Google's OpenID Connect says: OAuth 2 parameters can only have a single value: client_id

As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.

Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code or to the libraries it uses.

The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:

OAuth 2 parameters can only have a single value: client_id

A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.

More testing: removing all parameters except client_id causes this error message:

Required parameter is missing: grant_type

Supplying only client_id and grant_type produces the original error message again.

Does anyone have an idea what's going on here?

Jan Krüger asked Apr 17 '15 09:04


1 Answer

Google changed this behavior a few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like

OAuth 2 parameters can only have a single value: client_id

or

OAuth 2 parameters can only have a single value: client_secret

So, you must now NOT use both (the Auth headers and the body request parameters) at the same time to send credentials to Google.

And according to RFC 6749, the preferable way to send credentials is through Auth headers (thanks @JanKrüger for alerting me about this).

Rael Gugelmin Cunha answered Sep 27 '22 19:09
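Added example, not code from the question, the answer or Net::OAuth2: a Python sketch of the token request shape the answer recommends, putting the client credentials in exactly one place (Basic header per RFC 6749 section 2.3.1, or form body, never both), plus a pre-flight check that reproduces the endpoint's single-value rule so a client can catch the mistake before sending. The function names, redirect URI and sample credentials are assumptions; nothing here talks to the network.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

# Google's token endpoint named in the question; the returned headers and
# body are what a client would POST here.
TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v3/token"


def build_token_request(code, client_id, client_secret, redirect_uri,
                        auth_method="client_secret_basic"):
    """Build (headers, form_body) for the authorization-code exchange.

    "client_secret_basic": credentials in the Authorization header
    (RFC 6749 section 2.3.1, the form the answer prefers).
    "client_secret_post":  credentials as form parameters.
    Either way the credentials appear in exactly one place.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"code": code, "redirect_uri": redirect_uri,
            "grant_type": "authorization_code"}
    if auth_method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, join with ':', Base64.
        creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif auth_method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown auth_method: {auth_method}")
    return headers, urlencode(body)


def legacy_both_request(code, client_id, client_secret, redirect_uri):
    """The pattern the answer says now fails: Basic header AND body credentials."""
    headers, _ = build_token_request(code, client_id, client_secret, redirect_uri)
    _, body = build_token_request(code, client_id, client_secret, redirect_uri,
                                  "client_secret_post")
    return headers, body


def check_single_credential_source(headers, form_body):
    """Mirror the server rule from the answer: each client credential may be
    supplied once, via the Basic header or the body, never both (and never as
    a repeated body parameter). Returns None if acceptable, else the error."""
    from_header = 1 if headers.get("Authorization", "").startswith("Basic ") else 0
    params = parse_qs(form_body)
    for name in ("client_id", "client_secret"):
        if from_header + len(params.get(name, [])) > 1:
            return f"OAuth 2 parameters can only have a single value: {name}"
    return None
```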