Getting Invalid grant, malformed auth code while verifying token on server side

Question

We are trying to use Google OAuth in our product. The flow would be to get Client get the auth from the users and send the token to server. On server side I need to verify the token is valid. For now, I am using OAuth2Sample provided by Google as client. when I verify the sent token on server side, I am getting the following exception:

com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request

{
"error" : "invalid_grant",
"error_description" : "Malformed auth code."
}

at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)

at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287) at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:158)

Here is the code on the server side:

GoogleTokenResponse tokenResponse =
              new GoogleAuthorizationCodeTokenRequest(
                  new NetHttpTransport(),
                  JacksonFactory.getDefaultInstance(),
                  "https://www.googleapis.com/oauth2/v4/token",

                  CLIENT_ID,
                  CLIENT_SECRET,

                  authToken, //Sent from the client
                  "")  // specify an empty string if you do not have redirect URL
                  .execute();

Here is how I get the accesstoken on the client side:

private static final List<String> SCOPES = Arrays.asList(
"https://www.googleapis.com/auth/userinfo.profile",
"https://www.googleapis.com/auth/userinfo.email");
//...

GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
        httpTransport, JSON_FACTORY, 
clientSecrets, //Client ID and Client Secret
SCOPES).setDataStoreFactory(
        dataStoreFactory).build();

LocalServerReceiver lsr = new LocalServerReceiver();
Credential cr = new AuthorizationCodeInstalledApp(flow, lsr).authorize("user");
return cr.getAccessToken(); //send this to server for verification

The token is not corrupted on the way to server and it is:

ya29.Glx_BUjV_zIiDzq0oYMqoXkxz8VGzt8GCQuBiaaJ3FxN0qaLxbBXvnWXjNKZbpeu4jraoEqw6Mj9D7LpTx_8Ts_8TH0VGT5cbrooGcAOF0wKMc1DDEjm6p5m-MvtFA

If I try to access profile and email from the client side, it works fine. Same token does not work on the server side gets malformed token exception.

Answer 1

I am using Node.js googleapis client library, Here is my case:

The authorization code in the url hash fragment is encoded by encodeURIComponent api, so if you pass this code to request access token. It will throw an error:

{ "error": "invalid_grant", "error_description": "Malformed auth code." }

So I use decodeURIComponent to decode the authorization code.

decodeURIComponent('4%2F_QCXwy-PG5Ub_JTiL7ULaCVb6K-Jsv45c7TPqPsG2-sCPYMTseEtqHWcU_ynqWQJB3Vuw5Ad1etoWqNPBaGvGHY')

After decode, the authorization code is:

"4/_QCXwy-PG5Ub_JTiL7ULaCVb6K-Jsv45c7TPqPsG2-sCPYMTseEtqHWcU_ynqWQJB3Vuw5Ad1etoWqNPBaGvGHY"

In Java, maybe you can use URLDecoder.decode handle the code.