Sep 21, 2023

Google warning - Deceptive site ahead on OAuth2 authorization code grant flow

We have implemented OAuth2 and are using the authorization code grant flow. Some users get the red screen from Google which says deceptive site ahead.

On request number 5, users sometimes receive the deceptive site ahead warning. In the Google Search Console I have no information regarding it and I can just report it as a false flag. Then Google flags it as solved, but a few days later it's back. In the Google Search Console I have 0 information on what's up:


I think the issue is that Google thinks this code parameter here is malicious code; it always happens on that particular call.

def5020055a6848bbf81a98451efba202234241ae4d309b9308bd565290ad88cd61f07253fe660f70274ce1e8b501763fdfe02f6fe9d4b563bf880eef9d1638a89657d6cd3538b1c44a9d78a9e1ebffd103985b6ce7d680719bd35b5cb73ce0a71090498ea7894620a5395ea646186808d2ba7185840d57a34706a923c4ce9aa454da7ab4f27ea8dfa223973dae5a41f1db2fa054012c8e58e1e202d59f86f044c0558af1e48d10ad4ad78fc539a1cc3bc5d273f7e331d91f5cc39f0b68e60828490160c4dd5d70244f0b4799c90925c57306196ab6d900257fecffe0310799f70b9088e9bca0ea52e0173d499535ea845497316f5f99e50e3f994048ef6d615dff61559cd8889670e987e42c797ac6305a2b8a5d8aabc564bbec9eedd85d87dd39ddaccdb4fe9761e9e968b5cacf89e8e6b5868c3ad82f0422c8b5426094dcb11796b7be288deff11c1dd672121d7499bed88aee540a934d6c714a903941460f025767c2cd90837384bcfff89e068f45b8e680b5a3f4da93b68139014253130493d5a5acdcde9f56445300d74277b6c12e6d0045e243ec6bbc29eee26c0ba05b306badb8424aea150505

  1. 302 https://auth.myapp.com/
  2. 302 https://login.myapp.com/login?identifier=demo2
  3. 302 https://auth.myapp.com/consent?code_challenge_method=S256&state=a2f1dc186493cfec4c01d8956f1b851c&scope=&response_type=code&approval_prompt=auto&redirect_uri=https://login.myapp.com/connect/kauth/check?identifier%3Ddemo2&client_id=myapp
  4. 302 https://auth.myapp.com/authorize?code_challenge_method=S256&state=a2f1dc1864adscfec4c01d8956f1b851c&scope=&response_type=code&approval_prompt=auto&redirect_uri=https://login.myapp.com/connect/kauth/check?identifier%3Ddemo2&client_id=myapp
  5. On this request the error happens: 302 https://login.myapp.com/connect/kauth/check?identifier=demo2&code=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&state=a2f1dc186493cfec4c01d8956f1b851c

My site does not have any harmful code or content included.
All Replies (3)
Sep 21, 2023
Use 301 redirects, not 302.

Thanks.
Sep 21, 2023
Yes, 302 is correct for OAuth - as noted, they are temporary redirects; the destination does change.

Most times when content is moved, 301 is more correct. But in situations like this 302 is more correct. 



(Can't help with why you might get a warning about a deceptive site, but it's usually when the login page looks similar to a popular site, i.e. the user might enter the wrong details, not realizing it's not the site they think it is.)
Sep 21, 2023
This is also not the case. This application is a SaaS and has been up for 9 years without any issues; the issue also happens during the login process and not on the initial login screen. The login screen is also developed with our own CI. There's nothing which looks similar to ours.
Last edited Sep 21, 2023
Sep 27, 2023
bump, how can it be that nobody from 200k Google employees can tell me what's up and why I have been flagged as a deceptive site?
Sep 27, 2023
Have just noticed there is a contact button at the very bottom of


Sep 27, 2023
wrote them a ticket will see what they say :-) didn't see that button thanks

Oct 23, 2023
bump 

This issue comes back at an interval of around 3 weeks. I report it as a false flag, Google removes it, but I do not get any information on why it's happening. Very frustrating situation.
The answer from them is the following:
"I apologise that we cannot provide you with more information on the issue."
Oct 23, 2023
Google are very cagey about revealing details, as they don't want spammers to learn how the detection works.

If Google are unable to provide details, then we definitely won't be able to provide anything more (other than guesses).
Oct 23, 2023
Well the irony of it is that they redirect you to the community centre ;-)

"I apologise that we cannot provide you with more information on the issue. To learn more about how to keep your website safe, check this documentation. Thank you for understanding
For additional help with your specific issue, I recommend you to contact our Search Central Community or check our Help documentation."

Well, I get zero information on what this is about. I don't have an example site nor any clue if the issue is on a redirect or a parameter or WHY it's been flagged. It's just incredibly frustrating.

This is not a hobby project, it's a site which has 100k+ requests per day.

