google/googleapis.dart

clientViaUserConsent gives 400: invalid_request due to loopback flow

Closed this issue · 3 comments

I've recently revisited an old project of mine from 2021, which hadn't been upgraded in a while (I was using v1.1.0, which makes use of clientViaUserConsent A LOT). Unfortunately, after upgrading to v1.6.0, my requests to Google are being blocked with an error 400: 'invalid_request due to loopback flow'.

I've been trying for ages to find a fix and I'm running out of ideas. The problem seems to be with the fact that clientViaUserConsent always uses localhost for its redirect_uri. This is of course no longer allowed.

Specifically the following bit inside: googleapis_auth/lib/src/oauth2_flows/authorization_code_grant_server_flow.dart

```dart
AuthorizationCodeGrantServerFlow(
//...

  @override
  Future<AccessCredentials> run() async {
    final server = await HttpServer.bind('localhost', listenPort);

    try {
      final port = server.port;
      final redirectionUri = 'http://localhost:$port'; //this is the culprit right?
      final state = randomState();
      final codeVerifier = createCodeVerifier();

      // Prompt user and wait until they goes to URL and the google
      // authorization server calls back to our locally running HTTP server.
      userPrompt(
        authenticationUri(
          redirectionUri,
          state: state,
          codeVerifier: codeVerifier,
        ).toString(),
      );

//...
```

As for my own code, I don't think I'm doing anything different than the example:

```dart
    //Launch the official permission window from google
    prompt(String url) async {
      if (await canLaunchUrl(Uri.parse(url))) {
        await launchUrl(Uri.parse(url));
      } else {
        throw 'Error - Could not launch $url';
      }
    }

    //Grab the permission credentials
    try {
      clientViaUserConsent(_credentials, _scopes, prompt)
          .then((AuthClient client) {

//...
```

Please note that switching to the google_sign_in package seems impossible with how much I'm relying on clientViaUserConsent throughout my entire application...
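An added example, not part of the original issue or of the googleapis_auth code: a small Dart check that inspects the consent URL handed to the prompt callback and reports when its redirect_uri targets a loopback listener, which is what the quoted `run()` builds. The names `loopbackRedirect` and `guardedPrompt` and the sample URLs are assumptions made for illustration.

```dart
import 'dart:io';

/// Returns the redirect_uri carried by [consentUrl] when it targets a
/// loopback listener (localhost, 127.0.0.0/8 or ::1), otherwise null.
Uri? loopbackRedirect(String consentUrl) {
  final raw = Uri.tryParse(consentUrl)?.queryParameters['redirect_uri'];
  final target = raw == null ? null : Uri.tryParse(raw);
  if (target == null || target.host.isEmpty) return null;
  // Uri.host is already lower-cased and has the IPv6 brackets removed.
  final address = InternetAddress.tryParse(target.host);
  final loopback = target.host == 'localhost' || (address?.isLoopback ?? false);
  return loopback ? target : null;
}

/// Wraps a consent prompt (hypothetical helper) so a loopback redirect is
/// reported before the browser is opened.
void Function(String) guardedPrompt(void Function(String) inner) {
  return (String url) {
    final hit = loopbackRedirect(url);
    if (hit != null) {
      throw StateError('consent URL uses loopback redirect_uri $hit');
    }
    inner(url);
  };
}

void main() {
  // Constructed sample URLs; client_id is a placeholder, not a real client.
  const base = 'https://accounts.google.com/o/oauth2/v2/auth'
      '?response_type=code&client_id=PLACEHOLDER&redirect_uri=';
  const samples = [
    '${base}http%3A%2F%2Flocalhost%3A51234',
    '${base}http%3A%2F%2F127.0.0.1%3A51234',
    '${base}https%3A%2F%2Fapp.example%2Foauth2redirect',
  ];
  for (final url in samples) {
    final hit = loopbackRedirect(url);
    print(hit == null ? 'ok: no loopback redirect' : 'loopback: $hit');
  }
  // The guard stops the first sample before any browser launch.
  final prompt = guardedPrompt((url) => print('would open $url'));
  try {
    prompt(samples.first);
  } on StateError catch (e) {
    print('blocked: ${e.message}');
  }
}
```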

Have you figured this out?

@kevmoo, unfortunately, nope. I ended up rewriting the entire application using the Google Sign In package. For others who find this, I would consider clientViaUserConsent as deprecated.

@fvanmeeteren – oh yeah, you should NOT use this for a Flutter app!!