Issue with invalid_grant error with Google Oauth2

Cheers everybody, we have been deeply reading the Google documentation on exchanging an access_token from Google in order for our (Delphi) desktop application to SSO with Google from the server side. Here is what the payload we send first looks like:

https://accounts.google.com/o/oauth2/v2/auth?client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&state=E1DF2FBA-0A66-4D69-B594-5EB8F7828AF7&scope=openid+profile&include_granted_scopes=true&code_challenge=C832DA50-E55A-499D-89B8-493BB4123C94&login_hint=test@Speelkriebel.be

Normally after this it redirects me to log in to our test user, and after this, according to the documentation, we send a POST request to the token endpoint in order to get the access_token and refresh_token: https://oauth2.googleapis.com/token with the following parameters. The 'code' is generated; we also send it as follows:

    client_id=1000217514248-t1lojs6f8ed7l9ocrpbm98leahtum8n1.apps.googleusercontent.com
    grant_type=authorization_code
    client_secret=******
    code=4/1AY0e-g4GlavO38PI5Oo3vq04Pc4lMWN77et-02UiVWOsT-IyRQnU1lq19qo
    redirect_uri=urn:ietf:wg:oauth:2.0:oob

The response is always:

 { "error_description": "Missing code verifier.", "error": "invalid_grant" }

We have tried to send the client secret id also. Does it have to do with our code_challenge? Are the endpoint URL and initial URL okay? What are we missing? We are using CEF4Delphi as a "browser-like experience" in order for the user to type in their Google credentials. We have been reading this: https://developers.google.com/identity/protocols/oauth2/web-server#offline We were also trying the playground: https://developers.google.com/oauthplayground/ We were sending the initial URL in Chrome, which generated a "code", and in the playground we inserted the code, and still got the same error of missing code verifier.

Thanks Guys

You seem to have URL encoded a lot of the values; try not doing that. Also try using the basic call before you start adding everything else. It should help you figure out which one of those extra parameters you are sending is causing your issues.

https://accounts.google.com/o/oauth2/auth?client_id={clientid}&redirect_uri=urn:ietf:wg:oauth:2.0:oob&scope=profile&response_type=code

Also make sure that the client id is from an installed / other type client.

This may also help: Google 3 Legged OAuth2 Flow

For installed apps, the code challenge and verifier are parameters for enhancing the security of the OAuth flow through PKCE [1].

There is additional documentation about generating a code challenge and verifier here [2].

[1] https://tools.ietf.org/html/rfc7636

[2] https://developers.google.com/identity/protocols/oauth2/native-app#step1-code-verifier
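
An added example (not part of the original answers or of Google's documentation), in Python rather than Delphi: it generates a PKCE verifier, derives the S256 challenge defined in RFC 7636 [1], and builds the two requests from the question so that the `code_verifier` reaches the token endpoint. The function names are this example's own, and the client id, secret and code passed in are expected to be the caller's values.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def new_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 base64url characters."""
    return secrets.token_urlsafe(32)


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(verifier))), padding stripped."""
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_url(client_id, redirect_uri, state, verifier):
    """Step 1: only the challenge travels through the browser."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile",
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })


def token_request_body(client_id, client_secret, redirect_uri, code, verifier):
    """Step 2: form body for the POST to the token endpoint. The verifier that
    produced the challenge must be included; without it the server answers
    invalid_grant / "Missing code verifier."."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    })
```

The application keeps the verifier in memory between the two steps and generates a fresh one for every login attempt.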
