Issue
Background
I have an EC2 instance hosting a website. The website uses Google's OAuth2 API for validation (aka Google Identity Platform).
The instance has a public DNS something like http://ec2-99-99-99-99.compute-1.amazonaws.com.
That url is added to the 'Authorized JavaScript origins' section in the Credential management portal.
Going back to the client side, users authenticate using the Google Login button widget.
The Problem
The Google widget fails when it tries to list the different login options. For fresh logins it looks like this:
Examining the network panel reveals this call fails:
https://accounts.google.com/o/oauth2/iframerpc?action=listSessions&client_id=...&origin=http%3A%2F%2Fec2-99-99-99-99.compute-1.amazonaws.com&scope=openid%20profile%20email&ss_domain=http%3A%2F%2Fec2-99-99-99-99.compute-1.amazonaws.com
{
"error" : "invalid_request",
"error_description" : "Permission denied to generate login hint for target domain."
}
Investigation Notes
- It is not an SSL issue as other urls like http://localhost:9000 work fine.
- It is not an issue with the redirect_uri because other urls work fine without it.
Solution
It would appear that, for whatever reason, Google specifically does not like the default instance urls constructed by amazon.
Our solution was to use a new custom domain pointing to our ec2 instance like: http://something.anotherdomain.com.
Answered By - jmathew Answer Checked By - Clifford M. (WPSolving Volunteer)
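As an added example that is not part of the question or the answer above, the Python script below turns the investigation notes and the accepted fix into a pre-flight check for a candidate 'Authorized JavaScript origin', and adds a small helper that pulls the origin and ss_domain parameters out of the failing iframerpc request seen in the network panel. The list of shared-infrastructure hostname suffixes, the IP-literal and plain-http warnings, and the placeholder client_id are assumptions I made for the example; they are not Google's documented validation rules.

```python
# Added example (not from the thread): pre-flight checks for a candidate
# 'Authorized JavaScript origin' plus a helper that reads the failing
# iframerpc request seen in the network panel. The shared-suffix list and the
# warning rules are assumptions, not Google's documented validation.
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed list. The thread's case is a *.compute-1.amazonaws.com instance
# hostname; the other two entries are assumed examples of the same pattern
# (provider-issued names under a parent that many unrelated tenants share).
SHARED_HOST_SUFFIXES = (
    ".compute-1.amazonaws.com",
    ".compute.amazonaws.com",
    ".elb.amazonaws.com",
)

LOCAL_HOSTS = ("localhost", "127.0.0.1")


def check_js_origin(origin: str) -> dict:
    """Classify problems with a candidate origin.

    'errors' are things the thread shows will not work (or that are not an
    origin at all); 'warnings' are deployment-hygiene points (assumptions,
    not blockers: the thread's own fix used plain http).
    """
    errors, warnings = [], []
    parts = urlsplit(origin)

    if parts.scheme not in ("http", "https"):
        errors.append("scheme must be http or https")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        errors.append("an origin is scheme://host[:port] only; drop the path, query and fragment")

    host = parts.hostname or ""
    if not host:
        errors.append("missing host")
        return {"errors": errors, "warnings": warnings}

    if host.endswith(SHARED_HOST_SUFFIXES):
        errors.append(
            f"{host} is a provider-assigned name under a shared suffix; "
            "point a domain you control at the instance and register that instead"
        )

    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, which is what we want
    else:
        if host not in LOCAL_HOSTS:
            warnings.append("IP-literal host; use a DNS name so the origin survives instance replacement")

    if parts.scheme == "http" and host not in LOCAL_HOSTS:
        warnings.append("plain http: ID tokens returned to this origin travel in cleartext; serve it over https")

    return {"errors": errors, "warnings": warnings}


def diagnose_iframerpc(url: str) -> dict:
    """Extract origin/ss_domain from a failing listSessions request and check the origin."""
    qs = parse_qs(urlsplit(url).query)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    origin = first("origin")
    return {
        "action": first("action"),
        "origin": origin,
        "ss_domain": first("ss_domain"),
        # ss_domain mirrors origin, so fixing the registered origin fixes both
        "same_value": origin == first("ss_domain"),
        **check_js_origin(origin),
    }


# Constructed copy of the thread's failing request, with the client_id replaced
# by a placeholder.
FAILING_REQUEST = (
    "https://accounts.google.com/o/oauth2/iframerpc?action=listSessions"
    "&client_id=CLIENT_ID_PLACEHOLDER"
    "&origin=http%3A%2F%2Fec2-99-99-99-99.compute-1.amazonaws.com"
    "&scope=openid%20profile%20email"
    "&ss_domain=http%3A%2F%2Fec2-99-99-99-99.compute-1.amazonaws.com"
)

if __name__ == "__main__":
    for candidate in (
        "http://ec2-99-99-99-99.compute-1.amazonaws.com",  # the thread's failing origin
        "http://localhost:9000",                           # worked in the thread
        "http://something.anotherdomain.com",              # the thread's fix
        "https://example.com/oauth/callback",              # a redirect URI, not an origin
    ):
        print(candidate, check_js_origin(candidate))
    print(diagnose_iframerpc(FAILING_REQUEST))
```

Run it before registering an origin in the credentials console: an entry in "errors" means the origin will fail the way the question describes (or is not an origin at all), while "warnings" only flag the plaintext-token and IP-literal issues a reviewer would raise for production.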