[QUESTION] Token refresh on Google service returns 'Bad Request'

Open geekarist opened this issue 6 years ago • 4 comments

I'm trying to use AuthState.performActionWithFreshTokens() to call a Google web service when my auth token has expired.

It seems that AuthState.performActionWithFreshTokens() uses the scope of the latest auth response and sends it to https://www.googleapis.com/oauth2/v4/token.

So when I do that, I get a Bad Request from v4/token because in the case of a token refresh, it doesn't expect a scope, as the documentation mentions: https://developers.google.com/identity/protocols/OAuth2InstalledApp#offline

I have tried to work around this by clearing the scope that is used by performActionWithFreshTokens() before refreshing my auth token, but the field is private so I can't override AuthState for this. Here is the code of my app: https://github.com/geekarist/who-am-i/blob/cdd5cf9cdfff02de02b6e8a467ea98e36e834a94/app/src/main/java/me/cpele/whoami/ProfileViewModel.kt#L31

Is there any other way?

geekarist avatar Oct 10 '18 07:10 geekarist

Finally I was able to subclass AuthState and override createTokenRefreshRequest() to make it work.

See this code: https://github.com/geekarist/who-am-i/commit/4b7f3b4fdfd6e21badc057d51edb418151daa25f

I think it should be easier to override this behavior so I'm keeping this issue open.

geekarist avatar Oct 11 '18 06:10 geekarist
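One way to do what this comment describes, as an added example rather than the code from the linked commit or from AppAuth itself: subclass AuthState and override the refresh-request builder so the refresh_token grant carries no scope parameter. It assumes the Map-taking overload `createTokenRefreshRequest(Map)` is the one performActionWithFreshTokens() calls, that `TokenRequest.Builder`, `GrantTypeValues.REFRESH_TOKEN` and the two `update()` overloads behave as in AppAuth-Android of that era, and that a stored state is restored via the `from()` helper because `AuthState.jsonDeserialize()` returns the base class.

```java
import java.util.Map;
import net.openid.appauth.AuthState;
import net.openid.appauth.AuthorizationException;
import net.openid.appauth.AuthorizationResponse;
import net.openid.appauth.GrantTypeValues;
import net.openid.appauth.TokenRequest;
import net.openid.appauth.TokenResponse;

/** AuthState whose refresh_token grant omits the scope parameter (example code). */
public class ScopelessRefreshAuthState extends AuthState {

    public ScopelessRefreshAuthState(AuthorizationResponse authResponse,
                                     AuthorizationException authException) {
        super(authResponse, authException);
    }

    /**
     * Hypothetical helper: rebuild the subclass from a plain AuthState read back from
     * storage, since jsonDeserialize() returns the base class. Assumes update() accepts
     * a null exception whenever the matching response is present.
     */
    public static ScopelessRefreshAuthState from(AuthState stored) {
        AuthorizationResponse authResponse = stored.getLastAuthorizationResponse();
        if (authResponse == null) {
            throw new IllegalStateException("no authorization response to restore from");
        }
        ScopelessRefreshAuthState state = new ScopelessRefreshAuthState(authResponse, null);
        TokenResponse tokenResponse = stored.getLastTokenResponse();
        if (tokenResponse != null) {
            state.update(tokenResponse, null); // carries over the refresh token
        }
        return state;
    }

    @Override
    public TokenRequest createTokenRefreshRequest(Map<String, String> additionalParameters) {
        String refreshToken = getRefreshToken();
        AuthorizationResponse authResponse = getLastAuthorizationResponse();
        if (refreshToken == null || authResponse == null) {
            throw new IllegalStateException("no refresh token or authorization response");
        }
        // Same request the library builds, minus setScope(...). A refresh can never widen
        // the originally granted scope, so nothing is lost, and Google's token endpoint
        // rejects the parameter on refresh. Never log refreshToken: it is a long-lived secret.
        return new TokenRequest.Builder(authResponse.request.configuration,
                                        authResponse.request.clientId)
                .setGrantType(GrantTypeValues.REFRESH_TOKEN)
                .setRefreshToken(refreshToken)
                .setAdditionalParameters(additionalParameters)
                .build();
    }
}
```

Keep using the subclass instance (not the base AuthState) when calling performActionWithFreshTokens(), otherwise the default request with scope is sent again.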

The OAuth2 spec permits sending a scope string as part of the refresh request, as long as the set of scopes this represents is not disjoint from what was originally requested. @WilliamDenniss should I file a bug for this with Google, or do you think we should omit the inclusion of the scope string in refresh requests?

iainmcgin avatar Oct 11 '18 15:10 iainmcgin

Upon discussing this with the other maintainers, we believe it would be best to change AppAuth's behavior to not include the scope string in token refresh requests by default. We have no clear recollection as to why we were including this, when not including it should produce the same behavior. It is possible that we were working around some IDP-specific bug in the early days.

iainmcgin avatar Oct 12 '18 17:10 iainmcgin

Seems like the iOS version of AppAuth does not send scopes on token refresh: github link

Currently we see some inconsistency in that sense between the iOS and Android versions. Is it something that is planned to be done?

atkit avatar Apr 17 '19 12:04 atkit