
Error 400: invalid_scope "https://www.googleapis.com/auth/chat.bot"

The documentation for the new Google Hangouts Chat says that you need to authorize the scope https://www.googleapis.com/auth/chat.bot to do pretty much anything.

Here's the error:

While generating an authentication URL using their OAuth2 client, I get the message that the scope is invalid. I don't have that problem if I use https://www.googleapis.com/auth/chat or some other scope like the one for Google Plus.

When I try to google things in the API Explorer, no combination of the URL or parts of the URL works either.

Here is my code to fetch the URL; it seems to work just fine for everything else:

var {google} = require('googleapis');
var OAuth2 = google.auth.OAuth2;

var oauth2Client = new OAuth2(
  "clientid-idididid.apps.googleusercontent.com",
  "_secretsuff",
  "http://localhost:3000/auth/google/callback"
);

var scopes = [
    "https://www.googleapis.com/auth/chat", //Works
    "https://www.googleapis.com/auth/chat.bot"  // Does not work
];

var url = oauth2Client.generateAuthUrl({
  access_type: 'offline',
  scope:  scopes,
});

console.log(url);

sailingonsound asked Mar 18 '18 22:03


2 Answers

In case others are running across this problem, I think I've figured this out. Google doesn't seem to need this auth scope enabled by a domain user because it's already authorised on the domain when you're testing your bot. The "authorisation" of these scopes is dictated by users in a domain adding/removing bots from spaces.

I'll go into a bit of detail if you're confused.

When you create a bot in the console for an organisation (https://console.cloud.google.com/apis/api/chat.googleapis.com/), your bot is added to the domain and can be added to spaces by users. If you then go over to the credentials and create a service account, you can use that JSON credentials file to access the API as your bot. The code below gets a list of the people in a space.

var { google } = require('googleapis');
var chat = google.chat("v1");

var key = require('./google_service-account-credentials.json');

var jwtClient = new google.auth.JWT(
  key.client_email,
  null,
  key.private_key,
  ['https://www.googleapis.com/auth/chat.bot'], // an array of auth scopes
  null
);

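jwtClient.authorize(function (err, tokens) {
  if (err) {
    // Token exchange failed (bad key, wrong scope, clock skew, ...)
    console.error(err);
    return;
  }
  // List the members of a space the bot has been added to
  chat.spaces.members.list({
    auth: jwtClient,
    parent: "spaces/AAAAD4xtKcE"
  }, function (err, resp) {
    if (err) {
      console.error(err);
      return;
    }
    console.log(resp.data);
  });
});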

If you try to get a list of members on other spaces (and other domains) the bot will fail with the exact same error message:

"Bot is not a member of the space."

I assume if you list your bot on the marketplace and it gets added to different domains and spaces, Google's API makes sure that your bot can do what it's trying to do on a space-by-space basis. It would be annoying to have to set up some authentication flow after a bot has already been added for it to do its job. This is also probably why the current REST API doesn't let you list spaces under domains; it's not the paradigm this API works under.

sailingonsound answered Sep 29 '22 05:09


It may have to do with one of the following:

  1. The scope is created for service accounts. Make sure you are accessing the REST API with a service account.
  2. Make sure that the bot is added to the room or space and has access to what you want it to do.
  3. Make sure the Service account is part of the bot project that you are using for the bot.

Kelvin Youk answered Sep 29 '22 06:09
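
Both answers come down to using a service account, which involves no consent URL at all: the client signs a short-lived JWT assertion carrying the scope and exchanges it at the token endpoint. The sketch below is an added example, not code from either poster or from the googleapis library; it builds and checks such an assertion by hand with Node's `crypto`. The helper names, the throwaway key pair and the `bot@example-project...` address are constructed for illustration.

```javascript
const crypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const BOT_SCOPE = 'https://www.googleapis.com/auth/chat.bot';
const b64url = (x) => Buffer.from(x).toString('base64url');

// Build the RS256-signed assertion a service account presents instead of a user consent screen.
function buildAssertion(key, scopes, now = Math.floor(Date.now() / 1000)) {
  if (key.type !== 'service_account') {
    throw new Error('chat.bot needs service-account credentials, not an OAuth client id');
  }
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: key.client_email, scope: scopes.join(' '),
    aud: TOKEN_URL, iat: now, exp: now + 3600, // lifetime is capped at one hour
  };
  const input = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), key.private_key);
  return input + '.' + b64url(sig);
}

// Form body POSTed to TOKEN_URL; only the assertion travels, never the private key.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Check the signature against the public key and decode the claims.
function verifyAssertion(jwt, publicKey) {
  const [h, c, s] = jwt.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + c), publicKey,
    Buffer.from(s, 'base64url'));
  return { ok, claims: JSON.parse(Buffer.from(c, 'base64url').toString()) };
}

// Constructed stand-in for the downloaded service-account JSON key file.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleKey = {
  type: 'service_account',
  client_email: 'bot@example-project.iam.gserviceaccount.com',
  private_key: privateKey.export({ type: 'pkcs8', format: 'pem' }),
};
const demo = verifyAssertion(buildAssertion(sampleKey, [BOT_SCOPE], 1700000000), publicKey);
console.log(demo.ok, demo.claims.scope);
```

Because the private key alone is enough to mint tokens for the bot, keep the JSON key file out of source control and load it from a secret store.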