GoogleWebComponents/google-signin

Obtaining code via gapi.auth2.authorize doesn't return a valid code

Opened this issue · 0 comments

I'm able to reproduce the issue like this:

  1. I have an anchor on my HTML page which leads to Google's auth server. Google will respond with a redirect URL, and this URL will contain the code.
  2. I input this code into the curl command below:

curl -v -H "Origin: https://localhost:8080" -H "Content-Type: application/x-www-form-urlencoded" \
  -X POST --data-urlencode "client_id=myclientid" \
  --data-urlencode "client_secret=mysecret" \
  --data-urlencode "redirect_uri=http://localhost:8080/google/auth" \
  --data-urlencode "grant_type=authorization_code" \
  --data-urlencode "code=4/0AY0e-g6bddl0EjaWbmov2ExohWV2NTPAbUQ--wHPvZUiW_4bx26vu-bx1NGEngz29RKboQ" \
  https://oauth2.googleapis.com/token

  3. Running this command will return an access_token

OK, this works. So now I want to do the exact same thing with JavaScript.

This is the code:

// Called once the Google platform library (gapi) has loaded.
function onGLoad() {
  gapi.load('auth2', function() {
    // Ask for an authorization code (not a token) with no interactive prompt.
    gapi.auth2.authorize({
      client_id: 'myclientid',
      scope: 'profile email',
      response_type: 'code',
      prompt: 'none'
    }, function(response) {
      if (response.error) {
        console.log('Google responded with an error: ' + response.error);
      } else if (response.code) {
        // This is the code that is later exchanged at the token endpoint.
        console.log(response.code);
      }
    });
  });
}

I take response.code and input it into the same curl command as above. I'll get an error like this:

{
  "error": "redirect_uri_mismatch",
  "error_description": "Bad Request"
}

To be sure, the redirect_uri is correct. Is this a bug in Google's AS?

The code which I get via the HTML anchor looks like this:

4/0AY0e-g5ic3wkiIf3I1AQ0t2oIP0w8u4WtRMm-G-gRE83hSKtLwyBfd18sZ-NkdJQXjHmyg

and the code I get via Javascript looks like this:

4/0AY0e-g6bddl0EjaWbmov2ExohWV2NTPAbUQ--wHPvZUiW_4bx26vu-bx1NGEngz29RKboQ

(i.e. no visible difference)

I was checking the network traffic to see what Google's JS is doing and the only difference from the HTML anchor seems to be sending the undocumented ss_domain parameter. However, adding that to my curl command does nothing, so the issue probably lies elsewhere.
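The token exchange the curl command above performs, written as a server-side Node.js helper. This is an added example, not code from the issue author or from the google-signin project; it assumes Node 18 or newer (for the global fetch) and the function names are mine. The client_secret belongs only here, on the server, never in browser JavaScript next to gapi.auth2. The redirect_uri sent to the token endpoint has to be the one the code was bound to when it was issued, which for a code from the gapi.auth2 popup flow is not the page's own /google/auth endpoint; Google's server-side-flow documentation uses the literal value postmessage for codes obtained through the JavaScript client, so confirm that against the current docs rather than the registered redirect URI.

```javascript
// Added example (not from the issue or the google-signin project): the same
// authorization-code exchange as the curl command, as a server-side helper.
// Assumes Node.js 18+ for the global fetch; the function names are mine.

const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';

// Builds the application/x-www-form-urlencoded body the token endpoint expects.
// redirect_uri must be the value the code was issued against: the endpoint
// answers redirect_uri_mismatch otherwise, even though the code string itself
// looks the same as one issued for a different redirect_uri.
function buildTokenRequestBody({ clientId, clientSecret, code, redirectUri }) {
  const required = { clientId, clientSecret, code, redirectUri };
  for (const [name, value] of Object.entries(required)) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`${name} is required`);
    }
  }
  // URLSearchParams percent-encodes '/' and ':' like --data-urlencode does.
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
    grant_type: 'authorization_code',
    code,
  }).toString();
}

// Normalises the endpoint's JSON reply: HTTP 200 with access_token on success,
// a 4xx with {error, error_description} on failure, anything else is treated
// as an invalid response rather than trusted.
function parseTokenResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { ok: false, error: 'invalid_response', description: `HTTP ${status}, non-JSON body` };
  }
  if (status === 200 && typeof body.access_token === 'string') {
    return {
      ok: true,
      accessToken: body.access_token,
      // refresh_token is only present when offline access was granted.
      refreshToken: typeof body.refresh_token === 'string' ? body.refresh_token : null,
      expiresIn: body.expires_in,
    };
  }
  return {
    ok: false,
    error: typeof body.error === 'string' ? body.error : `http_${status}`,
    description: typeof body.error_description === 'string' ? body.error_description : '',
  };
}

// Performs the exchange. No Origin header is sent: that header only matters for
// browser CORS requests, and this code runs on the server.
async function exchangeAuthorizationCode(creds, fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenRequestBody(creds),
  });
  return parseTokenResponse(res.status, await res.text());
}

// Constructed sample: the exact error body quoted in the issue, parsed offline.
const SAMPLE_ERROR_BODY = '{"error":"redirect_uri_mismatch","error_description":"Bad Request"}';
```

Usage: call exchangeAuthorizationCode({ clientId, clientSecret, code, redirectUri }) from the server-side handler that receives the code from the browser; the fetchImpl parameter exists so the exchange can be exercised against a stub without contacting Google.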