OAuth2 authentication for appengine stopped working

I have a periodic job that pulls data from my appengine datastore using remote api. This job suddenly stopped working because Google decided not to like my server anymore. It works on my machine, though.

Here's what happens in a python shell on my machine:

$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from google.appengine.ext.remote_api import remote_api_stub
>>> app = 'qmagicobr2.appspot.com'
>>> remote_api_stub.ConfigureRemoteApiForOAuth(app, '/_ah/remote_api')
<google.appengine.tools.appengine_rpc_httplib2.HttpRpcServerOAuth2 object at 0x7f5cdfac61d0>
>>> 

And here's what happens with the same code on my server:

(qmbi)dashboard@ip-172-31-32-222:~/qmbi$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from google.appengine.ext.remote_api import remote_api_stub
>>> app = 'qmagicobr2.appspot.com'
>>> remote_api_stub.ConfigureRemoteApiForOAuth(app, '/_ah/remote_api')
Go to the following link in your browser:

    https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.apis+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&client_id=None&access_type=offline

Enter verification code:

When I go to the URL above I get an error page that says:

    1. That's an error.

    Error: invalid_client

    The OAuth client was not found.

    Request Details
    access_type=offline
    scope=https://www.googleapis.com/auth/appengine.apis https://www.googleapis.com/auth/userinfo.email
    response_type=code
    redirect_uri=urn:ietf:wg:oauth:2.0:oob
    client_id=None

    That's all we know.

Help?

---- UPDATE (2016-05-12) -----

I forgot to mention the authentication file I'm using. For ConfigureRemoteApiForOAuth to work I need to have an environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to a credentials file. I do. In both environments (my machine, and the server) GOOGLE_APPLICATION_CREDENTIALS points to a json file (the same file in both environments) with the following format:

{
  "type": "service_account",
  "project_id": "qmagicobr2",
  "private_key_id": "000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAA....AAAA\n-----END PRIVATE KEY-----\n",
  "client_email": "dashboard@qmagicobr2.iam.gserviceaccount.com",
  "client_id": "0000000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dashboard%40qmagicobr2.iam.gserviceaccount.com"
}

This file was generated using Appengine's developer console, under "Credentials / Service Account Keys / Manage Service accounts".

So I just tested this particular use case, and the fact that the client id is None reveals a lot.

ConfigureRemoteApiForOAuth accepts using a service account with a key file, providing oauth2 params as an appengine_rpc_httplib2.HttpRpcServerOAuth2.OAuth2Parameters object where you can specify the client id, secret, scope, etc. (OAuth2Parameters Doc)

But the easiest way to mitigate the situation is to use the gcloud tool to properly authenticate your server:

gcloud auth login
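
A pre-flight check for the setup described in the question, as an added example (not code from the original post or from the App Engine SDK): it reports whether the process running the job actually sees GOOGLE_APPLICATION_CREDENTIALS and whether it points at a well-formed service-account key file shaped like the JSON shown above. The function name check_adc_key_file, the list of required fields, and the file-permission check are assumptions of this example.

```python
import json
import os
import stat

# Fields taken from the key-file format shown in the question.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")


def check_adc_key_file(environ=None):
    """Return a list of problems with the key file that
    GOOGLE_APPLICATION_CREDENTIALS points to (empty list = looks usable)."""
    environ = os.environ if environ is None else environ
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set in this process"]
    if not os.path.isfile(path):
        return ["%s does not exist or is not a regular file" % path]
    problems = []
    # A private key readable by group/other can be copied by any local user.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file mode %o is too permissive; use 600" % mode)
    try:
        with open(path) as fh:
            key = json.load(fh)
    except (IOError, OSError, ValueError) as exc:
        return problems + ["cannot read/parse key file: %s" % exc]
    if not isinstance(key, dict):
        return problems + ["key file is not a JSON object"]
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    pem = key.get("private_key") or ""
    if pem and "-----BEGIN PRIVATE KEY-----" not in pem:
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


if __name__ == "__main__":
    for line in check_adc_key_file() or ["key file looks usable"]:
        print(line)
```

Run it as the same user and from the same environment (cron entry, virtualenv) as the periodic job, since an interactive shell on the server may have variables set that the job's process does not.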
