Google Identity Toolkit Widget with 400 bad request error


Danny

Oct 2, 2014, 1:07:01 PM
to google-iden...@googlegroups.com
We've tried to use GIT widget, but keep getting 400 bad request error.
Also got this: Error code: INVALID_IDP_RESPONSE.

From Firebug, here are the details:

POST https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion?key=AIza**************** (API key)

And here's the result:

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "invalid",
    "message": "INVALID_IDP_RESPONSE"
   }
  ],
  "code": 400,
  "message": "INVALID_IDP_RESPONSE"
 }
}



We've searched the forum as well as googled the net, but couldn't find anything that matches our issue.

Can somebody help?




Danny

Oct 2, 2014, 1:24:38 PM
to google-iden...@googlegroups.com
And this is our widget code (generated from GIT console)

    <script type="text/javascript" src="//www.gstatic.com/authtoolkit/js/gitkit.js"></script>
    <link type="text/css" rel="stylesheet" href="//www.gstatic.com/authtoolkit/css/gitkit.css" />
    <style type="text/css">
      #gitkitWidgetDiv {width:100%;}
      input[type="checkbox"] {display:inline-block !important;}
    </style>
    <script type="text/javascript">
      var config = {
        apiKey: 'AIz**********************',
        signInSuccessUrl: 'http://ourdomain.com/success.asp',
        idps: ["google"],
        oobActionUrl: 'http://ourdomain.com/sendemail.asp',
        siteName: 'Our site'
      };
      // The HTTP POST body should be escaped by the server to prevent XSS
      window.google.identitytoolkit.start(
        '#gitkitWidgetDiv', // accepts any CSS selector
        config,
        'JAVASCRIPT_ESCAPED_POST_BODY');
    </script>


Mengcheng Duan

Oct 2, 2014, 1:32:21 PM
to google-iden...@googlegroups.com
Did you replace the 'JAVASCRIPT_ESCAPED_POST_BODY' with the real post body data from IDP?
If not, you could try to use an empty string '' to see if you still get an INVALID_IDP_RESPONSE. Empty string works for most IDPs. But you'll need to extract the post body data, properly escape it and pass it to the javascript widget if you want to support IDPs which do form post redirects, for example, Yahoo.


- Mengcheng


Danny

Oct 2, 2014, 1:45:09 PM
to google-iden...@googlegroups.com
Thank you Mengcheng. Tried your suggestion, still got the same 400 error.
Here's the updated code, just to be sure I did exactly what you needed me to do. Also, what should be in the "JAVASCRIPT_ESCAPED_POST_BODY"? This is our first time using this widget, so we thought it would be just a "copy-n-paste" process.
 
    <script type="text/javascript">
      var config = {
        apiKey: 'AIza*************************',
        signInSuccessUrl: 'http://ourdomain.com/success.asp',
        idps: ["google"],
        oobActionUrl: 'http://ourdomain.com/applications/sendemail.asp',
        siteName: 'this site'
      };
      // The HTTP POST body should be escaped by the server to prevent XSS
      window.google.identitytoolkit.start(
        '#gitkitWidgetDiv', // accepts any CSS selector
        config,
        '');
    </script>

Mengcheng Duan

Oct 2, 2014, 2:24:52 PM
to google-iden...@googlegroups.com
Which IDP were you using?

The 'JAVASCRIPT_ESCAPED_POST_BODY' should be the HTTP POST body value that your endpoint (the one that serves the identity toolkit javascript widget) receives. When a user signs in with an IDP, the IDP responds with an auth token or some signed assertion to your callback endpoint upon success. Normally your endpoint receives a GET request where you don't have a POST body, hence the empty string. However, sometimes the IDP has to use an HTML form which contains the response and POST it to your callback endpoint because the response is too big to fit in the browser address bar. Since identity toolkit needs to verify the IDP response for you, you should check the POST body in the request and pass it to the widget if there is any.
To prevent XSS against your site, you should properly escape the POST body value in a JavaScript context. You can find more information here. If you use some template system, you're probably already covered.


- Mengcheng

Danny

Oct 2, 2014, 2:42:25 PM
to google-iden...@googlegroups.com
We're just using "google"

Jin Liu

Oct 2, 2014, 3:47:51 PM
to google-iden...@googlegroups.com
Could you dump the http *request* post body for https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion from Firebug? You may send that to me in private.

Suharsh Sivakumar

Oct 9, 2014, 2:34:04 PM
to google-iden...@googlegroups.com
Is this resolved? I am having the same issue. When I do the initial display of the sign in widget I get the INVALID_IDP_RESPONSE error. The auth and everything works afterwards but the error shows up.

I may be misunderstanding something but why is there a verifyAssertion call upon load of the widget, shouldn't it only happen when the user signs in?

Thanks!

Mengcheng Duan

Oct 9, 2014, 2:53:51 PM
to google-iden...@googlegroups.com
There is a query parameter called "mode" for the widget. By default it is "callback".
For example, if you host the widget at "http://localhost/gitkit", it serves as the OAuth2/OpenId2 callback URL for IDPs. That's the reason you see a verifyAssertion call upon the load.
Normally you don't need to go to the widget URL directly. You can render a sign in button on your welcome page by calling google.identitytoolkit.signInButton() and the sign in button handles it, e.g.,
  window.google.identitytoolkit.signInButton(
      '#navbar',
      {
        widgetUrl: '/gitkit',
        signOutUrl: '/signOut',
      }
  );

Or if you require the user to sign in immediately and don't want to show the sign in button, you can call google.identitytoolkit.signIn() and it redirects to the widget immediately, e.g.,
  window.google.identitytoolkit.setConfig({
      widgetUrl: '/gitkit'
  });
  window.google.identitytoolkit.signIn();

In case you do need to redirect to the widget for signing in the user, you can append "mode=select" to the URL.


- Mengcheng

Suharsh

Oct 9, 2014, 3:00:18 PM
to google-iden...@googlegroups.com
Awesome 'mode=select' solved it! Thanks for the quick response!



JLen

Jan 6, 2015, 6:44:40 AM
to google-iden...@googlegroups.com
Did you manage to find a solution above? 
I am having the same problems

I'm following the tutorial to get a simple app with Google Identity Toolkit and PHP

The login button appears, I can select my Google account, I can grant my app permission to access and read my profile etc.

The callback url on my site then says
'INVALID_IDP_RESPONSE' and in Firebug I see

    Failed to load resource: the server responded with a status of 400 (Bad Request)

I have tried rerunning the tutorial without success, any help on how to take this debugging forward would be greatly appreciated!

Best regards
Johan

Login script button code: www.mysite.com/index.php

    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

    <script type="text/javascript" src="//www.gstatic.com/authtoolkit/js/gitkit.js"></script>
    <link type="text/css" rel="stylesheet" href="//www.gstatic.com/authtoolkit/css/gitkit.css" />
    <script type="text/javascript">
      var config = {
        apiKey: 'mykeyremoved',
        signInSuccessUrl: '/',
        idps: ["google"],
        oobActionUrl: '/',
        siteName: 'this site'
      };
      // The HTTP POST body should be escaped by the server to prevent XSS
      window.google.identitytoolkit.start(
        '#gitkitWidgetDiv', // accepts any CSS selector
        config,
        'JAVASCRIPT_ESCAPED_POST_BODY');
    </script>

    </head>
    <body>
    <!-- Placeholder for the sign in page -->
    <div id="gitkitWidgetDiv"></div>
    </body>
    </html>

Return/redirect url at www.mysite.com/gitkit/index.php (which is the one producing the error code)

    <!DOCTYPE html>
    <html>
    <head>
    <?php
      set_include_path(get_include_path() . PATH_SEPARATOR . __DIR__ .'\quickapp\vendor\google\apiclient\src');
      require_once 'quickapp/vendor/autoload.php';
      $gitkitClient=Gitkit_Client::createFromFile('http://www.mysite.com/quickapp/gitkit-server-config.json');
      $gitkitUser = $gitkitClient->getUserInRequest();
    ?>

    <script type="text/javascript" src="//www.gstatic.com/authtoolkit/js/gitkit.js"></script>
    <link type=text/css rel=stylesheet href="//www.gstatic.com/authtoolkit/css/gitkit.css" />
    <script type=text/javascript>
      window.google.identitytoolkit.signInButton(
        '#navbar', // accepts any CSS selector
        {
          widgetUrl: "http://www.mysite.com/gitkit",
          signOutUrl: "/",
        }
      );
    </script>

    </head>
    <body>

    <div id="navbar"></div>
    <p>
      <?php if ($gitkitUser) { ?>
        Welcome back!<br><br>
        Email: <?= $gitkitUser->getEmail() ?><br>
        Id: <?= $gitkitUser->getUserId() ?><br>
        Name: <?= $gitkitUser->getDisplayName() ?><br>
        Identity provider: <?= $gitkitUser->getProviderId() ?><br>
      <?php } else { ?>
        You are not logged in yet.
      <?php } ?>
    </p>
    </body>
    </html>

Jin Liu

Jan 8, 2015, 1:50:55 AM
to google-iden...@googlegroups.com
Can you dump the http request to https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyAssertion and 400 response in firebug? If your site is public, I can try to reproduce the problem.

Also you may want to replace 'JAVASCRIPT_ESCAPED_POST_BODY' in your html page with 'JSON.parse('<?php echo json_encode(file_get_contents("php://input")); ?>')'.
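Mengcheng's explanation above (the callback page must pass the IdP's POST body to the widget, escaped for a JavaScript context) and Jin Liu's PHP one-liner both come down to the same server-side step. This added example, which is not code from the thread or from Identity Toolkit, shows that step in Node.js: the unsafe string concatenation beside a hardened renderer, and the GET-vs-POST decision. Function names are hypothetical and `config` is assumed to be defined on the page as in the posted snippets.

```javascript
// Added example (not code from the thread or from Identity Toolkit):
// rendering the third argument to google.identitytoolkit.start() on the
// widget/callback page. Function names are hypothetical; `config` is
// assumed to be declared earlier in the same page as in the posted snippets.

// JSON.stringify already escapes quotes, backslashes and control
// characters, but leaves '<', '>', '&' and the U+2028/U+2029 line
// separators alone. Inside an inline <script> those can close the script
// early or break the literal, so they are hex-escaped as well.
const EXTRA_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Turn any string (here: the raw body an IdP form-posted to the callback
// URL) into a double-quoted JS string literal that is inert inside <script>.
function jsStringLiteral(raw) {
  return JSON.stringify(raw).replace(/[<>&\u2028\u2029]/g, ch => EXTRA_ESCAPES[ch]);
}

// The pattern the thread warns against: the body is concatenated into the
// script unescaped, so its content is parsed as code or markup.
function renderUnsafe(postBody) {
  return "<script>window.google.identitytoolkit.start('#gitkitWidgetDiv', config, '" +
         postBody + "');</script>";
}

// The hardened version: whatever the body contains, it stays a string value.
function renderSafe(postBody) {
  return "<script>window.google.identitytoolkit.start('#gitkitWidgetDiv', config, " +
         jsStringLiteral(postBody) + ');</script>';
}

// What the callback endpoint should emit. Most IdPs redirect back with GET
// (no body), so the widget gets ''; only a form-POST callback carries a body.
function callbackScript(method, rawBody) {
  return renderSafe(method === 'POST' ? rawBody : '');
}

// Constructed sample inputs: an ordinary form-post body, and one containing a
// closing script tag that the unsafe renderer would hand to the HTML parser.
const ORDINARY_BODY = 'openid.mode=id_res&openid.claimed_id=https%3A%2F%2Fexample.invalid%2Fuser';
const HOSTILE_BODY = "x'</script>";
```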

Johan Lengqvist

Jan 8, 2015, 9:23:18 AM
to google-iden...@googlegroups.com
Big thanks for trying to help me out!

I've tried replacing JAVASCRIPT_REPLACE text but with no luck
You can see one of the attempts here and see if you get the same error and review the source code

source here

and the http request
Remote Address:64.233.164.95:443
Request Method:POST
Status Code:400 Bad Request
Request Headers
:method:POST
:path:/identitytoolkit/v3/relyingparty/verifyAssertion?key=AIzaSyDp2eD7n0fHNWjYatXbRbh-M0Uh11PH5bA
:scheme:https
:version:HTTP/1.1
accept:*/*
accept-encoding:gzip, deflate
accept-language:sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4
cache-control:max-age=0
content-length:1305
content-type:application/json
user-agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
x-chrome-uma-enabled:1
x-client-data:CI22yQEIpbbJAQiptskBCMG2yQEInobKAQjwiMoBCIqSygE=
Query String Parameters
key:AIzaSyDp2eD7n0fHNWjYatXbRbh-M0Uh11PH5bA
Request Payload
postBody: "JAVASCRIPT_ESCAPED_POST_BODY"
requestUri: "http://www.pixial.se/oauth2callback/#state=AH-1Ng14ymXs1upVqnj-RaCkI37WWNdmE9nMMQeLBcwzOzd3-mJfZ0wvZnCFzLna_Wc4Qzlblv2LgNge8jSjKPv6HN88S3PI6te_rOO-Qzudy1ZqDqjx0D4&access_token=ya29.9QCcX6pS4lu8hL0brDQNQcfX69kYzgO45SlgCYmpssyjNYz7LbL13lHBlzA3QisU07xYvMOj6kIGpA&token_type=Bearer&expires_in=3600&code=4/k3shTktC46HnOYO7ILqQoHauzCdh4xrquSCvyk4hu4o.kjpNJXcOdV8VrjMoGjtSfTquANSTlQI&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjA3OTE3ZmNmMjk1YjE4M2YxZTRkM2NiNGM5NjkzNjdjNTFmN2RjODEifQ.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.ixpRK87HtufuIFDMI7RfvvsjhRb2Pqt8KrXPXcdG-UCL3Hv7usIviZROihuFboUra0Q2Enecof87x1DVkHnmrDcvgM__0S8T95rLCR5J35VPtvl1odstC4zqbTKt37TRVGoGc-IPTt39eNHU2QGMDAel4JXxrN5Lhj41TEwKYD0&authuser=0&num_sessions=1&session_state=7decfae44963fb501f91376830dcdafd7d4bd1a6..fb2b&prompt=none"
Response Headers
access-control-allow-credentials:true
access-control-allow-origin:http://www.pixial.se
access-control-expose-headers:Content-Encoding,Content-Length,Content-Type,Date,Server,Vary
alternate-protocol:443:quic,p=0.02
cache-control:private, max-age=0
content-encoding:gzip
content-length:135
content-type:application/json; charset=UTF-8
date:Thu, 08 Jan 2015 14:20:10 GMT
expires:Thu, 08 Jan 2015 14:20:10 GMT
server:GSE
status:400 Bad Request
vary:X-Origin
vary:Origin
version:HTTP/1.1
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-xss-protection:1; mode=block


Thanks in advance!
Johan


Johan Lengqvist

Jan 8, 2015, 9:55:17 AM
to google-iden...@googlegroups.com

Do I need to make the request from a https source?

Derek Salama

Jan 8, 2015, 10:19:30 AM
to google-iden...@googlegroups.com
If you want branding on the AccountChooser.com page (e.g. this site), you'll need to serve up the image from https. 

Otherwise, you should not need https.

Jin Liu

Jan 9, 2015, 12:37:38 AM
to google-iden...@googlegroups.com
Seems you are using Google+ Sign In but Google+ API is not enabled for your project. Can you check that in Google Developers Console "APIs and Auth" -> "APIs"?

Johan Lengqvist

Jan 9, 2015, 2:33:46 AM
to google-iden...@googlegroups.com
It worked, thank you! Awesome!

Summary:
If you get INVALID_IDP_RESPONSE error when implementing Google Identity Toolkit using the googleplus or google scope:
- Ensure that you have Google+ API enabled in Google Developer Console.


