As we are migrating our app from Firebase to Couchbase, we also need to change the authentication part. We are using the google_sign_in package and would like to continue using it to have the native Google Sign In popup. Using the package we can get a serverAuthCode, which from my understanding we can then send to the _oidc_callback endpoint of Couchbase Sync Gateway. First I had to set disable_callback_state to true in the Sync Gateway configuration ("DisableCallbackState determines whether or not to maintain state between the /_oidc and /_oidc_callback endpoints."). However, when I now send the serverAuthCode to the _oidc_callback endpoint, I get the following error with status code 500:
body: {"error": "Internal Server Error", "reason": "Failed to exchange token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\n \"error\": \"invalid_grant\",\n \"error_description\": \"Bad Request\"\n}"}
I assume it is because the login was done using the package and not through the browser with a redirect to the app afterwards. Now I have no idea how to do this correctly though, that I sign in with the google_sign_in package and then use the code to get the tokens from the Sync Gateway. I can't find any helpful information for this problem.
I would be very happy if someone could help me, possibly in a call. Maybe this way something like this can be solved faster.
Related
I'm trying to acquire a 2 legged oauth2 access token for google's storage api through a service account.
The relevant documentation is contained here:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I first tried attempted to acquire the token through their HTTP/REST api. I eventually gave up being unable to get past a 400 response with the following details:
{ "error" : "invalid_grant" }
I then turned to the recommended method: using the java Google api client library (I'm using scala).
val credentialBuilder = new GoogleCredential.Builder()
.setTransport(GoogleNetHttpTransport.newTrustedTransport())
.setJsonFactory(JacksonFactory.getDefaultInstance())
.setServiceAccountId(Configuration.GoogleAPI.ServiceAccount.email)
.setServiceAccountPrivateKeyFromP12File(new File(Configuration.GoogleAPI.ServiceAccount.pkcs12))
.setServiceAccountScopes(Collections.singleton(StorageScopes.DEVSTORAGE_FULL_CONTROL))
def updateToken = {
val credential = credentialBuilder.build()
credential.refreshToken()
// ... do stuff here with token
}
Running the above, I get a TokenResponseException, with a payload identical to the error I was getting directly accessing the REST api. 400 Bad Request, invalid_grant error.
Doing some research (on both stackoverflow and elsewhere), I find that the most common reasons for this error message are:
1) The local clock is not synced with Google's servers. I suspected this even back when I was using the REST api because I've encountered this issue for other services before. I'm fairly sure its not a clock issue however, because I have repeatedly synced my clocks with an external ntp server:
sudo ntpdate -s ntp.ubuntu.com
2) The other common cause for this error is setting the service account client ID incorrectly. Most people set it to their service account client id (ending with "apps.googleusercontent.com") instead of their service account client email. Its pretty clear that this isn't the problem, since I'm correctly pointing to the email (the docs instructed this, so I followed the directions), ending with "#developer.gserviceaccount.com".
I'm stuck. I've checked the user documentation, the javadocs, various forums. The error message isn't very helpful (probably designed that way, since it's a security endpoint).
What other possible causes for this error exist? What can I do to get my service account access token?
If you are using OAuth2.0 to access a google analytics account then there could be one more reason of getting invalid_grant. As per developer docs:
If the application attempts to use an invalidated refresh token, an
invalid_grant error response is returned. The limit for each unique
pair of OAuth 2.0 client and Google Analytics account is 25 refresh
tokens (note that this limit is subject to change). If the application
continues to request refresh tokens for the same Client/Account pair,
once the 26th token is issued, the 1st refresh token that was
previously issued will become invalid. The 27th requested refresh
token would invalidate the 2nd previously issued token and so on.
Given the following ruby code:
consumer = OAuth::Consumer.new(consumer_key, consumer_secret, {
site: "https://www.googleapis.com"
})
resp = consumer.request(:put, "/appsmarket/v2/upgradableApp/#{listingId}/#{cwsId}/#{domain}")
puts resp.code+"\n"
puts resp.body
the UpgradeableApp API keeps giving "Invalid OAuth consumer key" error. The consumer key (in the format XXXXXXXXXXXX.apps.googleusercontent.com) was copied directly from the legacy marketplace listing as described in the docs.
