
OAuth2 auth code flow

Open rocketraman opened this issue 3 years ago • 10 comments

Describe the bug

OAuth2 does not work with Google. Have tried both the authorization code flow and implicit grant flow, and both have the same error. The OAuth2 client credentials type in the Google console is "Web application".

This browser or app may not be secure.

Try using a different browser. If you’re already using a supported browser, you can refresh your screen and try again to sign in.

To Reproduce

Steps to reproduce the behavior:

  1. Use a request using oAuth2
  2. Use Google as the identity provider for sign in

Expected behavior

It should work.

Screenshots

[image]

Desktop (please complete the following information):

  • OS: Linux
  • Installation Method: Flatpak
  • App Version: 2021.3.0

Additional context

Same issue as https://github.com/Kong/insomnia/issues/2185.

rocketraman avatar Jun 03 '21 15:06 rocketraman

same.

AlexandreLage avatar Jun 04 '21 02:06 AlexandreLage

Thanks, can confirm.

Steps to reproduce

  1. open the dev console
  2. make a GET request to http://gmail.com (https has the same behavior)
  3. note Uncaught DOMException: Failed to read the 'cookie' property from 'Document': Cookies are disabled inside 'data:' URLs. at m (data:text/html; errors
  4. enter abcdefg into the input and hit next
  5. note the following errors
electron/js2c/renderer_init.js:135 Electron Security Warning (enableBlinkFeatures) This renderer process has additional "enableBlinkFeatures"
  enabled. This exposes users of this app to some security risk. If you do not
  need this feature, you should disable it.

For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
electron/js2c/renderer_init.js:15 (electron) Security Warning: webFrame.executeJavaScript was called without worldSafeExecuteJavaScript enabled. This is considered unsafe. worldSafeExecuteJavaScript will be enabled by default in Electron 12.
electron/js2c/renderer_init.js:135 Electron Security Warning (enableRemoteModule) This renderer process has "enableRemoteModule" enabled
    and attempted to load remote content from 'https://accounts.google.com/signin/rejected?rrk=46&hl=en'. This
    exposes users of this app to unnecessary security risks.

For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.
electron/js2c/renderer_init.js:135 Electron Security Warning (Insecure Content-Security-Policy) This renderer process has either no Content Security
    Policy set or a policy with "unsafe-eval" enabled. This exposes users of
    this app to unnecessary security risks.

For more information and help, consult
https://electronjs.org/docs/tutorial/security.
This warning will not show up
once the app is packaged.

Could you say a little bit more about the use-case here? What is it that you are trying to accomplish that you need oAuth2 for? Don't get me wrong, as far as I'm concerned this is definitely broken, but I want to better understand your ultimate goal for how you're using insomnia.

dimitropoulos avatar Jun 04 '21 13:06 dimitropoulos

@dimitropoulos Well funnily enough, that's a bit of a complex answer...

My situation is that I have a backend API that validates tokens retrieved via Firebase auth (https://firebase.google.com/docs/auth). Firebase auth is (mostly) a middleware to other providers rather than an identity provider itself, so it abstracts away the complexity of supporting oauth2 for multiple IDPs directly.

Firebase auth, while being a middleware, does issue its own OIDC tokens and does seem to implement a valid OIDC backend (i.e. .well-known/openid-configuration does return a valid response). But since I didn't see any way to get Insomnia to issue Firebase auth tokens, I was trying to use the underlying identity provider directly -- in my case Google. I would then have changed my backend to accept either Firebase tokens directly, or to convert the Google token into a Firebase token via some middleware (I hadn't gotten around to knowing if that was even possible yet because I ran into this issue first).

So my ideal situation would actually be that Insomnia supports Firebase auth directly.

Sorry for the convoluted response, but does that help?

rocketraman avatar Jun 04 '21 14:06 rocketraman

I've used firebase auth (to great success!) so I think I understand what you're trying to do. This is helpful that you describe it because I would, frankly, also expect it to work with firebase auth like you're trying.

I don't have an immediate response on this, but I want you to know that we're aware of this and will look into it, although I cannot provide an estimate.

On a personal note, I want this to work just for my own use, if nothing else, haha.

dimitropoulos avatar Jun 04 '21 15:06 dimitropoulos

Sounds good, thanks. In the meantime unfortunately the only workaround I see is setting the bearer token manually, but I'm open to suggestions.

rocketraman avatar Jun 04 '21 17:06 rocketraman

Orixas may help us.

AlexandreLage avatar Jun 05 '21 03:06 AlexandreLage

The problem looks similar to what Postman had - related to the version of the internal browser that Insomnia is using which is older and some REST APIs are blocking it (like Google). Maybe possible solutions would be updating it to latest version or similar approach to Postman - introducing an option to use the default browser of the system.

popovanastas avatar Jun 10 '21 19:06 popovanastas

I can verify that what @popovanastas said is probably the issue. I was seeing it with Auth0. When using Postman though, I can't use their baked-in browser or I get the same error...

dixonwille avatar Jul 29 '21 06:07 dixonwille

The problem looks similar to what Postman had - related to the version of the internal browser that Insomnia is using which is older and some REST APIs are blocking it (like Google). Maybe possible solutions would be updating it to latest version or similar approach to Postman - introducing an option to use the default browser of the system.

I came here to propose the same option :-)

The default browser (or last used browser window) would be a very good option for me too. Due to company policies, I can only use a specific browser (version) to create tokens.

Jandev avatar Feb 16 '24 12:02 Jandev

I highly recommend you prioritize this issue, because this is unusable. [image]

ththiem avatar Apr 02 '24 22:04 ththiem