
Google Drive OAuth 2 flow giving invalid_scope error

My Google Drive app requests the following scopes when exchanging a code for an access token:

https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
https://www.googleapis.com/auth/drive.install

In particular, this is the query string of the URL that is eventually being requested from Google during the exchange:

code=XXXXXXXXXX&grant_type=authorization_code&redirect_uri=XXXXXXXXXXX&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.install&client_id=XXXXXX.apps.googleusercontent.com&client_secret=XXXXXX

The response is a 400 error, with the error message "invalid_scope". What am I doing wrong?

[Edit] Additional information:

The error only happens when the user clicks through from Google Drive to create a new document. If I initiate the authentication/authorization flow from my own app, the list of scopes is accepted just fine. If the user clicks through the actual Drive app to create a new document, I get invalid_scopes.

The invalid scope is drive.install. If I remove that from the list of requested scopes when the user shows up to create a new document, things start working again. Does that make any sense at all? If the user has the Drive app installed already via us requesting that scope, why would requesting that same scope when the user shows up from the Drive app cause a problem of any kind?

asked May 19 '13 09:05

Ben Dilts


1 Answer

I experienced a similar problem. The solution was to pass an array of scopes to the google client:

google_client.authorization.scope = [
  'https://www.googleapis.com/auth/calendar.readonly',
  'https://www.googleapis.com/auth/drive.appdata'
]

rather than a concatenated string of scopes:

google_client.authorization.scope="https://www.googleapis.com/auth/calendar.readonly%2Bhttps://www.googleapis.com/auth/drive.appdata" 

The GET request in the Rails log looked identical, but the result was very different!

answered Sep 28 '22 00:09

kpg
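
The following Ruby sketch is an added example, not code from the question or the answer. It shows how the two scope forms from the answer differ once they are form-encoded: OAuth 2.0 scopes are a space-delimited list, so a string that already contains `%2B` is encoded again and decodes to a single unknown scope. The helper names are hypothetical, and it assumes the client encodes parameters with `URI.encode_www_form`; the post does not show what the Google client library actually sent.

```ruby
require 'uri'

# Added example (not from the post). Helper names are hypothetical.
# Assumption: the client form-encodes parameters with URI.encode_www_form.

# Delimiters that must not appear inside a single scope value.
ENCODED_DELIMITER = /%2B|%20|\+|\s/i

# Return individual scopes from an array or a space-delimited string;
# reject any value that still carries a raw or pre-encoded delimiter.
def normalize_scopes(scopes)
  list = scopes.is_a?(Array) ? scopes : scopes.to_s.split(' ')
  bad = list.find { |s| s.match?(ENCODED_DELIMITER) }
  raise ArgumentError, "delimiter inside scope value: #{bad}" if bad
  list
end

# Build the scope parameter as it would appear in the request.
def encode_scope_param(scopes)
  value = scopes.is_a?(Array) ? scopes.join(' ') : scopes
  URI.encode_www_form('scope' => value)
end

# Decode the parameter and split it as a server would.
def scopes_seen_by_server(query)
  URI.decode_www_form(query).to_h.fetch('scope').split(' ')
end

SCOPES = [
  'https://www.googleapis.com/auth/calendar.readonly',
  'https://www.googleapis.com/auth/drive.appdata'
].freeze
CONCATENATED = SCOPES.join('%2B') # the string form shown in the answer

if __FILE__ == $PROGRAM_NAME
  [SCOPES, CONCATENATED].each do |form|
    query = encode_scope_param(form)
    puts query
    puts "  server sees #{scopes_seen_by_server(query).length} scope(s)"
  end
end
```

Running `normalize_scopes` on configured scopes before building the request catches the pre-encoded form early, so the app never asks for a scope string it did not intend.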