-6469/? I/GLSUser﹕ GLS error: INVALID_AUDIENCE admin@myapp.com audience:server:client_id:VALUE_1.apps.googleusercontent.com
09-23 09:10:16.736    6456-6469/? W/GLSActivity﹕ [aus] Status from wire: Unknown status: UNKNOWN
09-23 09:10:16.746  17239-17629/? E/GooglePlusIdpClient﹕ Unrecoverable auth exception: Unknown

    com.google.android.gms.auth.GoogleAuthException: Unknown
            at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
            at com.google.android.gms.auth.GoogleAuthUtil.getToken(Unknown Source)
            at com.google.identitytoolkit.idp.google.GoogleIdpClient$1.call(GoogleIdpClient.java:131)
            at com.google.identitytoolkit.idp.google.GoogleIdpClient$1.call(GoogleIdpClient.java:125)
            at com.google.identitytoolkit.executor.ProgressRequestExecutor$2.doInBackground(ProgressRequestExecutor.java:84)
            at com.google.identitytoolkit.executor.ProgressRequestExecutor$2.doInBackground(ProgressRequestExecutor.java:71)
            at android.os.AsyncTask$2.call(AsyncTask.java:288)
            at java.util.concurrent.FutureTask.run(FutureTask.java:237)
            at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
            at java.lang.Thread.run(Thread.java:841)

09-23 09:10:16.766    6456-6461/? D/dalvikvm﹕ GC_CONCURRENT freed 387K, 4% free 18162K/18812K, paused 3ms+3ms, total 36ms

 

I tested the above on my Nexus 5 and not on emulator.
Please suggest a solution.

On Tuesday, 23 September 2014 01:24:10 UTC+5:30, gaurav sinha wrote:

09-22 14:37:36.981    3872-3892/com.myapp<span style="color: #660;" cl

...

[gaurav sinha]

Thanks Mengcheng for your help.

The problem was that I had only one entry for "Client ID for Android application" for my existing Android app without Gitkit and with SHA1 as (say) "X".
I started from scratch on Gitkit based Android app with the same package name but a different SHA1 (say) "Y" as the signing key in Android Studio. There was no "Client ID for Android application" entry for this SHA key ("Y"). Since I did not need to specify this "Client ID for Android application" CLIENT ID anywhere in my Android app but had to use only "Client ID for web application" CLIENT ID, so I missed creating that.

(As per your suggestion)

After adding that new "Client ID for Android application" entry in Google Developer Console for the new SHA1 key and package name, the authentication started working perfectly for Google accounts too!

Thanks :)

On Tuesday, 23 September 2014 01:24:10 UTC+5:30, gaurav sinha wrote:

09-22 14:37:36.981    3872-3892/com.myapp<span style="color: #660;" cl

...