Google oauth2 and 400 bad request: Bug on Google side? - google-oauth

We have Google OAuth2 working fine on our website. However, Chrome users often complain about 400 Bad Request, and we were now able to reproduce it. Based on the investigation, it indeed looks like a bug on Google's side:
It only happens with users who were authenticated earlier and are logged in with multiple accounts on Gmail.
It doesn't happen when the same user uses an incognito window.
This problem is universal and not only with our website. At this moment, I am not able to log in using Google OAuth2 on any website, including StackOverflow. The StackOverflow site also gives the same 400 Bad Request error and I have to use incognito.
No additional information is present along with the 400 Bad Request error.
To further confirm, I just loaded https://accounts.google.com/o/oauth2/auth without any parameters and it also gave 400 Bad Request. However, if I load it in incognito, it gives Error: invalid_request. So there is indeed different behavior.
So we suspected that the problem might be with the cookies sent along with the request, since an incognito window has no cookies. So we cleared all the cookies for the domain accounts.google.com and the problem was magically solved. This confirms that Google's side of the code is not able to handle their own cookies.
We really need to solve this. Please help. Do let me know if you need any information.

This might happen only for clients that have multiple Google accounts logged in, as described here: Google OAuth2 returns Bad Request when logged with multiple accounts.
It is not clear to me whether it is a Google bug or a misuse of the API. Anyway, StackOverflow is affected as well.

Related

Google auth endpoint redirects to a 400 Error page

Recently, my app's Google sign-in stopped working, throwing a 400 error. We were earlier using the old OAuth endpoints and I updated to the new v2 endpoints for auth/token, but it doesn't seem to help either.
Upon sending the auth request (using the WS URL in Scala) with the required parameters, the AHC response gives back the following URL to redirect to:
https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Faccounts.google.com%2Fsignin%2Foauth%2Flegacy%2Fconsent%3Fauthuser%3Dunknown%26XXXXXXXXXXXXXXXXX.......
Instead of taking me to the login prompt screen, the above URL redirects to this 400 error page:
https://accounts.google.com/signin/oauth/legacy/consent?authuser=0&part=XXXXXXXXXXXXXXXXXX......
Any insights on this are much appreciated!
Thanks,
Baskaran
I'm not sure if it will help you, but I've had something like that in this bug issue discussion, which led me to this same https://accounts.google.com/signin/oauth/legacy/consent URL.
TL;DR: A MITM is using/destroying your request.
The application tried to open a link to Google Auth; the desktop captured the link and either mangled the data or did a preflight on that one-time URL, which expired it, and then it opened the browser.
See if something between you and the web is "proxying" your requests the wrong way.

Google OAuth2 returns Bad Request when logged with multiple accounts

When I'm logged in to Google with multiple accounts and I'm trying to authorize myself at https://stackoverflow.com/users/login (or any other site using OAuth2), I get a Bad Request - Error 400. This doesn't happen when I'm in incognito mode.
A sample request is the following:
https://accounts.google.com/o/oauth2/auth?client_id=717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com&scope=profile+email&redirect_uri=https%3a%2f%2fstackauth.com%2fauth%2foauth2%2fgoogle&state=%7b%22sid%22%3a1%2c%22st%22%3a%221435c1882569148a8513b8e5ba7f747ac7821aaf558cbb1a28dd11c5c3cb358b%22%2c%22ses%22%3a%22354093ee65ee44e8a24582c78bdb7127%22%7d&response_type=code
There are other similar questions like Google oauth2 and 400 bad request: Bug on Google side?, but they are old and marked as fixed bugs.
How could I fix this?
Should I add some other parameters to trigger the account selection?
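The sample request above is an ordinary OAuth2 authorization request. The following Python, added here and not part of the question or of any answer, parses that request, checks the parameters a relying party should send (including a per-login state value, which the sample carries as a JSON blob), and builds a fresh request the same way with an unguessable state that is verified on the callback. The endpoint and parameter names are the ones on the page; the optional prompt=select_account parameter is Google's documented way to force the account chooser, and the thread does not say whether it avoids the 400, so it is only an option here. Function names and the constructed example client are my own.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
REQUIRED = ("client_id", "redirect_uri", "response_type", "scope")

# The sample request quoted in the question, split only for line length.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=717762328687-p17pldm5fteklla3nplbss3ai9slta0a"
    ".apps.googleusercontent.com&scope=profile+email"
    "&redirect_uri=https%3a%2f%2fstackauth.com%2fauth%2foauth2%2fgoogle"
    "&state=%7b%22sid%22%3a1%2c%22st%22%3a%221435c1882569148a8513b8e5ba7f747ac7821aaf558cbb1a28dd11c5c3cb358b%22"
    "%2c%22ses%22%3a%22354093ee65ee44e8a24582c78bdb7127%22%7d&response_type=code"
)


def new_state() -> str:
    """Unguessable per-login value: store it in the user's session, compare on callback."""
    return secrets.token_urlsafe(32)


def build_auth_url(client_id, redirect_uri, scopes, state, select_account=False):
    """Build the authorization request; urlencode handles the escaping of every value."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    if select_account:
        # Documented Google parameter that forces the account chooser (assumption:
        # the thread does not confirm it changes the 400 behaviour).
        params["prompt"] = "select_account"
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_auth_url(url):
    """Decode the query string into a flat dict (first value per key)."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def check_auth_request(params):
    """Return a list of problems a relying party can fix on its own side."""
    problems = [f"missing {name}" for name in REQUIRED if not params.get(name)]
    if params.get("response_type") not in (None, "code", "token"):
        problems.append("unexpected response_type")
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri and not redirect_uri.startswith("https://"):
        problems.append("redirect_uri is not https")
    if not params.get("state"):
        problems.append("missing state (CSRF protection)")
    return problems


def verify_callback_state(expected, received):
    """Constant-time comparison of the stored state with the one returned on the callback."""
    return bool(expected) and bool(received) and hmac.compare_digest(expected, received)


SAMPLE_PARAMS = parse_auth_url(SAMPLE_URL)

if __name__ == "__main__":
    print("problems in sample request:", check_auth_request(SAMPLE_PARAMS) or "none")
    print("sample state decodes to:", json.loads(SAMPLE_PARAMS["state"]))
    state = new_state()
    url = build_auth_url("CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com",
                         "https://example.com/oauth2/callback", ["profile", "email"], state,
                         select_account=True)
    print("fresh request:", url)
    print("callback state check:", verify_callback_state(state, parse_auth_url(url)["state"]))
```

The check deliberately covers only what the relying party controls: a request that passes it and still gets a 400 from accounts.google.com, while the same request succeeds in an incognito window, points at the cookie-side behaviour the thread describes rather than at the request itself.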

Occasionally 401 Unauthorized Google Cloud Message

While using the Google Cloud Message API I occasionally get a 401 Unauthorized status. So, sometimes my push notifications are sent and sometimes not, without changing anything in the API request.
I use a curl request with a server key.
I tried to specify an IP list and to set it to "Any IP allowed".
I already tried to create new server keys and projects, as some people here say it helped them in a similar situation. Sadly, it does not help me.
I'm seeing a similar problem with other Google Cloud APIs and I suspect it's related to your authentication being expired. Make sure to refresh any tokens you are using.
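The answer's advice (refresh any tokens you are using) in runnable form, as an added example that is not from the question or the answer: a small cache that refreshes a bearer token shortly before its reported expiry, plus a sender that retries exactly once after a 401 rather than looping. The refresh function, the clock and the transport are injected, so the example runs offline with constructed stand-ins; in a real client, refresh would call the OAuth2 token endpoint and send would perform the HTTPS request. The question's curl call uses a static server key rather than an OAuth2 token, so this pattern applies to the token-based APIs the answer refers to.

```python
import time


class TokenSource:
    """Caches a bearer token and refreshes it before it expires.

    refresh: callable returning (token, expires_in_seconds); in production it
             would call the OAuth2 token endpoint (assumption, not page code).
    clock:   injectable time source so the behaviour can be tested offline.
    skew:    refresh this many seconds early so a request never leaves with a
             token that expires in flight.
    """

    def __init__(self, refresh, clock=time.time, skew=60):
        self._refresh = refresh
        self._clock = clock
        self._skew = skew
        self._token = None
        self._expires_at = 0.0
        self.refresh_count = 0

    def token(self, force=False):
        expiring = self._clock() >= self._expires_at - self._skew
        if force or self._token is None or expiring:
            self._token, expires_in = self._refresh()
            self._expires_at = self._clock() + expires_in
            self.refresh_count += 1
        return self._token


def send_with_retry(source, send):
    """send(token) -> HTTP status. On 401, force one refresh and retry once only."""
    status = send(source.token())
    if status == 401:
        status = send(source.token(force=True))
    return status


if __name__ == "__main__":
    # Constructed stand-ins: tokens are numbered, and the fake server only accepts tok2.
    counter = {"n": 0}

    def fake_refresh():
        counter["n"] += 1
        return ("tok%d" % counter["n"], 3600)

    def fake_send(token):
        return 200 if token == "tok2" else 401

    source = TokenSource(fake_refresh)
    print("status:", send_with_retry(source, fake_send), "refreshes:", source.refresh_count)
```

A single retry is the important design choice: if the refreshed token is still rejected, the cause is not expiry (wrong key, wrong project, revoked credential), and retrying further only hides that.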

Google OAuth won't accept its own client_id

I have an app that already successfully uses Google OAuth, but now I am trying to set up a staging deployment. It is a Rails app with Devise and OmniAuth, but I think there might be a problem with how I configured Google.
In the Google API admin panel (https://code.google.com/apis/console) I can see the existing app. I created another one with a different callback URL (because it is staging). Using Postman (a fancy way to edit the URL parameters) I can send a GET request to Google with the current production client_id and redirect_url and it works fine. When I copy and paste in the new client's (staging's) client_id and redirect_url I always get the error Error: invalid_client.
I'm not sure where to start with trying to figure out the problem, but I've tried a lot of different steps: renaming the URLs, changing the client secret, or recreating the client in the admin panel. Any ideas? This error is rather cryptic.
We had a temporary issue with a small set of client ids. The issue should be resolved. If you are still having problems please follow up.

How to get Google TokenAuth working?

I'm developing a YouTube upload application and have some trouble with a specific part of authentication. ClientLogin so far works and uploads are received by YouTube. However, I have to redirect my users, logged in, to the YouTube front page. I've noticed that there's a possibility to log in to Gmail via a URL: accounts.google.com/TokenAuth?auth=....
This should be possible in exactly the same way for YouTube. A login at "gmail" will include the cookies I'd need for the YouTube login.
However, I'm not getting it to work. Which auth token do I have to use? I tried many, including the one provided in the ClientLogin response. I queried the www.google.com/accounts/IssueAuthToken URL (which gives me a token back, but I cannot log in with it).
For example what I've tried:
https://accounts.google.com/TokenAuth?auth=token-received-by-issueAuthToken&service=youtube&continue=http://youtube.com&source=googletalk
And:
https://accounts.google.com/TokenAuth?auth=token-received-by-issueAuthToken&service=mail&continue=http://mail.google.com/mail&source=googletalk
None of these seem to work. The ClientLogin authentication was done with "service=youtube" - is that the mistake?
I'd appreciate any information that can clarify my problem.
Regards,
Dennis Fischer
So - well - I got this working finally. It took me some time because there is no real documentation.
I'll explain how the requests work; you'll need to do 3 requests:
1st: Do a default ClientLogin at google.com/accounts/ClientLogin
Provide Email=emailaddress&Passwd=Password&service=gaia as data, as well as any other parameters you want to add to ClientLogin.
You'll receive 3 tokens, SID, LSID and Auth - you'll need SID and LSID only!
2nd: Do a request to google.com/accounts/IssueAuthToken
Add the parameters SID="Extracted SID"&LSID="Extracted LSID"&service=gaia to the URL.
You'll receive an AuthToken which should start with these characters: "APh-...."
If this is not the case, this request failed due to wrong parameters (most likely a missing "service=gaia").
This token will be needed in your 3rd request.
3rd: Do a request to google.com/accounts/TokenAuth?auth="token received in step 2"&service="service where you want to authenticate, e.g. mail"&source="for example googletalk"&continue="the url where you're redirected to, this is http://mail.google.com/mail for service mail"
This 3rd request is most likely done in a browser.
Congratulations, you logged a user in to his Google account with 2-Step Auth. You don't need the "real password"; an application-specific password is enough to generate these tokens.
Regards,
Dennis Fischer
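The three requests from the answer assembled in Python, as an added example that is not Dennis's code: it builds the ClientLogin body with service=gaia, parses the key=value reply, builds the IssueAuthToken query, checks for the "APh-" prefix the answer mentions, and percent-encodes the TokenAuth parameters (an unencoded continue= URL is an easy way to produce a malformed request). Google shut the ClientLogin endpoints down years ago, so nothing here performs a network call: the reply body is a constructed stand-in with made-up token values, and the Error=... line is the shape a failed ClientLogin reply had. Function names are my own.

```python
from urllib.parse import urlencode

CLIENT_LOGIN = "https://www.google.com/accounts/ClientLogin"
ISSUE_AUTH_TOKEN = "https://www.google.com/accounts/IssueAuthToken"
TOKEN_AUTH = "https://accounts.google.com/TokenAuth"

# Constructed stand-in for a successful ClientLogin reply (key=value, one per line).
# The values are made up; a real reply carried long opaque tokens.
SAMPLE_CLIENTLOGIN_REPLY = "SID=FAKE_SID_123\nLSID=FAKE_LSID_456\nAuth=FAKE_AUTH_789\n"


def clientlogin_body(email, password, source="example-app"):
    """Step 1: POST body for ClientLogin. service=gaia is what step 2 needs later."""
    return urlencode({"Email": email, "Passwd": password, "service": "gaia", "source": source})


def parse_clientlogin_reply(body):
    """Turn the key=value reply into a dict; fail loudly on Error= or missing tokens."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "Error" in fields:
        raise ValueError("ClientLogin failed: " + fields["Error"])
    missing = [name for name in ("SID", "LSID") if name not in fields]
    if missing:
        raise ValueError("ClientLogin reply lacks " + ", ".join(missing))
    return fields


def issue_auth_token_url(sid, lsid):
    """Step 2: SID and LSID go to IssueAuthToken, again with service=gaia."""
    return ISSUE_AUTH_TOKEN + "?" + urlencode({"SID": sid, "LSID": lsid, "service": "gaia"})


def looks_like_auth_token(token):
    """The answer's sanity check: a usable IssueAuthToken reply starts with APh-."""
    return token.startswith("APh-")


def token_auth_url(auth_token, service, continue_url, source):
    """Step 3: the browser URL; continue= must be percent-encoded, which urlencode does."""
    if not looks_like_auth_token(auth_token):
        raise ValueError("not an IssueAuthToken token (no 'APh-' prefix); "
                         "step 2 most likely lacked service=gaia")
    return TOKEN_AUTH + "?" + urlencode(
        {"auth": auth_token, "service": service, "continue": continue_url, "source": source})


if __name__ == "__main__":
    print("step 1 body:", clientlogin_body("user@example.com", "app-specific-password"))
    fields = parse_clientlogin_reply(SAMPLE_CLIENTLOGIN_REPLY)
    print("step 2 URL:", issue_auth_token_url(fields["SID"], fields["LSID"]))
    # The ClientLogin Auth token is NOT what step 3 wants; only an APh- token is.
    print("ClientLogin Auth usable for step 3?", looks_like_auth_token(fields["Auth"]))
    print("step 3 URL:", token_auth_url("APh-FAKE_TOKEN", "mail",
                                        "http://mail.google.com/mail", "googletalk"))
```

The prefix check is where the question's attempts went wrong: the Auth value from ClientLogin and a token issued without service=gaia both fail it, which is the "cannot log in with it" symptom described above.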