"Policy_enforced" error when exchanging oauth2 token for google plus

Our app worked great until last Tuesday. We kept getting a "policy_enforced" error when exchanging the OAuth2 token for Google Plus. Response from Google:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException: 
Error:"policy_enforced", 
Description:"Access denied by a security policy established by the Google Apps administrator of your organization. Please contact your administrator for further assistance.", 
Uri:""

      

We are using google-api-dotnet-client and the code is simple enough.

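using System.Threading;
using Google.Apis.Auth.OAuth2.Flows;

// Build the authorization-code flow with our client credentials and custom token store.
var flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
    DataStore = new CustomGoogleDataStore(),
    ClientSecrets = new global::Google.Apis.Auth.OAuth2.ClientSecrets { ClientId = client.ID, ClientSecret = client.Secret },
    Scopes = scopes.Split(' '), // scopes is a space-separated string
});
// Exchange the authorization code for tokens; guid is the user key the token is stored under.
var token = flow.ExchangeCodeForTokenAsync(guid, code, redirectUri, CancellationToken.None).Result;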

      

Scopes:

"https://www.googleapis.com/auth/plus.login",
"https://www.googleapis.com/auth/plus.profile.emails.read",
"https://www.googleapis.com/auth/plus.me",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/userinfo.email",
"https://mail.google.com/"

      

This issue happens randomly. Now I cannot find a way to reproduce it 100%.

Please let me know what the problem is and any suggestion is appreciated.

+3

1 answer


I faced the same problem lately. After contacting the Google team, we found that this issue was due to a mismatch between the permitted scopes and what we ask for during login. We used the latest scopes, profile and email, when the user logs in. But in the GAM API Console, Google hard-coded the deprecated scopes:
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email

After reverting the latest authority scopes to the deprecated registration scopes, it works fine.



+1
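
A pre-flight check for the mismatch described in the answer, as an added example that is not part of the original post or of google-api-dotnet-client: it compares the scopes an app requests, as literal strings, against an allowlist before the code exchange. The class name, the allowlist contents and the requested scope string are constructed for illustration; the pairing of `profile`/`email` with the `userinfo.*` URLs follows the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class ScopePolicyCheck
{
    // Short scope names paired with the deprecated URL forms named in the answer.
    static readonly Dictionary<string, string> LegacyForm = new Dictionary<string, string>
    {
        ["profile"] = "https://www.googleapis.com/auth/userinfo.profile",
        ["email"]   = "https://www.googleapis.com/auth/userinfo.email",
    };

    // Returns one finding per requested scope that is not literally in the allowlist.
    public static List<string> Check(IEnumerable<string> requested, ISet<string> allowed)
    {
        var findings = new List<string>();
        foreach (var scope in requested.Select(s => s.Trim()).Where(s => s.Length > 0).Distinct())
        {
            if (allowed.Contains(scope)) continue;
            // Look up the other spelling of this scope (short -> legacy, or legacy -> short).
            string other = LegacyForm.TryGetValue(scope, out var legacy)
                ? legacy
                : LegacyForm.FirstOrDefault(kv => kv.Value == scope).Key;
            findings.Add(other != null && allowed.Contains(other)
                ? $"{scope}: not allowed as written; allowlist has '{other}'"
                : $"{scope}: not in allowlist");
        }
        return findings;
    }

    static void Main()
    {
        // Constructed allowlist, standing in for what the domain administrator permits.
        var allowed = new HashSet<string>(StringComparer.Ordinal)
        {
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/userinfo.email",
            "https://www.googleapis.com/auth/plus.login",
        };
        // Constructed request: the short names plus one scope the allowlist lacks.
        var requested = "profile email https://www.googleapis.com/auth/plus.login https://mail.google.com/".Split(' ');

        foreach (var finding in Check(requested, allowed)) Console.WriteLine(finding);
    }
}
```

Logging these findings next to any `policy_enforced` response shows whether the denial lines up with a scope spelling difference or with a scope the allowlist does not contain at all.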

