20

I am using OAuthlib to conduct Google's OAuth flow. It was working well for 4 to 5 months. Suddenly I started getting the error below:

File "/home/whitesnow-2/Gaurav/Axonator/AxVirtualEnv/local/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", 
line 409, in validate_token_parameters raise w Warning: Scope has changed from 
"https://www.googleapis.com/auth/calendar 
https://www.googleapis.com/auth/docs 
https://www.googleapis.com/auth/spreadsheets 
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/userinfo.email 
https://www.googleapis.com/auth/userinfo.profile" to 
"https://www.googleapis.com/auth/calendar 
https://www.googleapis.com/auth/docs 
https://www.googleapis.com/auth/spreadsheets 
https://www.googleapis.com/auth/drive.file 
https://www.googleapis.com/auth/userinfo.email 
https://www.googleapis.com/auth/userinfo.profile".

Below is the code for generating OAuth authorization URL:

flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
    settings.GOOGLE_OAUTH2_CLIENT_SECRETS_JSON,
    scopes=['https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/docs https://www.googleapis.com/auth/spreadsheets https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile'],
    redirect_uri=REDIRECT_URI
)
authorization_url, state = flow.authorization_url(
    access_type='offline',
    include_granted_scopes='true',
    prompt='consent'
)

Below is the code for Google OAuth callback:

auth_code = request.GET.get("code")
objectid = request.GET.get("state")
error = request.GET.get("error")
if error == "access_denied":
    return "Access Denied"
else:
    flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
        settings.GOOGLE_OAUTH2_CLIENT_SECRETS_JSON,
        scopes=['https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/docs https://www.googleapis.com/auth/spreadsheets https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile'],
        redirect_uri=REDIRECT_URI
    )
    flow.fetch_token(code=auth_code)
Mark Amery
Gaurav Bagul
  • How strange that the "from" and "to" scopes are the exact same. Could this have been the result of a bug at Google's end? – ack_inc Jun 24 '21 at 07:08

7 Answers

22

You can disable this warning by setting the OAUTHLIB_RELAX_TOKEN_SCOPE environment variable; this should work for cases where you do not control the code that's calling the oauth library.

Here's where that's implemented in the oauthlib library.

ThatsJustCheesy
Symmetric
    It works! What would be the security implications of using this flag? – odedfos Aug 14 '18 at 09:24
    The authorized scopes could be different from what was requested. Functionally there could be a problem if _fewer_ scopes are granted than what were requested. Security-wise you don't necessarily want _more_ scopes granted but that's exactly what `include_granted_scopes=True` does in Google's library: https://developers.google.com/identity/protocols/oauth2/web-server#incrementalAuth – Neil C. Obremski Oct 19 '20 at 22:16
  • So what's the proper way if you DO control the code that's calling the oauth library? – Alex Mar 13 '23 at 11:19
  • Using FastAPI, I noticed that catching the `Warning` object and printing it, would only print `Scope has changed from... etc.`, while using `jsonable_encoder` returns the whole credentials object, with old and new scopes. So I ended up catching the `Warning`, returning the json encoded warning as a response. I'm guessing that's how they intended it to work? – lupodellasleppa Jul 26 '23 at 07:49
11

I was able to bypass the problem by setting the scopes to None in the callback function.

flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
    settings.GOOGLE_OAUTH2_CLIENT_SECRETS_JSON,
    scopes=None,
    redirect_uri=REDIRECT_URI
)
flow.fetch_token(code=auth_code)
6

I also had the same issue. I fixed it by removing include_granted_scopes='true' from the flow.authorization_url call.

kiran
    I tried removing `include_granted_scopes='true'` also tried setting it to `false` but it didn't help. I am getting the same error. – Gaurav Bagul Jul 25 '18 at 13:45
6

None of the previous answers worked for me. I solved it by adding this line:

import os

os.environ['OAUTHLIB_RELAX_TOKEN_SCOPE'] = '1'
F Blanchet
3

I don't know if that's the error, but scopes should perhaps be a list of scopes instead of one string. Change this:

flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
    settings.GOOGLE_OAUTH2_CLIENT_SECRETS_JSON,
    scopes=['https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/docs https://www.googleapis.com/auth/spreadsheets https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile'],
    redirect_uri=REDIRECT_URI
)

To this:

flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
    settings.GOOGLE_OAUTH2_CLIENT_SECRETS_JSON,
    scopes=[
        'https://www.googleapis.com/auth/calendar',
        'https://www.googleapis.com/auth/docs',
        'https://www.googleapis.com/auth/spreadsheets',
        'https://www.googleapis.com/auth/drive.file',
        'https://www.googleapis.com/auth/userinfo.email',
        'https://www.googleapis.com/auth/userinfo.profile',
    ],
    redirect_uri=REDIRECT_URI
)
Messa
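An added example, not code from the question, the answers, or the oauthlib / google-auth-oauthlib projects. It reconstructs the set comparison behind the warning and shows the per-token check a practitioner can run instead of relaxing the check globally with OAUTHLIB_RELAX_TOKEN_SCOPE (the accepted answer) or passing scopes=None. It also explains ack_inc's puzzle and why Messa's list form fixes it: scopes=['a b c'] is a one-element list, while the scope field in Google's token response is split on spaces into six elements, so the two sets differ even though both print identically once joined with spaces. scope_to_list, list_to_scope and validate_token_scope are modeled from memory on oauthlib's validate_token_parameters and are assumptions, not the library's code; the scope string is constructed from the question.

```python
import os
import warnings

# Constructed from the scope string in the question: the SAME six scopes,
# once as a list holding one space-separated string (the question's code)
# and once as a proper list of six scopes (Messa's answer).
SCOPE_STRING = (
    "https://www.googleapis.com/auth/calendar "
    "https://www.googleapis.com/auth/docs "
    "https://www.googleapis.com/auth/spreadsheets "
    "https://www.googleapis.com/auth/drive.file "
    "https://www.googleapis.com/auth/userinfo.email "
    "https://www.googleapis.com/auth/userinfo.profile"
)
ONE_STRING_LIST = [SCOPE_STRING]
SPLIT_LIST = SCOPE_STRING.split(" ")


def scope_to_list(scope):
    """Normalisation modeled on oauthlib (assumption, not its code): a
    list/tuple/set is kept element by element, a string is split on spaces.
    So ['a b c'] stays ONE element while 'a b c' becomes three."""
    if isinstance(scope, (tuple, list, set)):
        return [str(s) for s in scope]
    if scope is None:
        return None
    return scope.strip().split(" ")


def list_to_scope(scope):
    """Inverse of scope_to_list: this join is why the warning text shows
    two identical-looking strings for two different sets."""
    return " ".join(scope)


class ScopeChanged(Warning):
    """Carries both normalised sets so a handler can inspect them."""

    def __init__(self, old_scope, new_scope):
        super().__init__('Scope has changed from "%s" to "%s".'
                         % (list_to_scope(old_scope), list_to_scope(new_scope)))
        self.old_scope = old_scope
        self.new_scope = new_scope


def validate_token_scope(requested, token_scope):
    """Reconstruction of the check in oauthlib's validate_token_parameters
    (an assumption about its logic): compare requested and granted scope as
    SETS; raise unless OAUTHLIB_RELAX_TOKEN_SCOPE is set, then only warn."""
    old = set(scope_to_list(requested))
    new = set(scope_to_list(token_scope))
    if new != old:
        w = ScopeChanged(old, new)
        if os.environ.get("OAUTHLIB_RELAX_TOKEN_SCOPE", False):
            warnings.warn(w)
        else:
            raise w
    return new


def validate_relaxed(requested, token_scope):
    """What the environment variable does: same comparison, but the mismatch
    is only warned about and the token's scope is accepted as-is.
    Returns (granted set, list of warning messages)."""
    os.environ["OAUTHLIB_RELAX_TOKEN_SCOPE"] = "1"
    try:
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            granted = validate_token_scope(requested, token_scope)
    finally:
        os.environ.pop("OAUTHLIB_RELAX_TOKEN_SCOPE", None)
    return granted, [str(w.message) for w in caught]


def check_granted(required, granted):
    """Per-token check to use instead of relaxing globally.
    Returns (missing, extra): missing scopes break features; extra scopes
    (e.g. accumulated via include_granted_scopes) widen what the stored
    token can do, so both are worth logging."""
    required = set(scope_to_list(required))
    granted = set(scope_to_list(granted))
    return required - granted, granted - required


def fetch_with_scope_check(requested, token_scope, required):
    """Catch the change locally (the `except Warning` pattern from the
    comments), then enforce that every required scope was granted."""
    try:
        granted = validate_token_scope(requested, token_scope)
    except ScopeChanged as w:
        granted = w.new_scope
    missing, extra = check_granted(required, granted)
    if missing:
        raise PermissionError("token lacks required scopes: %s" % sorted(missing))
    return granted, extra
```

With the question's one-string list, validate_token_scope raises: the "from" set has one element and the "to" set has six, and list_to_scope renders both as the same text. With SPLIT_LIST it passes silently. fetch_with_scope_check keeps the strictness that the relax flag throws away: a token that is missing a required scope is rejected, and any surplus scope is returned so the callback can decide whether to keep a broader token than it asked for.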
2

I added the scope https://www.googleapis.com/auth/plus.me to where I create my Flow objects:

Flow.from_client_config(
    secrets_json_string,
    scopes=[
        (…),
        'https://www.googleapis.com/auth/plus.me',
    ],
    redirect_uri=redirect_url
)
zepp133
  • Unfortunately, I am getting the same error even after including `https://www.googleapis.com/auth/plus.me` in the flow scopes. – Gaurav Bagul Jul 26 '18 at 07:05
0

Because you set include_granted_scopes='true', scopes will be appended when you run it again.

Let's set include_granted_scopes='false'.

Tai Lu