google hybrid protocol authentication issue

Question

I've been successfully using OAuth1.0+OpenID Hybrid protocol for authentication with Google and thereafter using its services.

However, I am facing an error for a specific user account. My current flow:

1. Perform Discovery

2. redirect user to provider with OpenID and OAuth parameters (like : https://accounts.google.com/o/openid2/auth?https://accounts.google.com/o/openid2/auth?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&.....&openid.ns.ext2=http://specs.openid.net/extensions/oauth/1.0&openid.ext2.consumer=mywebsite.com&openid.ext2.scope=https://picasaweb.google.com/data+https://www-opensocial.googleusercontent.com/api/people/+http://www.google.com/m8/feeds/)

3. Once, user successfully authenticates and approves permission request, application returns back to my specified callbackurl long with a string similar to aforesaid request from which I extract authorization token from "openid.ext2.request_token" and then obtain access token by passing it.

However for a specific user account, instead of passing result as stated above after successful authentication and grant of permission, google redirects to some URL https://accounts.google.com/o/openid2/approval?xsrfsign=AC9jObYAAAAATpF6x6S6Ac7MfHaZ and then back to my application without any parameter in query string.

Same code works fine for other accounts. I'm not able to identify what special can be for one account (except that I created it just last month). As a note, this happens only when I include picasa in scope. If I exclude picasa, it works.

Please help on this.

Answer 1

Was able to fix this issue by adding a request_token request. strangely, it works without having this request for most of the accounts. However for new accounts created I had to explicitly set this parameter in request. Once, this parameter was set, instead of redirecting user to xsrfsign.. URL, I got user details and request token.