
Cheers everybody, we have been deeply reading the Google documentation on exchanging an access_token from Google in order for our (Delphi) desktop application to SSO with Google from the server side. Here is what the payload we send first looks like:

https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test@Speelkriebel.be

Normally after this it redirects me to log in to our test user, and after this, according to the documentation, we send a POST request to the token endpoint in order to get the access_token and refresh_token: https://oauth2.googleapis.com/token with the following parameters. The 'code' is generated, and we also send it as follows:

client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
grant_type=authorization_code
client_secret=******
code=4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
redirect_uri=urn:ietf:wg:oauth:2.0:oob

The response is always

{
  "error_description": "Missing code verifier.", 
  "error": "invalid_grant"
}

We have tried sending the client secret ID as well. Does it have to do with our code_challenge? Are the endpoint URL and the initial URL okay? What are we missing? We are using CEF4Delphi as a "browser-like" experience in order for the user to type in their Google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline We were also trying the playground: https://developers.google.com/oauthplayground/ We were sending the initial URL in Chrome, which generated a "code", and in the playground we inserted the code and still got the same error of missing code verifier.

Thanks Guys

2 Answers

1

You seem to have URL-encoded a lot of the values; try not doing that. Also try using the basic call before you start adding everything else. It should help you figure out which one of those extra parameters you are sending is causing your issues.

https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code

Also make sure that the client ID is from an installed / other type client.

This may also help: Google 3 Legged OAuth2 Flow

Linda Lawton - DaImTo
  • Thanks DaImTo, good advice about sending few parameters first. I changed the scope to https://www.googleapis.com/auth/analytics.readonly and now I get a token back! But which scope should I be using? Hmm. We created an OAuth Desktop client ID from the G Suite admin account. Thx! – Tonathiu Redrovan Mar 18 '21 at 10:36
  • That depends upon which API it is you are trying to access. Check the documentation for the method you are trying to access; it will tell you which scope is required in order to access that method: https://developers.google.com/identity/protocols/oauth2/scopes – Linda Lawton - DaImTo Mar 18 '21 at 10:40
  • If you're after the Admin Directory API, have a look at this: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/list Scroll down to the Authorization Scopes; it tells you exactly which scope you need to authorize with. – Linda Lawton - DaImTo Mar 18 '21 at 10:41
  • I'll check it out... the scope I used does not return an id_token, only an access_token and refresh token. We need to have the id_token sent back. Thx – Tonathiu Redrovan Mar 18 '21 at 10:58
  • Is the client_secret always required? In which instance can I bypass this parameter? – Tonathiu Redrovan Mar 18 '21 at 13:44
  • ID token is only for authentication, not authorization. ID token is part of OpenID Connect, so unless you request the profile scope I don't think you're going to get an ID token back, only an access token with the authorization. – Linda Lawton - DaImTo Mar 18 '21 at 13:45
  • Yes, client secret is required in most of the calls; think of it as a password associated with your client ID. – Linda Lawton - DaImTo Mar 18 '21 at 13:46
0

For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].

There is additional documentation about generating a code challenge and verifier here [2].

[1] https://www.rfc-editor.org/rfc/rfc7636

[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier

user2705223
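To illustrate the second answer: the "Missing code verifier." error arises because the authorization request carried a code_challenge (a GUID, in the question) while the token request never supplied the matching code_verifier. The added Python below (example code, not from the question or either answerer, and not the Delphi app itself) shows the RFC 7636 S256 pairing: the client keeps code_verifier secret, sends only its hash as code_challenge, and then presents the verifier in the token request, where the token endpoint recomputes the hash. The client id, secret, state and code values are placeholders.

```python
import base64
import hashlib
import os
import re
from urllib.parse import urlencode

# RFC 7636 section 4.1: the verifier is 43..128 chars from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# base64url(SHA-256 digest) without padding is always exactly 43 chars.
S256_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")

def b64url_nopad(raw: bytes) -> str:
    # base64url with the '=' padding stripped, as RFC 7636 appendix A requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43-char verifier; it stays on the client until the token request
    return b64url_nopad(os.urandom(32))

def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier violates RFC 7636 section 4.1")
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())

def looks_like_s256_challenge(challenge: str) -> bool:
    # pre-flight check on the client; a GUID like the one in the question fails this
    return bool(S256_CHALLENGE_RE.match(challenge))

def verify_pkce(challenge: str, verifier: str) -> bool:
    # what the token endpoint does once 'code_verifier' arrives alongside the code
    try:
        return make_code_challenge(verifier) == challenge
    except ValueError:
        return False

def build_auth_params(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    # authorization request; urlencode() escapes each value exactly once
    return urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                      "response_type": "code", "scope": "openid profile", "state": state,
                      "code_challenge": challenge, "code_challenge_method": "S256"})

def build_token_params(client_id: str, client_secret: str, code: str,
                       redirect_uri: str, verifier: str) -> dict:
    # token request form body; 'code_verifier' is the field missing from the question
    return {"client_id": client_id, "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "grant_type": "authorization_code",
            "code_verifier": verifier}
```

Checking make_code_challenge against the RFC 7636 appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk gives challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) confirms the encoding before any call to Google is made.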