Obtaining code via gapi.auth2.authorize doesn't return a valid code #175

@gcsaba2

Description

I'm able to reproduce the issue like this:

  1. I have an anchor on my HTML page which leads to google's auth server. Google will respond with a redirect URL; this URL will contain the code.
  2. I input this code into the curl command below:

     curl -v -H "Origin: https://localhost:8080" -H "Content-Type: application/x-www-form-urlencoded" \
       -X POST --data-urlencode "client_id=myclientid" \
       --data-urlencode "client_secret=mysecret" \
       --data-urlencode "redirect_uri=http://localhost:8080/google/auth" \
       --data-urlencode "grant_type=authorization_code" \
       --data-urlencode "code=4/0AY0e-g6bddl0EjaWbmov2ExohWV2NTPAbUQ--wHPvZUiW_4bx26vu-bx1NGEngz29RKboQ" \
       https://oauth2.googleapis.com/token

  3. Running this command will return an access_token

OK this works. So now I want to do the exact same thing with javascript.

This is the code:

function onGLoad() {
  gapi.load('auth2', function() {
    gapi.auth2.authorize({
        client_id: 'myclientid',
        scope: 'profile email',
        response_type: 'code',
        prompt: 'none'
      }, function(response) {
        if (response.error) {
          console.log('Google responded with an error: ' + response.error);
        } else if (response.code) {
          console.log(response.code);
        }
      });
  });
}

I take response.code and input it into the same curl command as above. I'll get an error like this:

{
  "error": "redirect_uri_mismatch",
  "error_description": "Bad Request"
}

To be sure, the redirect_uri is correct. Is this a bug in google's AS?

The code which I get via the HTML anchor looks like this:

4/0AY0e-g5ic3wkiIf3I1AQ0t2oIP0w8u4WtRMm-G-gRE83hSKtLwyBfd18sZ-NkdJQXjHmyg

and the code I get via Javascript looks like this:

4/0AY0e-g6bddl0EjaWbmov2ExohWV2NTPAbUQ--wHPvZUiW_4bx26vu-bx1NGEngz29RKboQ

(e.g. no visible difference)

I was checking the network traffic to see what Google's JS is doing and the only difference from the HTML anchor seems to be sending the undocumented ss_domain parameter. However, adding that to my curl command does nothing, so the issue probably lies elsewhere.
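Added example, not code from the original issue or from the project it was filed against: a Python script that replays the token exchange from the curl command above against a constructed mock token endpoint, so the check behind a redirect_uri_mismatch response can be seen end to end. The mock binds each issued code to the redirect_uri of the authorization request that produced it and rejects an exchange that presents a different one; that is the comparison RFC 6749 section 4.1.3 requires of an authorization server, so that a code issued for one redirect target cannot be redeemed through another. The codes, client credentials and token values are constructed; the assumption that the JS client's authorization request carried a redirect_uri other than http://localhost:8080/google/auth (Google's documentation uses the literal value postmessage for code exchanges that originate in its JS client) is mine, not the report's.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: codes the mock server "issued", each bound to the
# redirect_uri that appeared in the authorization request that produced it.
# Real Google codes look like the 4/0AY0e-... strings in the report; these are fakes.
ISSUED_CODES = {
    "code-from-html-anchor": "http://localhost:8080/google/auth",
    # Assumption: the JS client's authorization request used a different
    # redirect_uri than the anchor; Google documents 'postmessage' for that flow.
    "code-from-js-client": "postmessage",
}
CLIENT_ID = "myclientid"        # constructed, matches the placeholder in the report
CLIENT_SECRET = "mysecret"      # constructed


class MockTokenEndpoint(BaseHTTPRequestHandler):
    """Minimal stand-in for an OAuth 2.0 token endpoint (constructed for this example)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        field = lambda key: form.get(key, [""])[0]

        if field("client_id") != CLIENT_ID or field("client_secret") != CLIENT_SECRET:
            return self._reply(401, {"error": "invalid_client"})
        if field("grant_type") != "authorization_code":
            return self._reply(400, {"error": "unsupported_grant_type"})

        bound_uri = ISSUED_CODES.get(field("code"))
        if bound_uri is None:
            return self._reply(400, {"error": "invalid_grant"})
        # The check the report is hitting: the redirect_uri presented at exchange
        # time must be identical to the one the code was issued for (RFC 6749 4.1.3).
        if field("redirect_uri") != bound_uri:
            return self._reply(400, {"error": "redirect_uri_mismatch",
                                     "error_description": "Bad Request"})
        self._reply(200, {"access_token": "constructed-access-token",
                          "token_type": "Bearer", "expires_in": 3600})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Start the mock token endpoint on an ephemeral localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), MockTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/token"


def exchange_code(token_url, code, redirect_uri):
    """Make the same POST the curl command in the report makes; return the parsed JSON body."""
    body = urllib.parse.urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code": code,
    }).encode()
    req = urllib.request.Request(token_url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # OAuth error responses carry a JSON body as well


def demo():
    """Run the three exchanges that matter for the report and return their responses."""
    server, token_url = start_mock_server()
    try:
        anchor_uri = "http://localhost:8080/google/auth"
        return {
            "anchor_code_same_uri": exchange_code(token_url, "code-from-html-anchor", anchor_uri),
            "js_code_anchor_uri": exchange_code(token_url, "code-from-js-client", anchor_uri),
            "js_code_bound_uri": exchange_code(token_url, "code-from-js-client", "postmessage"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second exchange reproduces the report: a code bound to one redirect_uri, redeemed with another, yields redirect_uri_mismatch even though the client credentials and grant_type are right. Comparing the authorization request's redirect_uri (visible in the browser's network log) with the value sent to the token endpoint is the first thing to check when this error appears.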
