invalid_grant response from exchange of authorization code

Question

I am trying to authenticate my application to Google contacts API. I have gone though the first step in the Oauth2 flow and have an authorization code. I am trying to exchange this code for an access token and refresh token, but when i try to get Token from googleapis.com/oauth2/v4/token receive with

response : "invalid_grant" "Bad request" Error 400.

My code

try
        {
            Map<String,Object> params = new LinkedHashMap<>();
            params.put("grant_type","authorization_code");
            params.put("code", authCode);
            params.put("client_id",CLIENTE_ID);
            params.put("client_secret",CLIENTE_ID_SECRETO);
            params.put("redirect_uri","http://localhost:8080/conob/api2/contatos/insert");

            StringBuilder postData = new StringBuilder();
            for(Map.Entry<String,Object> param : params.entrySet())
            {
                if(postData.length() != 0){
                    postData.append('&');
                }

                postData.append(URLEncoder.encode(param.getKey(),"UTF-8"));
                postData.append('=');
                postData.append(URLEncoder.encode(String.valueOf(param.getValue()),"UTF-8"));
            }

            byte[] postDataBytes = postData.toString().getBytes("UTF-8");

            URL url = new URL("https://www.googleapis.com/oauth2/v4/token");
            HttpURLConnection con = (HttpURLConnection)url.openConnection();
            con.setRequestMethod("POST");
            con.setDoOutput(true);
            con.setUseCaches(false);
            con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            con.setRequestProperty("charset", "utf-8");
            con.setRequestProperty("Content-Length", postData.toString().length() + "");
            con.getOutputStream().write(postDataBytes);


            BufferedReader reader = null;
            try {
                reader = new BufferedReader(new InputStreamReader(con.getInputStream()));

                StringBuffer buffer = new StringBuffer();

                for (String line = reader.readLine(); line != null; line = reader.readLine()){
                    buffer.append(line);
                }

                JSONObject json = new JSONObject(buffer.toString());
                String accessToken = json.getString("access_token");

                return accessToken;
            } catch (Exception e) {
                reader = new BufferedReader(new InputStreamReader(con.getErrorStream()));

                StringBuffer buffer = new StringBuffer();

                for (String line = reader.readLine(); line != null; line = reader.readLine()){
                    buffer.append(line);
                }

                System.out.println(buffer.toString());
                System.out.println(e.toString());
            }

        }
        catch (Exception ex)
        {
            ex.printStackTrace(); 
        }
        return null;

Parameters output:

grant_type=authorization_code&code=AUTHORIZATION_CODE&client_id=CLIENTE_ID&client_secret=CLIENTE_SECRET&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fconob%2Fapi2%2Fcontatos%2Finsert

I'm searching for many hours in many forums but not conclude a solution for my problem.

Basically, my app needs to insert new contact on a google accounts in company intranet.

My question is what the response is "invalid_grant"?

Good code and thanks since now;

Answer 1

In the OAuth2 spec, "invalid_grant" is sort of a catch-all for all error response related to invalid/expired/revoked tokens (auth grant or refresh token).

common causes

1. User has actively revoked access to our app
2. User has reset/recovered their Google password In December 2015, Google changed their default behavior so that password resets for non-Google Apps users would automatically revoke all the user's apps refresh tokens. This is not true for all apis contacts is not one of them but i thought i would note it anyway.

Apart from those, there's a myriad of other potential causes that could trigger the error:

3. Server clock/time is out of sync
4. Not authorized for offline access
5. Throttled by Google
6. Using expired refresh tokens
7. using an expired authorization code.
8. User has been inactive for 6 months
9. Incorrect or invalid refresh token
10. Use service worker email instead of client ID
11. Too many access tokens in short time
12. Client SDK might be outdated

Endpoint

I realize that the discovery document says googleapis.com/oauth2/v4/token but for some reason this end point does not always work try using accounts.google.com/o/oauth2/token

redirect_uri_mismatch

Means that the redirect uri you are sending with your request http://localhost:8080/conob/api2/contatos/insert is not one of the ones you have added in the Google developer console. You need to go back to the google developer console and add this redirect uri.

Note you may want to consider working with the google people api its a much easier api to work with then the old google contacts api.