400 Error when re-authorizing adwords Oauth2.0

[Pere Kyle]

Since about the beginning of december the oauth flow for our app has been broken. It previously worked for ~3 months with no changes. It seems to have coincided with the new permission page for oauth and only affects functionality after an adwords token has been granted.

Steps to reproduce:

var clientId = 'ID.apps.googleusercontent.com';

var scopes = 'https://adwords.google.com/api/adwords/ https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email';

gapi.auth.authorize({client_id: clientId, scope: scopes, access_type: 'offline', response_type: 'code', prompt: 'select_account',authuser: -1}, handleAuthResult);

This flow works the first time and then subsequently fails even when not trying to auth an Adwords account:

var scopes = 'https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email';

gapi.auth.authorize({client_id: clientId, scope: scopes, access_type: 'offline', response_type: 'code', approval_prompt: 'force', authuser: -1}, handleAuthResult);

After clicking on Adwords authorized account in account chooser

ERROR: "400. That's an error.

The page you requested is invalid. That's all we know."

In the google account permissions page if I auth GA first and then adwords it will only error after the adwords has been associated. I am desperate for a solution as I cannot seem to fix it on my end, it must be a change in the google permissions system.

[Pere Kyle]

This issue is still live, and it seems to only affect my oauth login when using the adwords scope.

[Pere Kyle]

Anyone?

[Danial Klimkin]

Hello Pere,

Do you get the same error if you provide *only* AdWords scope? Can you combine those calls to have a shared refresh token for both GA and AdWords API?

-Danial, AdWords API Team.

[Pere Kyle]

Daniel,

Anytime I request a adwords scope for an already authed adwords account I get a 400 error.

Tried

var scopes = 'https://adwords.google.com/api/adwords/';

gapi.auth.authorize({client_id: clientId, scope: scopes, access_type: 'offline', response_type: 'code', prompt: 'select_account',authuser: -1}, $scope.handleAuthResult);

And also:

var scopes = 'https://adwords.google.com/api/adwords/ https://www.googleapis.com/auth/analytics.readonly https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email';

The problem on my side is that our users are clicking these and seeing this error and I have no control over it since I dont know if they hold an auth token already. It will work the first time perfectly, then it will error the second time it is authed. 

Thanks for your response.

[Danial Klimkin]

Hello Pere,

So far I wasn't able to reproduce this scenario. Can you please outline the exact steps how your users get into this state?

-Danial, AdWords API Team.

[Pere Kyle]

Danial,

Thanks for the response again.

Anytime we get a refresh token for Adwords scope it will create a 400 error whenever that same account is selected in a subsequent gapi oauth prompt. It seems to have coincided with the new account permissions page on google accounts. When accessing the 'broken' account from the new account page it looks perfect: Screen Shot 2014-01-28 at 10.47.33 AM.png

However looking in the old access panel (https://accounts.google.com/b/0/IssuedAuthSubTokens): Screen Shot 2014-01-28 at 10.42.59 AM.png

Notice the two scopes "Google AdWords, Profile Information, Google Analytics" and "Google Analytics, Profile Information", they are for the same application (ours). Before the error started occurring these scopes did not look like this, they looked like "Google AdWords, Profile Information" and  "Google Analytics, Profile Information". 

[Pere Kyle]

Danial,

It seems it may be related to the google api javascript library and specifically using the postback option. I am requesting an auth_code via a postback on the js side, then getting a refresh token using the php library on server side. Should I degrade use of the postback option?

Thanks,

Pere

[Pere Kyle]

Here is the code on server side using the adwords client library:

          $redirectUri = 'postmessage';

 $OAuth2Handler = $user->GetOAuth2Handler();

 // Get the access token using the authorization code. Ensure you use the same

 // redirect URL used when requesting authorization.

 $user->SetOAuth2Info(

       $OAuth2Handler->GetAccessToken(

           $user->GetOAuth2Info(), $code, $redirectUri));

 $oauthInfo = $user->GetOAuth2Info();

 // The access token expires but the refresh token obtained for offline use

 // doesn't, and should be stored for later use.

 return $oauthInfo['refresh_token'];

[cojoina...@gmail.com]

After some more testing I tried forming the url without using the google js lib like such:

https://accounts.google.com/o/oauth2/auth?scope=https://adwords.google.com/api/adwords/&response_type=code&access_type=offline&redirect_uri=MYURL&approval_prompt=force&client_id=MYID.apps.googleusercontent.com&hl=en&from_login=1&as=-13c0c43bd1da40fd&pli=1&authuser=1

This did not produce the 400 error and instead produced a "Request offline access" as expected. It seems the url being passed by the google gapi js library is incorrect in some way. The uri comming from gapi.authorize is:

https://accounts.google.com/o/oauth2/auth?zt={Long string}&from_login=1&hl=en&as=704bfab0aac7a3eb&pli=1&authuser=0

[Danial Klimkin]

Hello Pere,

Looks like this is indeed an issue with the JS lib. Unfortunately it is out of scope for our team as it's not specific to the AdWords.

I suggest to generate the URL yourself but consider reporting it as a bug for the JS library.

-Danial, AdWords API Team.