Google API Errors

This guide covers errors specific to Google OAuth and Google Identity Services, providing detailed explanations and step-by-step solutions.

OAuth 2.0 Errors

Error 400: invalid_client

Full Message:

Error 400: invalid_client
The OAuth client was not found.

What It Means: Google can't find an OAuth client with the provided Client ID.

Causes:

1. Client ID is incorrect
2. Client ID has extra characters (spaces, newlines)
3. OAuth client was deleted
4. Wrong Google Cloud project

Solution:

1. Go to Google Cloud Console
2. Select your project (check you're in the right one!)
3. Go to APIs & Services > Credentials
4. Find your OAuth 2.0 Client ID
5. Click the copy icon to copy Client ID
6. In WordPress, go to Settings > OneTap Login
7. Clear the Client ID field completely
8. Paste the new Client ID (Ctrl+V)
9. Save Settings
10. Clear all caches

Verification:

Client ID format: 123456789-abc123def456.apps.googleusercontent.com

---

Error 400: redirect_uri_mismatch

Full Message:

Error 400: redirect_uri_mismatch
The redirect URI in the request, https://example.com/wp-json/onetap/v1/callback,
does not match the ones authorized for the OAuth client.

What It Means: The callback URL your site uses isn't in the allowed list.

Causes:

1. Redirect URI not added to Google Cloud
2. www vs non-www mismatch
3. HTTP vs HTTPS mismatch
4. Trailing slash mismatch

Solution:

1. Go to Google Cloud Console > Credentials
2. Edit your OAuth 2.0 Client ID
3. In Authorized redirect URIs, add:

   https://yourdomain.com/wp-json/onetap/v1/callback

4. If you use www, also add:

   https://www.yourdomain.com/wp-json/onetap/v1/callback

5. Save
6. Wait 5 minutes for propagation
7. Try again

Important: URIs must be exact matches - no trailing slashes, correct protocol.

---

Error 400: invalid_request

Full Message:

Error 400: invalid_request
Missing required parameter: client_id

What It Means: The authentication request is malformed or missing data.

Causes:

1. Plugin settings not saved
2. Cache serving old data
3. JavaScript error prevented proper initialization
4. Plugin conflict

Solution:

1. Go to Settings > OneTap Login
2. Re-enter Client ID and Client Secret
3. Click Save Changes
4. Clear all caches:
   • WordPress cache
   • Browser cache
   • CDN cache
5. Hard refresh the page (Ctrl+Shift+R)
6. Check browser console for JavaScript errors

---

Error 400: invalid_grant

Full Message:

Error 400: invalid_grant
Token has been expired or revoked.

What It Means: The authorization code or refresh token is no longer valid.

Causes:

1. Code expired (codes are single-use and expire quickly)
2. Clock skew between your server and Google
3. User revoked access
4. Refresh token limit exceeded

Solution:

1. Try again: Simply restart the sign-in flow
2. Check server time:

   date
   # Should match actual current time

3. Sync time if needed:

   sudo ntpdate -u time.google.com

4. Don't refresh during OAuth: Completing OAuth quickly

---

Error 401: invalid_client

Full Message:

Error 401: invalid_client
Unauthorized

What It Means: Client Secret is incorrect.

Causes:

1. Wrong Client Secret
2. Secret has extra whitespace
3. Secret was regenerated
4. Copied from wrong project

Solution:

1. Go to Google Cloud Console > Credentials
2. Edit your OAuth 2.0 Client ID
3. Under Client Secret, click Reset Secret (if you can't find original)
4. WARNING: Resetting creates new secret and invalidates old one
5. Copy the new secret immediately (only shown once)
6. Update in Settings > OneTap Login
7. Save and test

---

Error 403: access_denied

Full Message:

Error 403: access_denied
The developer hasn't given you access to this app.

What It Means: Your app is restricted or OAuth consent screen not properly configured.

Causes:

1. App in "Testing" mode with limited test users
2. OAuth consent screen not configured
3. App verification required but not completed
4. User not in test users list

Solution:

For Development/Testing:

1. Go to APIs & Services > OAuth consent screen
2. If "Testing", add test users:
   • Click Add users
   • Enter Google emails of testers
   • Save

For Production:

1. Go to OAuth consent screen
2. Click Publish App
3. For sensitive scopes, may need verification
4. Review Google's app verification process

---

Error 403: access_denied (User Action)

Full Message:

Error 403: access_denied
The user denied access to the requested scope.

What It Means: User clicked "Cancel" or "Deny" on consent screen.