I've:
verified the system time is correct and synchronized via ntp.
tried including xoauth_requestor_id
tried generating the request myself via curl (using this to generate the oauth signature)
tried enabling "Google Apps Marketplace API" under "Register for additional APIs" on the legacy marketplace listing
Is anybody else experiencing this? Thoughts on other things I can try?
UPDATE Sep 10 2014: I got confirmation from Google that this was an issue on their end for which a fix was applied. I've since been able to successfully use the ruby code above to do a migration.
I got confirmation from Google that this was an issue on their end for which a fix was applied. I've since been able to successfully use the ruby code above to do a migration.
While using Google Cloud Message API I occasionally get 401 Unauthorized status. So, sometimes my push notifications are send and sometimes not, without changing anything in the API request.
I use curl request with server key.
I tried to specify IPs list and set it to "Any IP allowed".
I already tried to create new server keys and projects, as some people here tell it helps them in similar situation. Sadly, it not helps me.
I'm seeing a similar problem with other Google Cloud APIs and I suspect it's related to your authentication being expired. Make sure to refresh any tokens you are using.
I got "error": {
"errors": [
{
"domain": "usageLimits",
"reason": "dailyLimitExceededUnreg",
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.",
"extendedHelp": "https://code.google.com/apis/console"
}
],
"code": 403,
"message": "Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."
}
When i try to fetch User Profile in Google+ api by https://www.googleapis.com/plus/v1/people/me URL String.If anyone have any suggestion then please tell me as soon as possible.Thanks in advance for your time.
That message implies that you haven't set up a Google APIs console project.
Create a Google APIs Console project
On the Services pane, enable all of the APIs that your project requires.
On the API Access pane, click Create an OAuth 2.0 client ID. A dialog opens. Fill in your project's information. Click Next
Choose the appropriate application type. Based on the tags you used for this post, I am guessing this is an iOS project so select Installed application.
Enter your bundle ID. You don't need to enter an App Store ID until your app is listed there.
Click Create Client ID.
You will see the client ID and client secret values. You will use these values to enable communication with your project and the Google APIs.
If you aren't already using it, see the Google+ iOS SDK and documentation for a full walk through. The task called "write moments" is similar in implementation and demonstrates how to connect to and use the Google+ REST APIs from within an iOS project that uses the SDK.
You'll need to specify the scope of plus.me to get the profile information.
I got the same error and after much hunting I found that, in my case, the Authorization header with the access token was not set. Set Authorization: "Bearer <YOUR_ACCESS_TOKEN>" in the header of the request of EVERY Google API call.
I just want to add a little information here in the rare case that someone runs into this problem.
I have an organization (ORG). I created a second channel (SC) with some playlists, that referenced videos from ORG.
I made the mistake of assuming that because ORG owned SC, that I could use the same oauth credentials from ORG to access both. I was wrong.
I switched credentials and was confused when I could access the playlists but not the videos. Again, I needed credentials for each one separately to access the resources on the respective channel.
Lame, but that was how it was.
BrettJ's answer will cover most of the bases. However, you will also get this error - even when your credentials are properly authenticated - when the scope is not properly set up. I would check the scope setting in your OAuth dance. Make sure your user is permitted to do the thing your code is trying to help them do.
On top of what BrettJ has mentioned, it is important to send the authorization header for the request done to fetch UserProfile in google+ API.
For example, Add the following header
key: Authorization
value: Bearer ya29.Ci-cA_CywoVdVG#######
For what it's worth, I also got this error when using rclone to sync files and my firewall wasn't configured to allow that traffic.
I'm trying to use the API dropbox.
Once the authentication window is opened, a message is displayed:
This session has expired. Please return to the app to try again.
See full image
I'm using a library to work with OAuth called jsOAuth
Console Error
See full image
I published this application: Here the full code
Notes
I know that is not very safe to use OAuth with Javascript, but this is only for studying the OAuth standard.
See here the complete JS
Any example of using javascript with OAuth will help me a lot
Thank you all for your help!
That error message means the request token used for that authentication session is no longer valid, likely because a timeout has passed. (The request token is only good for a certain amount of time.) You need to start over with a new request token.