Repeated authorization code

[Warren Zhang]

Hi,

We've gotten the following exception when trying to generate a token:

{"error" : "invalid_grant", "error_description" : "Code was already redeemed."}

Every time we make a request, we're directly using the authentication code passed via the request sent to our callback. We've seen this error occur 3 times for a single user within about 12 minutes. The user successfully used this same authorization code about 2 hours before these failures. Could we get some assistance in troubleshooting this issue?

Thanks,

Warren

[James Andrews]

Warren,

You can only use the authorization code once.  It's one and done.  After the code has been used you need to generate a new authorization code.

James

[Shwetha Vastrad (AdWords API Team)]

Hi Warren, 

Yes, as James states, an authorization code can only be used once to get a short-lived access token and a refresh token. You'll not be able to use an authorization code more than once. You'll need to reauthorize to generate a new authorization code. You can use the refresh token to refresh an expired access token as described here.

Regards,
Shwetha, AdWords API Team.

[Warren Zhang]

Hi Shwetha,

The issue is not us trying to re-use an authorization code. From our perspective, it looks like we're getting back the same authorization code (which has already been used) after separate Google login attempts.

Thanks,

Warren

[Shwetha Vastrad (AdWords API Team)]

Hi Warren,

Could you provide the type of OAuth2 credentials used and also describe how you have implemented OAuth2 authentication in your application?

Thanks,

Shwetha, AdWords API Team.

[Warren Zhang]

Hi Shwetha,

This is for a .NET web app. What details do you need? 

Thanks,

Warren

[Shwetha Vastrad (AdWords API Team)]

Hi Warren, 

Could you confirm if you followed the steps listed here to setup OAuth2 for API access? Are you saving/caching the authorization code in your application?  An end-to-end example is provided here which demonstrates how to access the AdWords API from within an ASP.NET web application. Could you try using this example and let me know if it works? 

[Warren Zhang]

Hi Shwetha,

Yes, we're following the same steps listed in the tutorial provided to obtain an authorization code. We are adding the following arguments to the authorization url - &approval_prompt=force and &prompt=select_account. Not sure if these are having any impact. We're not caching the authorization code anywhere explicitly; we directly fetch it from Request.Params["code"].

Thanks,

Warren

[Shwetha Vastrad (AdWords API Team)]

Hi Warren, 

The parameter approval_prompt is now prompt. To get the behavior similar to approval_prompt=force I would suggest that you change your app to use prompt=consent. Please see this forum post for more details. In your case, you would need to pass the space delimited values to the prompt parameter. 

[Warren Zhang]

I can change that, but is the outdated parameter the cause of this authorization code issue?

[Anash P. Oommen (AdWords API Team)]

Hi Warren,

The relevant code to capture OAuth callback and exchange it with an access token / refresh token looks like this: 

https://github.com/googleads/googleads-dotnet-lib/blob/master/examples/AdWords/CSharp/OAuth/OAuthLogin.aspx.cs#L50. I assume you are (1) using the state parameter to distinguish a redirect to google server, and a callback from Google server? and (2) Placed a breakpoint on your call to FetchAccessAndRefreshTokens and made sure it isn't happening twice?

You can also use Fiddler to intercept the requests to make sure the authorization code in both cases are different (i.e. the call is not getting cached somehow)

Cheers,
Anash P. Oommen,
AdWords API Advisor

[Warren Zhang]

Hi Anash,

We're distinguishing between Request.Params["state"] == null and Request.Params["state"] equals something else, but not checking for whether or not that something else == callback. Could this be cause the issue? We've moved where we call FetchAccessAndRefreshTokens from our UI code to our back end code, but it also doesn't look like we call FetchAccessAndRefreshTokens there either. Since this doesn't happen consistently or very often, we've had issues trying to repro the issue, so I'm not sure we'll be able to capture this re-used authorization code callback through Fiddler. 

Thanks,

Warren

[Warren Zhang]

Meant to say it doesn't look like we call FetchAccessAndRefreshTokens multiple times there either.