“policy_enforced” error when exchange oauth2 token for google plus

Submitted by 拈花ヽ惹草 on 2019-12-22 10:07:55

Question


Our app used to work fine until last Tue. We kept getting a "policy_enforced" error while exchanging an OAuth2 token for Google Plus. The response from Google is:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException: 
Error:"policy_enforced", 
Description:"Access denied by a security policy established by the Google Apps administrator of your organization. Please contact your administrator for further assistance.", 
Uri:""

We're using google-api-dotnet-client and the code is straightforward enough.

var flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
    DataStore = new CustomGoogleDataStore(),
    ClientSecrets = new global::Google.Apis.Auth.OAuth2.ClientSecrets { ClientId = client.ID, ClientSecret = client.Secret },
    Scopes = scopes.Split(' '),
});
var token = flow.ExchangeCodeForTokenAsync(guid, code, redirectUri, CancellationToken.None).Result;

The scopes are:

"https://www.googleapis.com/auth/plus.login",
"https://www.googleapis.com/auth/plus.profile.emails.read",
"https://www.googleapis.com/auth/plus.me",
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/userinfo.email",
"https://mail.google.com/"

This issue happens randomly. Until now I cannot find a way to 100% reproduce it.

Please let me know what this issue is and any suggestion is appreciated.


Answer 1:


I faced the same problem recently. After contacting the Google team, we found this problem occurred because of a mismatch between the authorized scopes and what we are requesting at login time. We used the latest authorization scopes, profile and email, at user login. But in the GAM API console Google hardcoded the deprecated scopes:
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/userinfo.email

After reverting the latest authorization scopes to the deprecated scopes, login works fine.
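
An added example (not part of the original question or answer, and not google-api-dotnet-client code): a pre-flight check that compares the scopes an app is about to request with the list an administrator has authorized, flagging the short-form versus long-form mismatch the answer describes. `ScopePreflight`, `Check` and the sample authorized list are hypothetical; the real list would come from your own admin console configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: all type and member names here are hypothetical.
public static class ScopePreflight
{
    // The two spellings the answer contrasts: short form -> deprecated long form.
    private static readonly Dictionary<string, string> Equivalent =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["profile"] = "https://www.googleapis.com/auth/userinfo.profile",
            ["email"] = "https://www.googleapis.com/auth/userinfo.email",
        };

    // Returns one finding per requested scope that is not authorized verbatim.
    public static List<string> Check(string requested, IEnumerable<string> authorized)
    {
        var allowed = new HashSet<string>(authorized, StringComparer.Ordinal);
        var findings = new List<string>();
        var scopes = requested.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var scope in scopes.Distinct())
        {
            if (allowed.Contains(scope)) continue;
            // Look for the other spelling of the same scope in the authorized set.
            var other = Equivalent.TryGetValue(scope, out var longForm)
                ? longForm
                : Equivalent.FirstOrDefault(p => p.Value == scope).Key;
            findings.Add(other != null && allowed.Contains(other)
                ? $"{scope}: not authorized, but equivalent '{other}' is"
                : $"{scope}: not in the authorized scope list");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: the admin authorized the deprecated forms,
        // while the app requests the short forms plus the Gmail scope.
        var authorized = new[]
        {
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/userinfo.email",
        };
        foreach (var finding in Check("profile email https://mail.google.com/", authorized))
            Console.WriteLine(finding);
    }
}
```

Running the check before building the `Scopes` array surfaces a mismatch at deploy time instead of as a `policy_enforced` failure during the token exchange.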



Source: https://stackoverflow.com/questions/25508740/policy-enforced-error-when-exchange-oauth2-token-for-google-plus
