To further enhance Happeo’s security and simplify our codebase, we are changing the OAuth client ID used for the Google login. To ensure a smooth transition, some Happeo customers will need to take action. Please read more below.
To keep Happeo secure and our application verified by Google, we are continuing the rollout of using the new OAuth ID for Google Login. We started this rollout in the beginning of 2024 and we are now doing a final update to all the custom login pages to use the new OAuth ID. Once the rollout is complete, we will delete the old OAuth App.
This is a final reminder before our last rollout to customers using custom login pages.
Customers who have configured their Google Workspace to only allow a list of trusted applications to use Google API will need to add the new OAuth App to the trusted list of OAuth apps.
If you are affected, we request you add the new OAuth App to the trusted list in your Google Workspace by the 20th of September 2024.
How to check if you need to take action?
- If you do not have a custom login page, you are not affected by this change (see below how to identify). No action is required.
- If you are able to log in via app.happeo.com, you are not affected. No action is required.
- If when you try to log in via app.happeo.com, the login fails with an admin_policy_enforced error, then you are affected by this change. Please read on, and take the action described below.
If you are affected, please do the following:
Your Google Workspace (GW) admin must complete the steps below. If you aren't the GW admin in your organization, please reach out to your IT team to find the right person and instruct them to follow the steps below. Otherwise, your users may see an admin_policy_enforced error when trying to log into Happeo. You can also watch a video walkthrough here.
- Go to your Google Workspace administration console (admin.google.com)
- Go to the left-side menu: Security > Access and Data control > API Controls
- Click on “Manage Third-Party App Access” in the App Access Control section
- Go to Add App > OAuth App Name Or Client ID and enter the client ID 864973362227-bi2n964lskaoae1kmvfrvd7da99kdg8l.apps.googleusercontent.com and click Search
- Select the Happeo app in the results and continue with the workflow
- On the screen where it asks for the type of access to be configured, select “Trusted”
- Continue the workflow to save the configuration
It may take a maximum of 24 hours for configuration to take effect.
After this change, a test login via app.happeo.com should be successful.
After the 30th of September you can remove the old OAuth App from the trusted list with the ID 138951613013-uqi3t23k2ktajekok62u75qk9umibrjf.apps.googleusercontent.com.
Caution: Removing the old OAuth App from the trusted list before our rollout will lead to login failure for your users.
If you have any questions or need support, please reach out to your Customer Success Manager. We are always happy to help.
Why are we making this change?
We are implementing the change in order to improve the security posture of our login flow, as a part of our continuous security enhancement practice. After the update, we will no longer store security tokens in our database, which is a more secure practice. This method is already used by customers who have configured and applied a custom login page. Although the current set-up used by the rest of our customers hasn’t caused any security issues, moving to the new login flow is a natural step towards modern SaaS security.
The update will also simplify our codebase. This will enable us to both build new features and fix bugs faster due to the reduced complexity.
You have configured a custom login page if:
- You access Happeo on your desktop through a URL that is not app.happeo.com
AND
- you see your own branded login page
In this case, you need to check if you can access Happeo via app.happeo.com. If the login fails with an admin_policy_enforced error, then you are affected by this change. Please take action as described above.
