Google OAuth WildCard Domains

I am using the google auth but keep getting an origin mismatch. The project I am working has sub domains that are generated by the user. So for example there can be:

In my app settings I have one of my origins being http://* but I get an origin mismatch. Is there a way to solve this? Btw my code looks like this:

  • Vuejs global function with Google Auth Signin
  • How to let anonymous users edit a Google Drive Realtime document?
  • Google authentication javascript
  • How to verify google auth token at server side in node js?
  • How to determine if google auth2.signIn() window was closed by the user?
  • Google Login Hitting Twice?
  •  gapi.auth.authorize({
                            client_id : '',
                            scope : ['',
    state: '', 
    '', ''],
                            immediate : false
                        }, function(result) {
                            if (result != null) {
                                gapi.client.load('oath2', 'v2', function() {
                                    gapi.client.oauth2.userinfo.get().execute(function(resp) {

  • How to verify google auth token at server side in node js?
  • Google Login fail with youtube accounts
  • Google plus signin does not return id_token
  • Google Login Hitting Twice?
  • How to determine if google auth2.signIn() window was closed by the user?
  • Allow user to login with chosen Google account within an iframe (Chrome Extension)
  • 2 Solutions collect form web for “Google OAuth WildCard Domains”

    Hooray for useful yet unnecessary workarounds (thanks for complicating yourself into a corner Google)….

    I was using Google Drive using the javascript api to open up the file picker, retrieve the file info/url and then download it using curl to my server. Once I finally realized that all my wildcard domains would have to be registered, I about had a stroke.

    What I do now is the following (this is my use case, cater it to yours as you need to)

    1. On the page that you are on, create an onclick event to open up a new window in a specific domain ({some unique token}).

    2. On the new popup I did all my google drive authentication, had a button to click which opened the file picker, then retrieved at least the metadata that I needed from the file. Then I stored the token (primary key), access_token, downloadurl and filename in my database (MySQL).

    3. Back on step one’s page, I created a setTimeout() loop that would run an ajax call every second with that same unique_token to check when it had been entered in the database. Once it finds it, I kill the loop and then retrieve the contents and do with them as I will (in this case I uploaded them through a separate upload script that uses curl to fetch the file).

    This is obviously not the best method for handling this, but it’s better than entering each and every subdomain into googles cloud console. I bet you can probably do this with googles server side oauth libraries they use, but my use case was a little complicated and I was cranky cause I was frustrated at the past 4 days I’ve spent on a silly little integration with google.

    Wildcard origins are not supported, same for redirect URIs.

    The fact that you can register a wildcard origin is a bug.

    You can use the state parameter, but be very careful with that, make sure you don’t create an open redirector (an endpoint that can redirect to any arbitrary URL).