Setting up Oauth2 service Google

by Richard van Iwaarden -
Number of replies: 28

I have set up Google Oauth 2 in the past several times. However, I wanted to do this again today and could not do it.

Reason is mainly that the documentation is too old. Everything at Google has changed. I used this documentation: https://docs.moodle.org/39/en/OAuth_2_Google_service

Would anyone be willing to update this? Does anyone know a step-by-step procedure for setting this up?

Hope this documentation can be updated so it's useful again.

In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Emma Richardson -
Well, if you figure it out, you could update it!!! I did not think it had changed that much - where are you getting stuck?
In reply to Emma Richardson

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Hi Emma!
Have you checked Google yet? Everything, every screen, every step is completely changed. Also you need to supply a lot more information now (like privacy statements of your organisation etc.)
I have not yet succeeded in setting this up. It also seems Google needs to manually verify steps which will take time.
Just have a look at it. Take a new Moodle and set it up from scratch... you will see the documentation is about 10% correct.

And how about this from Google?

Security Checkup

Security Checkup might show your app as risky and unverified. When an app is “unverified,” it has not fully completed the OAuth app verification. Depending on the sensitivity of the data being requested, verification might require several months for the app to complete.


In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Would think one needs to get the web interface working first before testing with the moodle app.

Yes, it's a little different ... there are 3 tabs across the set up of Google IAM. All three must be completed. You mentioned terms of service and privacy statement. I have made those static web pages (.html) and use the same ones for the sandbox sites (3.5->310) all of them have Google working. I cheated there and 'borrowed' a tos.html and privacy.html page from an organization for education ... changing the appropriate names/references in the borrowed pages to mine.

One of the tabs has to do with verifying that you own the server/domain via DNS. They offer adding a txt record to your DNS for the moodle or, perhaps easier and don't have to include DNS server admin, is the option to verify ownership via an HTML file at the root of the site ... ie, moodle code.

They don't provide the HTML file ... just describe ... like name it with 'stringname.html' and contained therein a one liner with what appears to be the same verification string.

The other thing I do which in docs say isn't necessary, I have a Google System account to use with IAM.  In the checks for setup, 'System Account Connected' ... which has to be the same one used when first setup.

In versions of Moodle <-310 I have such a system account.  On a 310 I don't have that setup and it works anyway.

Do you get the login screen that comes from Google?  (that shows something like the following)

The  SOSSIG in above screen clip is the name of the IAM I am using.

Can PM you some links to these sandbox sites so you can try them out just to see how they work.   I'll remove your test accounts after you let me know. ;)

As far as keeping docs up to date ... one can edit them. Will say that I'm not gonna volunteer to do that ... besides ... Google has been known to change things. :| I already have a job and enough to do. :)

'SoS', Ken


In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Thanks again Ken for all your useful information.

I have set it up this far:



When clicking on 'advanced' I can continue, but unverified.

I do not understand the message: the title says 'Google did not verify this app'. However, the text below says that I have not verified the app. So which one is it?

And how do I verify the app?

As for documentation: I'm not native English. The language used by Google is not the easiest English for non-natives. When translated to Dutch it reads like a bad Google translate language.

And furthermore: I'm extremely impatient and after about 30 seconds of reading hard-to-understand English I lose patience and start clicking away. Trial and error. That makes a very bad manual for someone to follow.
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Know things can get frustrating ... and that includes future endeavors ... but step back a minute and take some time away from it.   I used to have an exit door from my server room that opened to an outside walkway and I would step out there from time to time and scream or shout to release frustration.  After pausing and reflecting, back to thinking what to try next, and after becoming more calm, back to keyboard.

This 'haste makes waist' ... is true! ;)

Question: do you have a Google Edu domain? I see what looks to be a personal email .biz domain. Your .biz and an entity's Google Domain aren't same .... how about setting up a system account in Google ... using your entity's email address ... the stuff after the @ - or if you don't have a Google Edu a gmail address of some sort controlled by the entity ... not personal.

dig vaniwaarden.biz -t MX doesn't exist in DNS.

Maybe that's why can't verify??

dig vaniwaarden.biz does - and shows an IP address that appears to be a virtual system (webhostingserver.nl) and does have smtp port (25) open but don't think anything Google talks port 25 ... in or out.

Now onto other responses.

'SoS', Ken

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Hi Ken!
We don't have a Google Edu domain. Vaniwaarden.biz is a personal server, but has nothing to do with this. I'm trying to get things started on learn.hz.nl which is the Moodle installation at our University.

BTW: I also have a direct door to the outside here. It helps from time to time :)
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

In looking at my setup (not a google edu), towards the bottom this info.


That appears to be what you are seeing.

As you saw by other shared screen shot, my server setup is not for an entity ... and I have a 100 user cap ... of which I have used 24 users.   I have on one server an instance for a 3.5, 3.6, 3.7, 3.8,  3.9, and 3.10 and I have two accounts using Google Oauth in each of those instances.  Have also a GCE instance of a moodle - it also has 2 gmail domain users set up to admin the moodle and use Google Oauth2 for the authentication app (consent).

'SoS', Ken

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -

Found some more info out here, trial and error. I have to add 'scopes' (whatever they are).

How do I know which 'scopes' to add?


In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Is that a Google Edu domain?

Looks like you have active Google Drive ... which is what you need to have turned on and available in the setup to use Google Files in Moodle ... which won't be typical links such as somefab.doc ... but url's, me thinks.

In set up of Moodle for Oauth2 using Google ... where you enter secret/keys
There are 2 boxes for scopes.
Default for both are: openid profile email
** for drive add a URL: https://www.googleapis.com/auth/drive

Saw that in Moodle docs somewhere and at one time in past.   Appears to work. ;)

'SoS', Ken

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Yes, that worked perfectly for me in the past. But now, if you want to use the auth/drive api from Google, you need to give them a lot of information. I'm still in this process. Even the documentation Google has sent me does no longer match the current interface. That's what you get if you change it constantly I guess.

I have had this working in the past, even for learn.hz.nl. It was pretty easy to set up. Now this has become horrible. Nothing to do with Moodle though, it's all Google.
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Use the same API project you had used for learn.hz.nl before?

What email address had that been associated with?  I would assume an hz.nl address - something used for network/server for your entity ... not for an individual/personal (.biz).   Reason being ... you might leave hz.nl and the new person responsible for the Moodle needs access to that API project.

I once got involved with a K12 entity that had a moodle and wanted to use Google's Oauth2. In order to do that where it stayed in control of the entity, I had the admin of that K12 entity set me up with a Google Admin level for their Google Edu - thus had a ktask@entity email address which was under the entity's control.

The app really is just the authentication.

'SoS', Ken




In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -

Use the same API project you had used for learn.hz.nl before?

Yes, that was also my idea so I'm doing that now. That's also the reason that I used my @biz address, I'm sure it has been working with this mail address before.

I could do it with my @hz mail address, but then I really need to start from scratch.

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -

Well... to add more headache: I need to make a YouTube video in English explaining what I want:


Are you serious Google? All I want is my students to be able to upload something from Google Drive...

In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Don't need YouTube.   Can upload videos ... webm, mp4 and one can link to them in Moodle.

https://drive.google.com/file/d/0B5gmU8YqbNJQdHRxMDdQXzRJZ2M/view?usp=sharing

'SoS', Ken

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Ken, that's not the point. They want me to record a video in which I show why I need to use Oauth, how I need to use it, how I connect this to Moodle, etc. It's for verification/monitoring what I'm doing.
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Vaniwaarden.biz is a personal server, but has nothing to do with this

This: https://moodle.org/mod/forum/discuss.php?d=416645#p1679041
shows you are trying to set up an app and the .biz address is shown.

Mind sharing what links Google provided you?

https://docs.moodle.org/310/en/OAuth_2_Google_service

shows 2 tabs of 3 .. the one missing from the moodle doc is Domain Verification

In the link above:

App verification

NOTE: If you are just using this for document conversion you will not need to verify (as it only uses one account). You will, however, need to verify your ownership of your domain (see, [1])
The Google Drive repository and Google Drive converter also require the app to be verified by completing the OAuth Developer Verification Form. The list of scopes that Moodle requires are:

openid profile email https://www.googleapis.com/auth/drive


https://support.google.com/code/contact/oauth_app_verification


'SoS', Ken

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -

Google has sent me this:


Step 3 is not correct: there's no option 'Credentials' on the 'Oauth Consent Screen'.

These are separate menu items:



More annoying: neither the page 'credentials' nor the page 'Oauth consent screen' allow me to enter a homepage URL (as stated in instructions)

Credentials page:




Oauth consent screen:



'the Learn more' link just goes to instructions....

In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

If I am understanding Google ... your moodle site is at the root of that web server.  All must login before seeing anything ... including Google to check for terms of service, privacy, and domain confirmation pages.

So ... suggestion ... use Custom Menus at the top of the front page. Those show logged in or not. Google can and will follow them.

Custom menu item: TOS (terms of service) points to a static (not part of Moodle content) html page: tos.html.   That file is directly accessible by anyone: https://site/tos.html .... Google can access.

Do same for privacy.html and the google domain verification file which is something like wqerasdhiwerawdh.html.

In Google config ... https://site/tos.html ... https://site/privacy.html

The contents of those static pages would have to be reviewed by your 'legal beagles'/admins of entity, etc. and approved am sure, but Google happy/Entity Powers that Be happy, you are happy (that it works) and students as well.

A bit more sharing ... I have my moodles in directories ... but the tos.html and privacy.html and googleverification page is at document root along with a static page for navigating the site to the various sandbox moodles that do use Google Oauth2.

The one thing you would have to remember when updating or upgrading,  since your code is @ doc root is to copy config.php/plugins etc. AND the static pages back into code root.

Fingers crossed!

'SoS', Ken


In reply to Ken Task

Re: Setting up Oauth2 service Google

by Ken Task -

Follow up ... you didn't mention but a big factor ...

Your site is forcing to a SAML page for logging in via another server @ fs.other.nl

You have plenty of room in the 'big blue square' of that page for links to static pages for TOS, Privacy, and Google domain verification back on the moodle server itself.

Google should be able to see those, follow those, and thus you get those items Google requires 'checked off'! :)

'SoS', Ken

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Good point, but I have no control over the SAML page. It logs in to many applications, not just Moodle, the only thing I was allowed to add was the text bottom right for external Moodle users (the ones that don't do SAML)
In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
Hi Ken,

If I am understanding Google ... your moodle site is at the root of that web server. All must login before seeing anything ... including Google to check for terms of service, privacy, and domain confirmation pages.

I fixed this by making the links to the privacy & terms of use all to www.hz.nl. This has the privacy-statement for our organisation.

The google verification posed no problems, I've put it in learn.hz.nl which worked perfectly. So domain is verified.

Still... Google does not allow my connection. 'App' (read: learn.hz.nl) remains unverified.


In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Emma Richardson -
Oh I do remember all that now. It did take time for Google to verify but it did work in the meantime (just unverified).
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -

I'm at the point of giving up on this after receiving yet another mail from Google:


Hi,

Your app needs to follow some extra requirements so you can continue with verification. Please reply directly to this email when your app meets all of these requirements:

Privacy Policy Requirements

Under the Google API Service: User Data Policy, your privacy policy must follow these guidelines: 

  • The privacy policy is hosted by the domain of your website.
  • The privacy policy is accessible from the app’s home page.
  • The privacy policy is visible to users.
  • The privacy policy is linked to the OAuth consent screen on the Google API Console 
  • The privacy policy and in-product privacy notifications clearly describe the way your application accesses, uses, stores, or shares Google user data. 
  • The way you use Google user data is limited to what you've described in your privacy policy.
  • The privacy policy contains verified domains and accessible URL links.

App Demonstration Video

Respond directly to this email with a YouTube video link that meets these requirements:

  • Video is publicly accessible.
  • OAuth Consent Screen is in English.
  • OAuth Consent Screen shows the App Name.
  • URL bar of the OAuth Consent Screen fully displays the Client ID in your project which contains the project_number (This is not required for native Android and iOS apps).
  • Video shows the OAuth grant process that users will go through.
  • Video shows how the data will be used by showing functionality for each sensitive and restricted scope you've requested.
  • Video shows how data is accessed on each OAuth client.

Extra App Demonstration Video Tips

  • If any of your OAuth clients are not ready for production, you should delete or remove them from this project. You can do this in the Google Cloud Console
  • If your app requires registration or has a local login: 
    • Please whitelist or authorize our test email account oauthtest121@gmail.com - this will let us test your app’s functionality.
    • OR provide us with the username and password of a test account.
  • You do not need to be personally visible in the demo or narrate the video. Demonstrating the process from the keyboard/screen view is fine.
  • If you cannot fulfill the above requirements because users are currently seeing the "Sign in disabled" screen, make sure you provide us with an email address so that we can temporarily disable the warning screen, allowing you to demonstrate all of the above video requirements.
  • If you cannot fulfill the above requirements because your app is an add-on that has not yet been published to the GSuite Marketplace, please reply to let us know. 

You must follow these requirements to continue with verification. If you don't follow these requirements, we may have to reject your request.

You can find more information in the OAuth Application Verification FAQ.

To make sure we don't miss your messages, reply directly to this email to continue with the verification process.  Any new email sent to api-oauth-dev-verification@google.com won't go to our team.

 

Thanks,

The Google Cloud Trust & Safety Team


I'm not willing to create a video for this and upload it to youtube. Too bad, this used to work pretty easy...

No Google-Drive for us. We will stay on Microsoft.

In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Ken Task -

Shame!  So gonna stay with the Microsoft 'kraken' and not change to/add the Google 'kraken' ....

This item:

The privacy policy is hosted by the domain of your website.

'domain' mis-understanding ... 'website' mis-understanding?

top level domain .... hz.nl

learn.hz.nl is a subdomain of top domain ... technically DNS wise ... for practical purposes (and for Google) consider 'learn' to be a host or a server ... ie, your 'learn', but it is a domain.   learn is the only host in that subdomain.  One could have, if they wanted to, a moodle2.learn.hz.nl.

www.hz.nl is also a subdomain of top level domain ... practical ... a host or server.  www historically the 'web site'.  Many folks today, just use top level domain and have dropped the 'www'.

Translation: Privacy Policy is hosted by the domain of your 'moodle' site ... learn.hz.nl ... and not www.hz.nl.

Same with terms of service, 'domain' verification file ... has to be on learn.hz.nl and not another server.

From that point forward (hosted by the domain of your website), because files not on your learn.hz.nl, the rest of the requirements go astray and thus ... domino effect .... failure to verify, etc. and eventually leads to the requirement for the video.

'SoS', Ken
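
The reading given in the post above (policy, terms and verification pages served from the Moodle host itself and visible without logging in) can be checked before a verification request is submitted. This is an added example, not part of the original thread and not Google's own check; the `check_links` helper, the page paths and the stubbed responses are constructed for illustration, and only the host names come from the thread.

```python
"""Pre-flight check for the links entered on an OAuth consent screen.

Added example; it implements the reading given in the post above,
not Google's actual verification logic.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make 3xx responses surface as HTTPError instead of being followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url, timeout=10):
    """GET url with no cookies; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def check_links(app_home, links, fetch=fetch_anonymous):
    """Return [(label, problem)] for every link that fails a check."""
    app_host = urlsplit(app_home).hostname
    problems = []
    for label, url in links.items():
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append((label, "not served over https"))
            continue
        # Same host as the app, not merely the same organisation.
        if parts.hostname != app_host:
            problems.append(
                (label, f"hosted on {parts.hostname}, not {app_host}"))
            continue
        # A forced-login site answers anonymous visitors with a redirect.
        status, location = fetch(url)
        if 300 <= status < 400:
            problems.append(
                (label, f"redirects anonymous visitors to {location}"))
        elif status != 200:
            problems.append((label, f"returned HTTP {status}"))
    return problems


# Constructed sample: hosts from the thread, paths invented for the example.
APP_HOME = "https://learn.hz.nl/"
SAMPLE_LINKS = {
    "privacy policy": "https://www.hz.nl/privacy",
    "terms of service": "https://learn.hz.nl/mod/page/view.php?id=1",
    "domain verification": "https://learn.hz.nl/google-placeholder.html",
}


def sample_fetch(url):
    """Stub standing in for the network (constructed responses)."""
    responses = {
        "https://learn.hz.nl/mod/page/view.php?id=1":
            (303, "https://learn.hz.nl/login/index.php"),
        "https://learn.hz.nl/google-placeholder.html": (200, None),
    }
    return responses[url]


if __name__ == "__main__":
    found = check_links(APP_HOME, SAMPLE_LINKS, fetch=sample_fetch)
    for label, problem in found:
        print(f"{label}: {problem}")
```

Dropping the `fetch=` argument makes the same function issue real cookie-less requests against a live site.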

In reply to Ken Task

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
I have one more idea. I think we have an old, unused, G-suite for hz.nl.
Let's see if that works better than my vaniwaarden.biz

Also, if you have G-suite you can make it an 'internal' app. That makes less hassle.

It's weird things have changed that much. Like I said, I have done this numerous times with Google. Never had much trouble. I think two years ago I used their pdf-conversion using Google Drive (and my vaniwaarden.biz account). No problems at all.

Must be the strict GDPR in EU?
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Jason Hollowell -
Richard, all,

Wow! I ran into the same hurdle today after having had to migrate a Moodle site to a new domain. I'm now frazzled and frustrated to the extent that I think I'm just going to give up on Google and be satisfied with OneDrive and Dropbox repositories. What a ridiculous pain in the (*&^. I'm not sure that I understand why Google thinks it is necessary to make the process so convoluted and confusing.

For example, I get the message:

"Verification not required

Your consent screen is being shown, but your app has not been reviewed so your users may not see all of your information, and you will not be able to request certain OAuth scopes. Learn more"

So if "verification is not required" what in the world is "review" and who accomplishes the review process? A document I found somewhere else, in the myriad of circularly linked help documents Google has provided, indicates that I have to review the app....by clicking on "Edit App" which I did. I then navigate through that process checking that all necessary fields are filled....add all non-sensitive scopes because adding others, I'm told by their documentation, results in the need for verification....go to the end "Option info" section where I don't enter anything...because it's optional, right :) and click on "Save and continue".

Still get the "Google hasn't verified this app" message...even though Google tells me verification is not required (see above). I can of course allow the exception and things work fine but I cannot ask or expect my students to add exceptions...

I'm giving up for now. Maybe I'll come back again when I have more energy and patience. ;)

Cheers
Jason
In reply to Jason Hollowell

Re: Setting up Oauth2 service Google

by Richard van Iwaarden -
I have given up on it as well.
In reply to Richard van Iwaarden

Re: Setting up Oauth2 service Google

by Fayçal Belab -

Hi all,

We have been trying to obtain the Oauth2 consent for our platform offeaze.co

We are currently using 2 of the services 'Sign Up' + 'Google API Calendar' provided by Google and were unable to validate our App with Google even though we exchanged more than 10 videos.

Every time they revert back to us, they ask us for different information (that sometimes were NEVER requested) and we are unable to get a call to talk to a human there to assist us. 
It feels we have each time a different person jumping in the conversation bringing a different matter on the table. 

I was wondering if any of you could help us with regard to that in order to validate our app. 

Would be happy to jump on a quick video call!

Thanks a lot in advance,

Fayçal