59

I'm trying to set up a web service that needs the user's Google Latitude info, so I'm using Google OAuth to get the user authorization stuff.

However, when trying to set the redirection URI in the Google APIs Console for a web application client ID, I get an error message if I try to set it to 'http://PUBLIC_IP/'.

I need to test it with non-local users (thus localhost can't be used), so I would like to know if having a web domain is mandatory in order to use Google's OAuth. If not, how can I solve this issue?

jgg

9 Answers

60

This is not currently supported. I filed a feature request and will update on progress.

Update: Essential app verification activities have continued to make support of IP address-based apps unlikely. These verification activities are necessary to provide protections against abuse of user accounts. In addition, the cost of setting up dedicated domains has been reduced significantly since this feature was requested. Please read other responses here about possible options.

Cody Gray - on strike
breno
  • 3
    Notably, custom TLDs are also not supported. I would love it if the OAuth could redirect to a URI within my private network, but that does not seem to be supported. Is it confirmed as non-supported? Thanks. – meawoppl Jan 12 '13 at 20:33
  • 2
    Is there a link to the feature request? – tsuna May 04 '15 at 00:43
  • It is December 30th 2017 and public IPs and reserved TLDs still do not work. :( There are reserved TLDs (https://tools.ietf.org/html/rfc2606) and they should be supported to make local development a lot easier. – vee Dec 30 '17 at 16:10
  • 1
    What I'm doing for development is using ssh port forwarding to map a uri that Google OAuth will allow, to the IP address of the server I'm actually using for development. From the server being used as the allowed uri: `ssh -L 8080:localhost:8080 user@`. – theferrit32 Jan 22 '18 at 23:18
  • Google does not have any plans to add public IPs as trusted; simply, they do not trust an IP. There can be many potential threats associated with this, including man-in-the-middle attacks and identity theft. In simple words, you are not the real owner of your IP; you just own it for the time being, and tomorrow it can be in anyone else's hands. – Clain Dsilva May 15 '19 at 11:04
  • @ClainDsilva I can say the same thing about a domain name. For example, my old domain name is now owned by a Japanese person. emirbytes.com. – GeneCode May 19 '19 at 06:08
  • @GeneCode that's a rare possibility compared to an IP. It's impossible to tell if an IP is static or dynamic. When it comes to a domain, you lose the domain if you do not renew it; here you are the reason for the flaw, whereas with an IP the possibilities of a flaw are endless. – Clain Dsilva May 20 '19 at 17:17
54

You can use xip.io to work around it.

For example: '192.168.0.50.xip.io:3000' will resolve to '192.168.0.50:3000'

BAR
  • With this, I could set up a Google Sign-in mechanism for my app during dev. I was able to configure the redirect_uri with my docker-machine IP address. Great! – Johan Chouquet Mar 29 '17 at 10:40
  • I tried your solution. It did the job, but when I'm using Chrome it shows a warning message that the site might be "deceptive" – Va1iant Nov 27 '17 at 08:08
  • 1
    This was working fine for me, but then it didn't. To make it work again I had to whitelist both `http://xip.io` and the xip address with my IP (e.g. `http://192.168.0.50.xip.io:3000`). Mind that the address that you enter in your browser has to be exactly the same as the one you whitelisted. – Adrian Guerrero Aug 29 '18 at 22:19
  • It looks like `xip.io` has changed to `nip.io` – Islam May 11 '23 at 13:44
13

I ran into this issue too and so I entered a URL with a .com extension and also entered it into my /etc/hosts file. Works like a charm.

It totally sucks that my entire app now has to be developed on an apparently 'live' domain though.

Tim Fletcher
  • Same for me. I have `mydomain.com` on a live domain. I have to add `mydomain-localhost.com` to the Windows hosts file and enter this domain in the Google API. That sucks. – vee Dec 30 '17 at 16:12
  • This can work for a single computer in a LAN only. With multiple computers, they cannot access the said URL. – GeneCode Jan 06 '20 at 01:35
7

I used my public hostname. It helps if you have a static IP address. I used http://www.displaymyhostname.com/ to get my hostname. I plugged it straight into the Authorized JavaScript origins field when I created a new Web Application Client ID.

P.S. My hostname looked something like this: 111.111.111.111.static.exetel.com.au

Tyson
  • 1
    Thank you for this answer, it worked for me. I forgot the hostname given by Amazon (http://ec2-..compute.amazonaws.com) should already work, this link gave me that. :) – ciuncan Jul 10 '15 at 22:52
  • @ciuncan I am using AWS Cloud9 and got my hostname from this method but am still receiving the error even though I've added it to both the whitelist and the redirect URI. How did you solve this? I've tried with and without the port – Vincent Nguyen May 08 '18 at 18:03
  • My hostname is just an IP address using this tool. So this cannot work. – GeneCode Jan 06 '20 at 01:22
3

You can use a dynamic DNS. I used ddns.net, which offers a free solution. Basically, you enter your FQDN like this: yourcompany.ddns.net as your domain. When it is looked up for an IP address, the .net domain points to ddns; when ddns.net is looked up, it looks up your company in its database and returns the IP. So mine looks like this: https://wigwam.ddns.net and everything works fine. You don't need to buy a domain, you can substitute your known IP, and Google is happy with that.

Your IP must be static, of course.

Andrew Jay
  • This solution is not good because the DNS will auto-expire every 30 days. – GeneCode Jan 06 '20 at 00:07
  • Anything free cannot be expected to meet any SLA, or be free for very long. The OP needed to test, and this provides that opportunity to do so. – Andrew Jay Jan 06 '20 at 02:30
3

Yes, as of now you still need to have a domain name to use Google OAuth in your application. If you have a static public IP and don't want to buy a domain name, you could use a free subdomain from FreeDNS to link to your public IP. Seemed to work well enough for me with a Django app.

silverox
1

Echoing what Breno said in response to his earlier comment:

Apologies for the lack of updates here. Essential app verification activities have continued to make support of IP address-based apps unlikely. These verification activities are necessary to provide protections against abuse of user accounts. In addition, the cost of setting up dedicated domains has been reduced significantly since this feature was requested. Please read other responses here about possible options.

You can read more about Google's app verification requirements [1] and Google's policies requiring secure handling of data [2].

[1] https://support.google.com/cloud/answer/9110914?hl=en

[2] https://developers.google.com/identity/protocols/oauth2/policies#secure-response-handling

user2705223
1

xip.io is not working anymore. As an alternative, you can use nip.io the same way, for example:
10.0.0.1.nip.io:8000 will resolve to 10.0.0.1:8000
You can use it as a workaround.

Mohcen CH
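
A pre-flight check for the wildcard-DNS workaround in the xip.io and nip.io answers, as an added example that is not part of any answer: it extracts the address that a name such as `192.168.0.50.xip.io` encodes and applies the exact-match rule from the comments. The function names, finding labels and sample URIs are constructed for illustration, the `cleartext` check is an addition, and only the dotted `<ip>.<suffix>` form is handled.

```python
import ipaddress
from urllib.parse import urlsplit

# Wildcard DNS services named on this page: <ip>.<suffix> resolves to <ip>.
WILDCARD_SUFFIXES = ("xip.io", "nip.io", "sslip.io")


def embedded_ip(host):
    """Return the IPv4 address a dotted wildcard-DNS name encodes, or None."""
    host = host.lower().rstrip(".")
    for suffix in WILDCARD_SUFFIXES:
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            try:
                # The last four labels carry the address; earlier labels are a prefix.
                return ipaddress.IPv4Address(".".join(labels[-4:]))
            except ValueError:
                return None
    return None


def check_redirect_uri(registered, requested):
    """Return findings for a registered/requested redirect URI pair ([] = clean)."""
    findings = []
    parts = urlsplit(registered)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip-host")  # the case the question reports as rejected
    except ValueError:
        pass
    ip = embedded_ip(host)
    if ip is not None:
        findings.append("third-party-dns")  # resolution depends on an outside service
        if ip.is_private:
            findings.append("lan-only")  # reachable only from inside that network
    if parts.scheme != "https" and host != "localhost":
        findings.append("cleartext")  # added check: response crosses the network unencrypted
    if registered != requested:
        findings.append("mismatch")  # per the comments, the two must be identical
    return findings


if __name__ == "__main__":
    # Constructed sample pairs (registered URI, URI actually used).
    for pair in [("http://203.0.113.7/", "http://203.0.113.7/"),
                 ("http://192.168.0.50.xip.io:3000/", "http://192.168.0.50.xip.io:3000"),
                 ("https://wigwam.ddns.net/cb", "https://wigwam.ddns.net/cb")]:
        print(pair[0], check_redirect_uri(*pair))
```
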
0

It seems like xip.io is down, but there are alternatives such as sslip.io and nip.io. However, I couldn't get either of these to work.

I ended up hosting the main file server on the main machine, and ran said server on a 192.168.1.xx IP address. I then ran servers on each of the test machines (including a second server on the main machine), all of which were on the localhost address. Any requests that the localhost servers received were then passed off to the 192.168.1.xx server, which allowed testing on all of the devices.

This should also work with public facing IP addresses.

simplexshotz