• Resolved crackajax

    (@crackajax)


    After setting up the Google Mail API and returning to the plugin settings page to click the button, “Allow plugin to send emails using your Google account,” I cannot complete the transaction due to a 403 error on the auth link.

    1) Click the “Allow plugin to send emails using your Google account”
    2) Choose Google account and login
    3) App isn’t verified screen – Click “Advanced” and Go to domain link
    4) Click “Allow” for app to send email on your behalf
    5) The redirect to my site with the query string throws a 403 forbidden error
    6) If I remove the scope parameter (scope=https://www.googleapis.com/auth/gmail.send#) from the query string I can return to the page, but with the plugin error of “There was an error while processing the authentication request. Please try again.”

    I have refreshed my .htaccess file but am unsure why I would be receiving this error due to that parameter. After further testing, it is the presence of the “https://” causing the error. If I remove the https:// it goes through with all other parameters and values to the plugin page with plugin error. If I remove all other parameters and values except “?scope=https://” I receive the 403.

    Any ideas of why this parameter is being rejected and is there a workaround that you are aware of?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Slava Abakumov

    (@slaffik)

    Hi @crackajax,

    Thanks for your awesome report!

    I suspect that not only a ?scope=https:// string is blocked, but actually any ?string=https://, for security reasons.

    I’m 99% sure that the issue is in the mod_security Apache module (or a similar thing) that is working on the server and filtering all requests. And, apparently, blocking some according to its rules.

    The solution is both simple and hard because you will need to contact your hosting company support and ask them to unblock such requests by modifying the server and that Apache module’s rules.

    Unfortunately, there is nothing we can do about that inside the plugin itself, as this request does not even reach our plugin code. You can check that by monitoring the Apache access_log, which should NOT have a record like this:

    
    https://example.com/wp-admin/options-general.php?page=wp-mail-smtp&tab=auth&code=123ads123sadf&scope=https://www.googleapis.com/auth/gmail.send
    

    I hope that helps! Meanwhile, I’m marking this topic as resolved as the issue is in server configuration and the solution is to talk to a host support team.
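
The access-log check suggested in the reply above, as an added example that is not part of the original thread or the plugin's code: it scans Apache combined-format lines for the WP Mail SMTP auth callback, reports the status the server returned, and lists which parameters carry a full URL as their value. The log lines are constructed and the names `oauth_callbacks`, `LINE_RE` and `SCHEME_RE` are hypothetical; parameter values such as `code` (the OAuth authorization code) are never printed.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache "combined" format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:01:02 +0000] "GET /wp-admin/options-general.php?page=wp-mail-smtp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:01:40 +0000] "GET /wp-admin/options-general.php?page=wp-mail-smtp&tab=auth&code=123ads123sadf&scope=https://www.googleapis.com/auth/gmail.send HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:10:05:11 +0000] "GET /wp-admin/options-general.php?page=wp-mail-smtp&tab=auth&code=123ads123sadf&scope=www.googleapis.com/auth/gmail.send HTTP/1.1" 200 5340 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A parameter value that starts with scheme:// (the pattern the thread suspects is filtered).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def oauth_callbacks(log_text):
    """Return one record per logged request to the plugin's auth callback."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        _client, when, _method, target, status = m.groups()
        query = target.partition("?")[2]
        params = dict(parse_qsl(query, keep_blank_values=True))
        if params.get("page") != "wp-mail-smtp" or params.get("tab") != "auth":
            continue  # some other admin page
        hits.append({
            "time": when,
            "status": int(status),
            # Names only: values (including the authorization code) stay out of the report.
            "params": sorted(params),
            "url_valued_params": sorted(k for k, v in params.items() if SCHEME_RE.match(v)),
        })
    return hits


if __name__ == "__main__":
    for hit in oauth_callbacks(SAMPLE_LOG):
        print(hit["time"], hit["status"], "URL-valued:", hit["url_valued_params"] or "none")
```
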

    Thread Starter crackajax

    (@crackajax)

    Yes, you were correct. I disabled mod_security temporarily to complete the task. This got it going and then I re-enabled mod_security. Thanks!

    Wrong Post

    • This reply was modified 7 years, 1 month ago by sgarriel. Reason: Wrong Post

    Got the same behavior as TS saw. At least the 1) till 5) that is. But my solution was different.

    In my case a security plugin Bulletproof Security (BPS) rated the request from the Google authentication page as malicious and gave the 403. Security Log of BPS said so.

    Solution was to add a BPS Custom Code Skip Rule in the wp-admin htaccess file for the specific request that showed up in the security logs.

  • The topic ‘Google Verification 403 Error’ is closed to new replies.