"Sign in with Google temporarily disabled for this app" message

Just hit this problem (I’m in Australia, if it makes any difference). Surprised to learn it’s been going on this long.

Has the CAoS got any Silicon Valley types on the board? Can ya hustle them connections and get this train rolling again lol

Google also has a lot more motivation for someone to hack it though, versus iNaturalist, because it’s a huge target and also has all sorts of financial and personal info well beyond what iNat has. So I’m not sure how that tradeoff really balances out. On the other hand, if someone hacks your Google account I doubt they’ll be using it to log into iNat.

Google has never been successfully hacked (someone guessing or brute force determining an account password is not the same thing as being hacked).

@tiwane if a user creates a standalone account to deal with this, and the Google issue is then resolved, can that account and login be removed from the site without causing the loss of all your data?

That we know of. And of course you have to trust Google, which I do trust for a lot of things but honestly, trust way less than I trust Ken-Ichi, Scott, etc. But… I am not trying to say your decision is wrong at all! And I’ve kind of accepted Google as an overlord anyhow.

Any hacker who broke into Google would be crowing (sly nature reference) like crazy about it. Google may or may not try to hide it, but the person who did it would be claiming it all over the place for the cred.

Really? I think it would be super powerful to just lay low and use the data. It depends on what sort of hacker and why. But sorry… I am roaming way off topic here. Hopefully this issue is fixed for those who want to log in with Google.

Assuming you successfully hack someone, eventually you need to do one of 3 things before the company figures it out and closes the hole: use the data, sell the data, or contact the company and try and either extort them or collect a bug bounty. For the folks skillful enough to hack a company of that size, just having the data sitting on their hard drive does nothing.

Who’s to say they aren’t using it?

I’ve got the same issue.
Logging in with my Gmail credentials via Firefox from Southeast Asia generates the error with no other content on the page. Logging in using my iNat password works fine.

1 Like

FYI, I’m working on this, but I’ve had some trouble getting non-robotic support from Google and clarity on whether they need us to verify ownership of domains or merely of content at URLs. So far I think it’s the former, which would mean we could probably get this resolved for inaturalist.org in the next week, but getting it to work for partner sites like inaturalist.ca and naturalista.mx will take a lot longer (these domains are owned by partner organizations so we at iNaturalist / CalAcademy don’t legally own them, and proving “ownership” to Google will require getting all of the partner orgs to make some fussy DNS changes).

Believe it or not, they are also requiring us to change the design of the “Sign in with Google” button. Oi.

2 Likes

@kueda Ken-ichi, can you comment on the question I left for Tony: if a standalone account is created in the interim, when this is resolved, can it be deleted without the cascading delete of all data? I don’t believe there are any user-facing tools that allow this.

If a redesign is needed, I assume we are talking weeks if not months before this can be resolved between design, coding, testing, translation etc.

It can but I’d much prefer that people not do that. If you’re locked out of your account because you have always signed in with Google and have never created an iNaturalist password, the best remedy is to go to https://www.inaturalist.org/users/password/new, enter the email address associated with your Google account, and use the link in the email you receive to create a password. Then you can sign in with your iNat credentials instead of your Google account. Since you seem to be worried about security, use a password that you don’t use anywhere else (really everyone should do this). If our security is compromised to the point that people can hijack user accounts, I seriously doubt having or not having a password on iNat will provide any amount of protection. For what it’s worth, almost all of the security issues we’ve had to deal with through updating third party dependencies have to do with the signing in with another site’s credentials, so if you’re trying to be very cautious about account security, I’d focus that concern on the fact that you sign in with Google.

4 Likes

Today in tech absurdity:

They are seriously asking us to provide a video of functionality that doesn’t work because they disabled it. Excuse me while I find a literal wall to slam my head into.

7 Likes

Is there any update on a fix? I find this error rather embarrassing to iNaturalist, it sends the message of being a fraudulent app that Google doesn’t want its users to go to.

I can now sign in with Google again. Whatever you’re doing behind the scenes is working :)

I still can’t :expressionless::unamused:

Hey Ken-ichi! Thanks for slamming your head into walls for us on this - those of us frustrated by not being able to log in for the past 3 weeks really appreciate your efforts!

As mentioned in a duplicate track, the SSO bug resurrected again. For two weeks I had no issue with access to iNaturalist.
https://forum.inaturalist.org/t/howto-change-the-google-sso-to-a-native-inaturalist-login/8247

Ok, after a long struggle, this should now be working again, with the caveat that we’re including the Google Photos permission even on sign in, which is going to look scary to some people. I needed to do this to get that permission approved for anyone who’s still trying to import photos from Google Photos. I’ll see if we can support sign in without it.

Also, small editorial: while signing in with third parties is convenient, I don’t think it’s a great idea, personally. The degree to which third parties like Google and Facebook verify site authenticity varies widely (Google: “you have to control the domain”, Twitter: “whatever, just paste in whatever URL we should redirect people to”), and none of them really make it clear how much access the service you’re authorizing really has. For example, the Google confirmation screen doesn’t make it clear that we get access to your email address, name, and profile pic. We need all that stuff, and it would be nice to have an opportunity to explain why on that screen, but it’s totally unclear to the person signing in. Way back when, Facebook used to expose all your friends when you granted this kind of sign in permission (they don’t anymore), which was SUPER creepy and also completely not obvious to the person signing in. Add to all this the many security vulnerabilities that have popped up over the years in some of the software that mitigates this process, and the vulnerability of losing access to all kinds of services just by getting locked out of one service, and you’ve got a generally not great situation. I understand the belief that Google can protect your privacy better than iNat can (I think that belief is well-founded), but I think the best response to that is to use a unique and strong password for your iNat account. Ok, end rant.

5 Likes
