Did you try to add a breakpoint on the microflow that resolves the user account to see what this is returning? Another option would be to set the log levels of the OAuth module to trace to get some more information on the data being transferred. But my guess is that the user information that Google or Facebook is returning does not resolve to a user and you therefore get the unauthorized message.
You'll need to change the scoping of the request to the identity provider. Currently the scope is narrow, to disclose only account info. When broadening the scope you should be able to get the friends list and process that to Mendix entities. If you want the anonymous user to log in, change the microflow that now retrieves the user to one that will create the user if the user could not be found and return the newly created user. Or alternatively, don't return the user but create a page that can be accessed by an anonymous user. This all depends on the functionality required by your app. For scoping the request, this is a good starting point for Google: https://developers.google.com/accounts/docs/OAuth2
Awesome Erwin! Thanks for your insight. We appreciate your time developing this module. It really helped us a lot. You were right, the user information that Facebook returned didn't resolve to a user. We are actually developing a mobile app where Facebook and Google are our standard login. So when an anonymous user logs in, we should be able to get their friends list and contacts. How should we approach this?