Google OAuth Authentication suddenly fails and issues "disabled_client"

In the meantime we found out that our Android app was removed from the Play Store, and we got the following notification:

This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store. REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy. Please refer to the policy help article for more information.

  • We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.

We are very careful about the data inside our application and we take privacy and security extremely seriously, as the whole app is about security and our customers' trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state, which we make clear in the app description. It's used by a very limited number of people, as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confidential data of any kind. We published a couple of related apps, and not all of them even include the feature, but all were suspended. However, we guess that this feature is the reason for the removal.

Edit: In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.

We were informed that our app collects names of running tasks and sends them to our servers, which is not the case. However, we used the Crittercism library, and the Crittercism docs suggest requiring the "GET_TASKS" permission, which we did. I don't think that Crittercism is considered dangerous, as it's used by lots of applications. But maybe the combination of a logging service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.

To fix this, we simply removed Crittercism and all related permission requirements, as it wasn't very useful for us anyway.

Author: MarkusM

Updated on July 09, 2022

Comments

  • MarkusM
    MarkusM almost 2 years

    We run a web application with a JavaScript and an Android front end. We use Google IDs with OAuth for authentication. Everything worked fine until today, when authentication suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues

    401. That’s an error.
    Error: disabled_client
    The OAuth client was disabled.
    Request Details
      scope=openid profile email
      response_type=code
      redirect_uri=https://***.net/signin-google
      state=***
      client_id=******.apps.googleusercontent.com
    That’s all we know.
    

    When logging in via the Android app, authentication fails too; GoogleAuthUtil.getToken raises an unspecific exception.

    I couldn't find much information when googling for this error message. Some say one should try to change the application name in the consent screen. This didn't help in my case.

    In the developer console I noticed that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.

    I have a total of 7 Client IDs registered for this project and 3 public API access keys.

    Is it possible that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.

    Any ideas? This is a production environment, so for us the problem is absolutely severe.

    Thanks for any help!

  • Juniper
    Juniper almost 10 years
    Just to confirm that this is the correct answer. I am also experiencing absolutely the same issue and have been banned in Google OAuth just after my app was removed from Google Play. In my case the reason for removal is a violation of the Ad Policy, so I do not think that the reason for removal plays a big role in this case. I assume that Google automatically bans the related OAuth account. Have you found how to overcome this issue?
  • David Wilkins
    David Wilkins almost 8 years
    Is this common? 2 years later this starts for me.