Causes:

1. User intentionally denied
2. User didn't understand the consent
3. Consent screen is confusing

Solution:

1. Ensure consent screen is clear:

   • Go to OAuth consent screen
   • Add clear app name
   • Add your logo
   • Write clear privacy policy
   • Explain why you need access

2. Request minimal scopes:

   • OneTap only needs email and profile
   • Don't request unnecessary permissions

---

Error 403: restricted_client

Full Message:

Error 403: restricted_client
The client is restricted and cannot request tokens.

What It Means: Your OAuth client has been restricted by Google.

Causes:

1. Suspicious activity detected
2. Terms of Service violation
3. Client flagged for abuse
4. Billing issue on Google Cloud

Solution:

1. Check Google Cloud Console for notifications
2. Review Google's emails about your project
3. Ensure compliance with OAuth policies
4. Contact Google Cloud support if needed
5. May need to create new OAuth client

---

Error 503: temporarily_unavailable

Full Message:

Error 503: temporarily_unavailable
The service is temporarily unavailable.

What It Means: Google's services are experiencing issues.

Causes:

1. Google outage
2. Maintenance window
3. Regional issues

Solution:

1. Check Google Cloud Status
2. Wait 15-30 minutes
3. Try again
4. If persistent, check other Google services

---

Google Identity Services Errors

These appear in browser console with [GSI_LOGGER] prefix.

Invalid origin for client

Console Message:

[GSI_LOGGER]: Invalid origin for client: CLIENT_ID.
Access blocked: This app's request is invalid.

What It Means: Your current domain isn't in Authorized JavaScript Origins.

Solution:

1. Go to Google Cloud Console > Credentials
2. Edit your OAuth client
3. Add to Authorized JavaScript origins:

   https://yourdomain.com
   https://www.yourdomain.com

4. Save and wait 5 minutes
5. Hard refresh your site

Note: Don't include paths or trailing slashes.

---

Cookie disabled

Console Message:

[GSI_LOGGER]: The given origin is not allowed for the given client ID.
Cookies are not enabled in current environment.

What It Means: Third-party cookies are blocked.

Causes:

1. Browser blocking third-party cookies
2. Privacy extension blocking cookies
3. Safari ITP blocking

Solution:

For One Tap:

• Use browsers with FedCM support (Chrome 117+)
• FedCM doesn't require third-party cookies

For Sign-In Button:

• Should work even without third-party cookies
• Uses popup flow which has different cookie requirements

---

FedCM: Provider is not eligible

Console Message:

[GSI_LOGGER]: FedCM is not available because provider is not eligible.

What It Means: FedCM can't be used in current context.

Causes:

1. Browser doesn't support FedCM
2. Site requirements not met
3. Google account state issue

Solution:

1. This is often informational, not fatal
2. GSI falls back to other methods
3. Ensure button sign-in still works
4. Update Chrome for better FedCM support

---

Missing required parameter

Console Message:

[GSI_LOGGER]: Missing required parameter: client_id

What It Means: Client ID not provided to Google scripts.

Solution:

1. Check Client ID is saved in settings
2. Clear all caches
3. Verify settings output in page source:

   <!-- Should see your Client ID in page HTML -->
   data-client_id="YOUR_CLIENT_ID.apps.googleusercontent.com"

---

Debugging Google Errors

Check Network Tab

1. Open Developer Tools (F12)
2. Go to Network tab
3. Filter by "google" or "oauth"
4. Look for failed requests (red)
5. Click to see response details

Check Console

1. Open Developer Tools
2. Go to Console tab
3. Look for [GSI_LOGGER] messages
4. Note any red error messages

Test OAuth Playground

Use Google's OAuth 2.0 Playground:

1. Go to https://developers.google.com/oauthplayground
2. Click gear icon
3. Enter your Client ID and Secret
4. Test the OAuth flow directly

Verify Configuration

Google Cloud Console checklist:

• Correct project selected
• OAuth consent screen configured
• OAuth client type is "Web application"
• JavaScript origins include your domain (HTTPS)
• Redirect URIs include callback URL
• APIs enabled: Google Identity Services

Common Configuration Mistakes

Mistake	Correct
http://example.com	https://example.com
https://example.com/	https://example.com
Missing www variant	Add both www and non-www
Trailing slash in redirect	No trailing slash
Wrong OAuth client type	Must be "Web application"
Scopes not matching	Request only needed scopes

Next Steps

• Common Issues - General troubleshooting
• Error Codes - All error codes
• Cloudflare - CDN issues
• Debug Mode - Enable logging