invalid_request on token request


ErikRas

May 9, 2012, 5:23:41 PM
to oauth...@googlegroups.com
My post parameters to https://accounts.google.com/o/oauth2/token look like:

client_id=[my key]
client_secret=[my secret]
code=kACAH-1Ng0E77DwxXZTJLhAR9RRt6D4u97Be0EzcFZVLCL5AhDSnFBaHo5xV1F7ZIatf79bAmhxMh-TMBAh4gUbVEcBOT_uiD4gm4vXCASa5vUlL3E19m4Bjrk
grant_type=authorization_code

And the response I get back is:

{
  "error" : "invalid_request"
}

Any ideas what I'm doing wrong? From what I can tell I'm following the instructions properly. The call to auth works fine, and I've tried url encoding the parameters, which makes no difference.

What a weak and uninformative error message... :-(

Any help would be most appreciated!

Marius Scurtescu

May 9, 2012, 7:51:28 PM
to oauth...@googlegroups.com
Hi Erik,

Is Content-Type set properly?

Can you try using curl?

Marius

ErikRas

May 10, 2012, 10:32:00 AM
to oauth...@googlegroups.com
I can, yes.

* About to connect() to accounts.google.com port 443 (#0)
*   Trying 74.125.132.84... connected
* Connected to accounts.google.com (74.125.132.84) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=accounts.google.com
* start date: 2011-07-21 00:00:00 GMT
* expire date: 2013-07-18 23:59:59 GMT
* common name: accounts.google.com (matched)
* issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
* SSL certificate verify ok.
> POST /o/oauth2/tokeninfo HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Accept: */*
> Content-Length: 333
> Content-Type: application/x-www-form-urlencoded
< HTTP/1.1 400 Bad Request
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Date: Thu, 10 May 2012 14:28:03 GMT
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Transfer-Encoding: chunked
{
  "error" : "invalid_request"
* Connection #0 to host accounts.google.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

I don't see much new information here. Is application/x-www-form-urlencoded not the correct content type?

Regards,
Erik

Marius Scurtescu

May 10, 2012, 12:07:19 PM
to oauth...@googlegroups.com
You are posting to the wrong endpoint, tokeninfo and not to token.

From the output below:
>> POST /o/oauth2/tokeninfo HTTP/1.1

Marius

ErikRas

May 10, 2012, 12:12:33 PM
to oauth...@googlegroups.com
Neither works. I've tried both.

* About to connect() to accounts.google.com port 443 (#0)
*   Trying 173.194.67.84... connected
* Connected to accounts.google.com (173.194.67.84) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=accounts.google.com
* start date: 2011-07-21 00:00:00 GMT
* expire date: 2013-07-18 23:59:59 GMT
* common name: accounts.google.com (matched)
* issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
* SSL certificate verify ok.
> POST /o/oauth2/token HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Accept: */*
> Content-Length: 333
> Content-Type: application/x-www-form-urlencoded
< HTTP/1.1 400 Bad Request
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Date: Thu, 10 May 2012 16:11:09 GMT

ErikRas

May 10, 2012, 1:46:45 PM
to oauth...@googlegroups.com
I finally got it to work. I had an extraneous state parameter that I was passing as a query parameter from back when I was desperately trying every combination of things. Removing that and using token instead of tokeninfo seems to have fixed my problems.

Thanks for your help, Marius!

Marius Scurtescu

May 10, 2012, 1:54:39 PM
to oauth...@googlegroups.com
On Thu, May 10, 2012 at 10:46 AM, ErikRas <rasmus...@gmail.com> wrote:
> I finally got it to work. I had an extraneous state parameter that I was
> passing as a query parameter from back when I was desperately trying every
> combination of things. Removing that and using token instead of tokeninfo
> seems to have fixed my problems.
>
> Thanks for your help, Marius!

Glad it works. I'll look into adding the actual validation condition
(unexpected state parameter in this case) to the error response.

Marius

Patrick Rodjito

May 10, 2012, 4:47:59 PM
to oauth...@googlegroups.com
I'm having a very similar issue. Got auth to work but not token. Any help would be very appreciated.

I guess I don't understand why I have to POST since everything that I'm sending is in the parameters not in the request body... But anyway this is what I'm doing:

I'm POSTing with application/x-www-form-urlencoded content type. I tried application/json and it doesn't work either.

This is the URL I'm trying to post to:
https://accounts.google.com/o/oauth2/token?code=mycode&client_id=myclientid&client_secret=myclientsecret&redirect_uri=https://ec2-184-169-129-39.us-west-1.compute.amazonaws.com:8443/GoogleService/CallbackHandler&grant_type=authorization_code

If I try to use GET instead of POST I get invalid http method error.

If I try to use POST but don't include a request body I will get 411.

So I'm using POST and include the number 0 in the request body just for the sake of having a request body, but I'm getting 400 Bad Request.

My java code looks something like this:

                URL url = new URL(loginBaseUrl + "/token?code=" + code[0] + "&client_id=" + consumerKey + "&client_secret=" + consumerKeySecret + "&redirect_uri=" + serviceBaseUrl + "/CallbackHandler&grant_type=authorization_code");
                httpUrlConnection = (HttpURLConnection)url.openConnection();
                httpUrlConnection.setDoInput(true);
                httpUrlConnection.setDoOutput(true);
                httpUrlConnection.setRequestMethod("POST");
                httpUrlConnection.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
               
                httpUrlConnection.setDoOutput(true);
                OutputStream os =  httpUrlConnection.getOutputStream();
                os.write(0);
               
                httpUrlConnection.connect();
               
                responseCode = httpUrlConnection.getResponseCode();
                responseMessage = httpUrlConnection.getResponseMessage();

Thanks!

Marius Scurtescu

May 10, 2012, 5:00:58 PM
to oauth...@googlegroups.com
Hi Patrick,

You should put all parameters in the request body, not in the query string.

When asking for help, please provide complete response from server.
HTTP headers and response body.

Cheers,
Marius

Patrick Rodjito

May 10, 2012, 5:12:15 PM
to oauth...@googlegroups.com
I see.. thanks! Can I use JSON? If so, I assume I have to change the content type to application/json? Also can you please provide a JSON request sample body just to be absolutely clear?

Marius Scurtescu

May 10, 2012, 5:30:41 PM
to oauth...@googlegroups.com
No, you cannot use JSON with the request, it must be a form-encoded
request (application/x-www-form-urlencoded).

Only responses are JSON. That's the OAuth 2 spec.

Marius



Patrick Rodjito

May 10, 2012, 5:55:49 PM
to oauth...@googlegroups.com
Oh ok, thanks for the clarification. Form-encoded works for me too.

Shafaqat Ali

May 28, 2012, 3:13:07 AM
to oauth...@googlegroups.com


On Friday, 11 May 2012 02:12:15 UTC+5, Patrick Rodjito wrote:
> I see.. thanks! Can I use JSON? If so, I assume I have to change the content type to application/json? Also can you please provide a JSON request sample body just to be absolutely clear?

Hi Patrick,
Can you please post your complete solution? I am having the same issue and have been stuck for a week. Please do reply.

Alex Deva

Jun 25, 2012, 12:31:09 PM
to oauth...@googlegroups.com
Salut Marius,

I'm having the same issue. When I send out a request with this header:

{ "accept"=>["*/*"], "user-agent"=>["Ruby"], "content-type"=>["application/x-www-form-urlencoded"], "connection"=>["close"], "host"=>["accounts.google.com"], "content-length"=>["318"] }

(Ruby hash notation), to this URL: https://accounts.google.com/o/oauth2/token containing this POST data:

code=kACAH-1Ng2Sg81rXEDkgMX1GPeT8PDduuYqAAW6YyfsmMRREtbiIX7Y_bnisHBZUSMtUud_a0Vff2IwoIygLzd8iqAyulaJ4KuOzm500WmmmXjbP3QuEtOn9FU&client_id=[FILTERED]&client_secret=[FILTERED]&grant_type=authorization_code&redirect_url=http%3a%2f%2flocalhost%3a8080%2fpublic%2fg_login_callback

I get a response with these headers (again pasted here as a Ruby hash):

{"cache-control"=>["no-cache, no-store, max-age=0, must-revalidate"], "pragma"=>["no-cache"], "expires"=>["Fri, 01 Jan 1990 00:00:00 GMT"], "date"=>["Mon, 25 Jun 2012 16:27:59 GMT"], "content-type"=>["application/json"], "x-content-type-options"=>["nosniff"], "x-frame-options"=>["SAMEORIGIN"], "x-xss-protection"=>["1; mode=block"], "server"=>["GSE"], "connection"=>["close"]}

and this response:

{
  "error" : "invalid_request"
}

Any idea what I'm doing wrong?

Mulțumesc,

  Alex



Breno de Medeiros

Jun 25, 2012, 1:02:48 PM
to oauth...@googlegroups.com
On Mon, Jun 25, 2012 at 9:31 AM, Alex Deva <alexand...@gmail.com> wrote:
> Salut Marius,
>
> I'm having the same issue. When I send out a request with this header:
>
> { "accept"=>["*/*"], "user-agent"=>["Ruby"],
> "content-type"=>["application/x-www-form-urlencoded"],
> "connection"=>["close"], "host"=>["accounts.google.com"],
> "content-length"=>["318"] }
>
> (Ruby hash notation), to this
> URL: https://accounts.google.com/o/oauth2/token containing this POST data:
>
> code=kACAH-1Ng2Sg81rXEDkgMX1GPeT8PDduuYqAAW6YyfsmMRREtbiIX7Y_bnisHBZUSMtUud_a0Vff2IwoIygLzd8iqAyulaJ4KuOzm500WmmmXjbP3QuEtOn9FU&client_id=[FILTERED]&client_secret=[FILTERED]&grant_type=authorization_code&redirect_url=http%3a%2f%2flocalhost%3a8080%2fpublic%2fg_login_callback
>
> I get a response with these headers (again pasted here as a Ruby hash):
>
> {"cache-control"=>["no-cache, no-store, max-age=0, must-revalidate"],
> "pragma"=>["no-cache"], "expires"=>["Fri, 01 Jan 1990 00:00:00 GMT"],
> "date"=>["Mon, 25 Jun 2012 16:27:59 GMT"],
> "content-type"=>["application/json"], "x-content-type-options"=>["nosniff"],
> "x-frame-options"=>["SAMEORIGIN"], "x-xss-protection"=>["1; mode=block"],
> "server"=>["GSE"], "connection"=>["close"]}
>
> and this response:
>
> {
>   "error" : "invalid_request"
> }
>
> Any idea what I'm doing wrong?

The name of the OAuth2 parameter is redirect_uri, not redirect_url.
However, I am afraid there are additional encoding issues because when
a required parameter is missing, the response typically indicates
that. "Request invalid" is reserved for request parsing failures
(typically caused by encoding issues), when we don't have enough
information to generate a more helpful response. However, it may be
that there's a bug with our error reporting. In the meantime, try
replacing redirect_url with redirect_uri in this request.






--
--Breno

Alex Deva

Jun 26, 2012, 5:35:55 AM
to oauth...@googlegroups.com
I changed the name of that parameter and now it's working, thank you. Apparently the error response didn't indicate that, although it would've been helpful. Could that be because redirect_url is optional anyway?

Thank you.

Jonathan Shaltz

Feb 14, 2013, 12:14:30 PM
to oauth...@googlegroups.com
Yes, PLEASE!  I've spent hours on this problem, probably hundreds of other people have as well.  Explicit error reporting should be part of a project's spec, not an afterthought tacked on later if there's time.

Manoj Vivek

Feb 22, 2013, 1:33:03 AM
to oauth...@googlegroups.com
hi,
Really spent hours in this "invalid_request" error, but still couldn't figure out why the error happened.
Could anybody spot the error in this please?

Curl URL : 
curl -v -k --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "code=4%2F6tZqyruf50fo_LqPZn717iWiomu4.soPrGkm4E7cWgrKXntQAax36SRoBegI&client_id=[my_id]&client_secret=[my_secret]&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fauth&grant_type=authorization_code" https://accounts.google.com/o/oauth2/token

Curl response:
* About to connect() to accounts.google.com port 443 (#0)
*   Trying 74.125.128.84... connected
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=accounts.google.com
*        start date: 2013-01-03 12:13:04 GMT
*        expire date: 2013-06-07 19:43:27 GMT
*        subjectAltName: accounts.google.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /o/oauth2/token HTTP/1.1
> User-Agent: curl/7.23.1 (x86_64-pc-win32) libcurl/7.23.1 OpenSSL/0.9.8r zlib/1.2.5
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 275
>
* upload completely sent off: 275 out of 275 bytes
< HTTP/1.1 400 Bad Request
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Date: Fri, 22 Feb 2013 06:29:26 GMT
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Transfer-Encoding: chunked
<
{
  "error" : "invalid_request"
}* Connection #0 to host accounts.google.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello :

Any possible mistake here?

-Manoj Vivek

Benjamin Carl Wiley Sittler

Feb 22, 2013, 2:01:27 AM
to oauth...@googlegroups.com
Try using  --data rather than  --data-urlencode — otherwise I believe the POST data will be doubly-encoded.



Manoj Vivek

Feb 22, 2013, 2:15:17 AM
to oauth...@googlegroups.com
Hi Benjamin,
Using --data alone gives me an "invalid_grant" error.
Does that mean my authorization code is wrong?

-Manoj Vivek

Benjamin Carl Wiley Sittler

Feb 22, 2013, 2:22:40 AM
to oauth...@googlegroups.com
Try again with a fresh "code". Also double-check to ensure the redirect_uri and client_id exactly match those given during the end-user authorization step, and that the client_secret you're using is the correct one for your client_id. Should that fail, I also recommend double-checking your implementation against the documentation: https://developers.google.com/accounts/docs/OAuth2WebServer#handlingtheresponse

Manoj Vivek

Feb 22, 2013, 5:42:23 AM
to oauth2-dev
Ya that Worked!! in Curl.
But in my implementation it still says "invalid_request"..
Think of a reason here? 
Using Apache HttpComponents

    HttpPost post = new HttpPost("https://accounts.google.com/o/oauth2/token");
    HttpParams params = new BasicHttpParams();
    params.setParameter("code", code);
    params.setParameter("client_id", client_id);
    params.setParameter("client_secret", client_secret);
    params.setParameter("redirect_uri", redirect_uri);
    params.setParameter("grant_type", grant_type);
    post.addHeader("Content-Type", "application/x-www-form-urlencoded");
    post.setParams(params);
    DefaultHttpClient httpClient = new DefaultHttpClient();
    HttpResponse response = httpClient.execute(post);


Also tried Encoding params with UTF-8  .. 
Any help would be appreciated..


-Manoj Vivek

Benjamin Carl Wiley Sittler

Feb 22, 2013, 9:58:40 AM
to oauth...@googlegroups.com
Use a fresh "code", and make sure the "code" you are using is not one which has been exchanged previously. Also ensure once again that the redirect_uri, client_id, client_secret, and grant_type exactly match the correct values.

And finally, I'm unfamiliar with Apache HttpComponents, but if possible check to make sure parameters aren't being encoded multiple times — I suspect setParameters expects its arguments to be unencoded.

Tim Bray

Feb 22, 2013, 12:59:32 PM
to oauth...@googlegroups.com
I’d bet that Ben’s right and you have a URLencoding problem.  I see this all the time. -T

Manoj Vivek

Feb 25, 2013, 3:32:20 AM
to oauth2-dev
Hi Benjamin, Tim,

Tweaked all around with and without URL encoding.. All negative..
Is there a standard way to do this? Or are there any flaws with the way I do it?

-Manoj Vivek

Manoj Vivek

Feb 25, 2013, 5:46:52 AM
to oauth2-dev
Got it solved.. 
Implementation problem. Changed the parameter sending method from HttpParams to UrlEncodedFormEntity

Thanks All!
-Manoj Vivek
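
Added example (not part of the original thread and not Google's code): a small Python pre-flight check that flags the request mistakes this thread traced `invalid_request` to, namely the tokeninfo endpoint, parameters in the query string, a non-form Content-Type, the misspelled redirect_url, and double percent-encoding. The allowed and required parameter sets are assumptions based on the requests shown in the thread and RFC 6749 section 4.1.3, and all sample values are constructed.

```python
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

TOKEN_PATH = "/o/oauth2/token"  # token endpoint path quoted in the thread
FORM = "application/x-www-form-urlencoded"
# Assumption: parameter sets for the authorization_code grant, taken from the
# requests shown in the thread and RFC 6749 section 4.1.3.
ALLOWED = {"code", "client_id", "client_secret", "redirect_uri", "grant_type"}
REQUIRED = {"code", "grant_type"}
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def build_token_body(code, client_id, client_secret, redirect_uri):
    """Encode raw (not yet encoded) values exactly once into a form body."""
    return urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })


def lint_token_request(method, url, content_type, body):
    """Return the list of problems found in an outgoing token request."""
    problems = []
    parts = urlsplit(url)
    if method.upper() != "POST":
        problems.append("method must be POST")
    if parts.path != TOKEN_PATH:
        problems.append(f"wrong endpoint path {parts.path}")
    if parts.query:
        names = sorted(parse_qs(parts.query, keep_blank_values=True))
        problems.append("parameters in query string: " + ", ".join(names))
    if content_type.split(";")[0].strip().lower() != FORM:
        problems.append("Content-Type must be " + FORM)
    fields = parse_qs(body, keep_blank_values=True)
    for name in sorted(set(fields) - ALLOWED):
        problems.append(f"unexpected parameter {name}")
    for name in sorted(REQUIRED - set(fields)):
        problems.append(f"missing parameter {name}")
    for name, values in sorted(fields.items()):
        # Heuristic: a %XX sequence that survives one decoding pass usually
        # means the value was encoded twice.
        if any(PCT.search(v) for v in values):
            problems.append(f"{name} looks percent-encoded twice")
    return problems


# Constructed sample values; none are real codes or credentials.
URL = "https://accounts.google.com" + TOKEN_PATH
GOOD = build_token_body("4/abc.def", "id.example", "s3cret",
                        "http://localhost:8888/auth")
# Passing an already encoded string through a second encoder (as curl's
# --data-urlencode "code=..." does) folds everything into one "code" value.
DOUBLE = "code=" + quote(GOOD.split("=", 1)[1], safe="")

if __name__ == "__main__":
    for label, args in [
        ("good", ("POST", URL, FORM, GOOD)),
        ("tokeninfo + state", ("POST", URL + "info?state=x", FORM, GOOD)),
        ("redirect_url", ("POST", URL, FORM, GOOD.replace("_uri=", "_url="))),
        ("double-encoded", ("POST", URL, FORM, DOUBLE)),
    ]:
        print(label, "->", lint_token_request(*args) or "ok")
```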
