Unable to get past environment creation with newEnv - "Failure refreshing token from accounts.google.com/o/oauth2/v2/auth"

Question

Unable to get past environment creation with newEnv - "Failure refreshing token from accounts.google.com/o/oauth2/v2/auth"

Closed this issue 7 years ago · 12 comments

This happens when I run the provided example: https://github.com/brendanhay/gogol/tree/develop/examples/src/Example

I have credentials setup by gcloud in my ~/.config/gcloud/application_default_credentials.json as per default.

getting this runtime error (when executing the newEnv line):
TokenRefreshError (Status {statusCode = 400, statusMessage = "Bad Request"}) "Failure refreshing token from accounts.google.com/o/oauth2/v2/auth" Nothing

Observation: logger does not log anything, even though I used Debug/Trace mods and looking at the code (https://github.com/brendanhay/gogol/blob/develop/gogol/src/Network/Google/Internal/Auth.hs#L288-L289) it should be logging things.

I've tried printing the offending request and response and here is what i found:

Request {
  host                 = "accounts.google.com"
  port                 = 443
  secure               = True
  requestHeaders       = [("Content-Type","application/x-www-form-urlencoded")]
  path                 = "/o/oauth2/v2/auth"
  queryString          = ""
  method               = "POST"
  proxy                = Nothing
  rawBody              = False
  redirectCount        = 10
  responseTimeout      = ResponseTimeoutDefault
  requestVersion       = HTTP/1.1
}

Response:

<!DOCTYPE html><html lang=en><meta charset=utf-8><meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\"><title>Error 400 (OAuth2 Error)!!1</title><style>*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}</style><div id=\"af-error-container\"><a href=//www.google.com/><span id=logo aria-label=Google></span></a><p><b>400.</b> <ins>That\226\128\153s an error.</ins><p><script src='https://ssl.gstatic.com/accounts/o/3918119028-common_lib.js'></script><style>\n    #request_info_header {\n      cursor: default;\n      outline: none;\n      padding-left: 14px;\n      padding-top: 10px;\n    }\n\n    #request_info_items {\n      line-height: 18px;\n      list-style-type: none;\n      margin-top: 8px;\n      padding-left: 14px;\n    }\n\n    .param_entry {\n      margin-top: 2px;\n    }\n\n    .goog-zippy-expanded,\n    .goog-zippy-collapsed {\n      list-style: none;\n      padding: 2px 0 1px 15px;\n      position: relative;\n    }\n\n    .goog-zippy-expanded:before {\n      content: url(https://ssl.gstatic.com/ui/v1/zippy/arrow_down.png);\n      left: 1px;\n      position: absolute;\n      top: 7px;\n    }\n\n    .goog-zippy-collapsed:before {\n      content: url(https://ssl.gstatic.com/ui/v1/zippy/arrow_right.png);\n      left: 3px;\n      position: absolute;\n      top: 6px;\n    }\n  </style><p id=\"errorCode\"><b>Error: invalid_request</b></p><p id=\"errorDescription\">Required parameter is missing: response_type</p><p id=\"errorUri\"><a target=\"_blank\" href=\"http://code.google.com/apis/accounts/docs/OAuth2.html\">Learn more</a></p><div id=\"request_info_header\">Request Details<ul id=\"request_info_items\"><li class=\"param_entry\" id=\"param_entry_0\">grant_type=refresh_token</li><li class=\"param_entry\" id=\"param_entry_1\">client_id=764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com</li><li class=\"param_entry\" id=\"param_entry_2\">client_secret=d-FL95Q19q7MQmFpd7hHD0Ty</li><li class=\"param_entry\" id=\"param_entry_3\">refresh_token=1/1Yrj_4sULbMQca3rqX3BO919jyj2JR1LDGXy9M3Y9Bw</li></ul></div><script type=\"text/javascript\">lso.doZippy(\"request_info_header\", \"request_info_items\");</script><p> <ins>That\226\128\153s all we know.</ins></div>

viewing this response in a browser tells the following story:

Error: invalid_request
Required parameter is missing: response_type

Request Details
grant_type=refresh_token
client_id=764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com
client_secret=<CLEANED>
refresh_token=<CLEANED>

Answer 1 · 2017-02-01T21:53:08.000Z

Thanks for raising, will investigate this m the morning!

Answer 2 · 2017-02-01T21:55:06.000Z

thanks for lightning-fast response @brendanhay !
Please let me know whether i can provide more details, use another auth method that currently works or how else i can assist

Answer 3 · 2017-02-01T22:49:38.000Z

The only thing I can recommend immediately is to try out develop, a couple of fixes for tolen refresh were merged recently that haven't made it onto Hackage.

Answer 4 · 2017-02-01T22:57:36.000Z

tried develop with recent merge (of 18 Jan), with same result

digging deeper, this seems to be likely culprit: https://github.com/brendanhay/gogol/blob/develop/gogol/src/Network/Google/Auth/ServiceAccount.hs#L70-L77

Tried adding "response_type" and "redirect_uri", but then the endpoint complained about lack of "scope" attribute, but those do not seem to be available at that place in code.

The relevant doc for this endpoint seems to require these attributes to be populated: https://developers.google.com/identity/protocols/OAuth2UserAgent

Answer 5 · 2017-02-01T23:03:21.000Z

also, this is the minimal example I am trying to get working: https://github.com/ababkin/gogol-test

Answer 6 · 2017-02-02T00:27:38.000Z

so apparently this fixes it: #55

Answer 7 · 2017-02-02T09:16:59.000Z

Thanks for working through this and providing a fix! Much appreciated.

Answer 8 · 2017-02-09T23:46:07.000Z

Looks like this one is not over:

This fixed the issue on my OSX Sierra, but rears its head on CircleCI environment.
Even with the above fix applied, results in same error:

TokenRefreshError (Status {statusCode = 400, statusMessage = "Bad Request"}) "Failure refreshing token from accounts.google.com/o/oauth2/v2/auth" Nothing

This is clearly due to environment differences. Does anyone have ideas what specifically could those differences be? Or point me in the right direction?

Answer 9 · 2017-02-09T23:59:56.000Z

@ababkin Could you check if #57 helps?

Answer 10 · 2017-02-10T00:31:44.000Z

thanks @CthulhuDen - looks like this fixed it for me!

Answer 11 · 2017-03-11T19:07:45.000Z

Can confirm this is fixed in develop for me too.

Answer 12 · 2017-08-23T04:24:23.000Z

@brendanhay, @CthulhuDen: I just ran into the problem #57 addresses. Do you suppose you could cut a bugfix release for this?