Question

I have to migrate from Google OAuth 1.0 to OAuth 2.0. I have just written a small request in Chrome Rest Client:

POST: https://accounts.google.com/o/oauth2/token

Headers: Authorization: OAuth realm="", oauth_signature="PU3W5uRL0eAyEi", oauth_nonce="1396865138306881000", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="XXXXX.apps.googleusercontent.com", oauth_token="YYYYY", oauth_timestamp="1396865138", Content-Type: application/x-www-form-urlencoded

Payload: grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id=ZZZZZ.apps.googleusercontent.com&client_secret=SSSSS

For that I receive an error message: Status: 400 Bad Request

"{ error: "invalid_request" error_description: "Invalid authorization header." }"

The problem could be that I try to migrate from one Project in Google Developers Console to another. Could that really be a problem?

The reason that I moved to another project is that I cannot create an OAuth 2.0 Client ID in the original Project. I receive the following error message:

"You can not create OAuth 2.0 client ID because this project already contains an Oauth 1.0 client ID."

Please suggest.

Thank you, E

Solution

As pointed out in a similar post, when constructing the base string to sign your migration requests, please make sure that the string uses a POST method and that it contains all relevant migration parameters as per the migration documentation.

As per OAuth1 spec, a valid base string for a migration request should look like:

POST&https://accounts.google.com/o/oauth2/token&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&oauth_consumer_key=YOUR_CONSUMER_KEY&oauth_nonce=NONCE&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396414006&oauth_token=THE_TOKEN_TO_MIGRATE

Note that, for readability purposes, the above is the decoded version of the base string (check out the OAuth1 spec for more examples).

Hope that helps, Miguel.

OTHER TIPS

When generating the base string you will need to ensure that each individual parameter is URL encoded before constructing the base string.

As per the OAuth documentation, to sign OAuth 1.0 requests the base string is made up of 3 components:

  • The HTTP request method
  • The base URL the request is being sent to
  • A normalized string of the parameters in the request

When constructing the base string you need to do the following:

  • Ensure HTTP request method is POST
  • URL encode the base URL
  • Ensure the three POST body parameters [client_id, client_secret, grant_type] are included in the normalized request parameters
  • Ensure each parameter is individually URL encoded and then URL encode the complete normalized request parameters string. So in effect, some of the parameters are double URL encoded. This double URL encoding is mentioned in Using OAuth with the Google Data APIs#Signing Requests for the oauth_token.

Only after doing all these steps did I get the migration request to work and I received a valid refresh_token.

Below is a sample base string:

POST&https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Ftoken&client_id%3Dxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com%26client_secret%3Dxxxxxxxxxxxx%26grant_type%3Durn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Amigration%253Aoauth1%26oauth_consumer_key%3Dxxxxxxxxx%26oauth_nonce%3D4106001%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1400779530%26oauth_token%3D1%252FkklP1YPy_AULt7j_tttttt_tterwerkj_dfj45dflk
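
The steps listed above, as an added Python example (not code from the original posts): it builds the double-encoded base string for the migration request, signs it with HMAC-SHA1, and assembles the Authorization header. All credential values are constructed placeholders, and the consumer secret and token secret used as the signing key are assumptions, since the posts do not show them.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
MIGRATION_GRANT = "urn:ietf:params:oauth:grant-type:migration:oauth1"


def enc(value):
    # OAuth 1.0 percent-encoding: only letters, digits, "-", ".", "_", "~" stay literal.
    return quote(str(value), safe="")


def base_string(method, url, params):
    # First pass: encode every key and value, sort, join as k=v&k=v.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Second pass: encode the URL and the whole normalized string.
    return "&".join([method.upper(), enc(url), enc(normalized)])


def sign(base, consumer_secret, token_secret):
    # HMAC-SHA1 key is the encoded consumer secret and token secret joined by "&".
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def migration_request(body, oauth, consumer_secret, token_secret):
    # The signature must cover the POST body parameters as well as the oauth_* ones.
    base = base_string("POST", TOKEN_URL, {**body, **oauth})
    signed = {**oauth, "oauth_signature": sign(base, consumer_secret, token_secret)}
    header = "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(signed.items()))
    return base, header


# Constructed sample values, not real credentials.
BODY = {"grant_type": MIGRATION_GRANT, "client_id": "example.apps.googleusercontent.com",
        "client_secret": "constructed-secret"}
OAUTH = {"oauth_consumer_key": "example.com", "oauth_nonce": "4106001",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1400779530",
         "oauth_token": "1/constructed_token"}

if __name__ == "__main__":
    base, header = migration_request(BODY, OAUTH, "consumer-secret", "token-secret")
    print(base)
    print("Authorization:", header)
```

A base string built from the oauth_* parameters alone yields a different signature, so the server's recomputed signature will not match.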
Licensed under: CC-BY-SA with attribution