Solution / Workaround
The OAuth URL generated by gws is actually valid (it does include response_type=code). The misleading error comes from Google rejecting the request before parsing the full URL, because the wrong Google account session was active in the browser.
In my case:
- The OAuth app was configured as Internal (Google Workspace org only)
- My browser's default session was a personal @gmail.com account (outside the org)
- Google blocked the flow with the generic "Required parameter is missing: response_type" error instead of saying "this account is not part of this organization"
Fix: Open the OAuth URL in an incognito/private browser window and sign in with the correct Workspace account. The login_hint parameter in the URL suggests the right account, but it doesn't override the browser's active session.
Suggestion for gws
It might be worth adding a note in the gws auth login output like:
Tip: If you see "Access blocked" in the browser, try opening this URL
in an incognito window and signing in with the correct account.
This would save users from debugging a red herring.
Originally posted by @jaseemts in #150
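
A triage helper for the situation described in this comment, added here as an example (it is not part of gws or of the original post): it parses an authorization URL to confirm the URL itself is complete, so the "missing response_type" message can be attributed to the browser session instead. The function name `diagnose_auth_url`, the sample URL, and its placeholder client ID and account are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters an authorization-code request to Google's endpoint must carry.
REQUIRED = ("response_type", "client_id", "redirect_uri", "scope")

# Constructed sample URL (placeholder client ID and account, not from the page).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080"
    "&scope=openid"
    "&login_hint=user%40example.com"
)


def diagnose_auth_url(url, workspace_domain):
    """Return (url_ok, notes) for an OAuth authorization URL.

    url_ok is True when every required parameter is present and
    response_type is "code", meaning the URL is not the cause of the error.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    notes = []

    missing = [p for p in REQUIRED if not params.get(p, [""])[0]]
    if missing:
        notes.append("missing parameter(s): " + ", ".join(missing))
    rtype = params.get("response_type", [""])[0]
    if rtype and rtype != "code":
        notes.append(f"unexpected response_type={rtype!r}")
    url_ok = not notes

    # login_hint only suggests an account; compare its domain with the org.
    hint = params.get("login_hint", [""])[0]
    hint_domain = hint.rpartition("@")[2].lower()
    if not hint:
        notes.append("no login_hint: nothing suggests which account to use")
    elif hint_domain != workspace_domain.lower():
        notes.append(f"login_hint is for {hint_domain}, not {workspace_domain}")
    else:
        notes.append("login_hint matches the org, but it does not override the "
                     "browser's active session; open the URL in a private window")
    return url_ok, notes


if __name__ == "__main__":
    print(diagnose_auth_url(SAMPLE_URL, "example.com"))
```

If `url_ok` is true and the browser still reports a missing parameter, check which Google account the browser session is signed in to before debugging the client.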