 

How to fix the "Malformed auth code" when trying to refreshToken on the second attempt?

I'm developing an Android app with Angular and Cordova plugins and I want to integrate it with Google Authentication. I have installed the cordova-plugin-googleplus and have successfully integrated it into the application. When the user logs in, I get a response from which I can get the accessToken, the user's profile information and the refreshToken.

Now I want to implement a feature to refresh the token without disturbing the user with a new prompt screen every hour.

I have managed to renew the accessToken, but it only works the first time.

I have used these two ways:

  1. Sending a curl request with the following data:

     curl -X POST \
       'https://oauth2.googleapis.com/token?code=XXXXXXXXXXXXXXXX&client_id=XXXXXXXXXXXXXXXX.apps.googleusercontent.com&client_secret=YYYYYYYYYYYY&grant_type=authorization_code' \
       -H 'Cache-Control: no-cache' \
       -H 'Content-Type: application/x-www-form-urlencoded'

  2. Implementing it on the server side using the Google API Client Library for Java, following mainly this code.

The point is that when the user logs in for the first time (using the cordova-plugin-googleplus), I receive a refreshToken with this format:

4/rgFU-hxw9QSbfdj3ppQ4sqDjK2Dr3m_YU_UMCqcveUgjIa3voawbN9TD6SVLShedTPveQeZWDdR-Sf1nFrss1hc

If, after a while, I try to refresh the token in either of the above ways, I get a successful response with a new accessToken and a new refreshToken. That new refreshToken has this other format:

1/FTSUyYTgU2AG8K-ZsgjVi6pExdmpZejXfoYIchp9KuhtdknEMd6uYCfqMOoX2f85J

In the second attempt to renew the token, I replace the token with the one returned by the first request:

curl -X POST \
  'https://oauth2.googleapis.com/token?code=1/FTSUyYTgU2AG8K-ZsgjVi6pExdmpZejXfoYIchp9KuhtdknEMd6uYCfqMOoX2f85J&client_id=XXXXXXXXXXXXXXXX.apps.googleusercontent.com&client_secret=YYYYYYYYYYYY&grant_type=authorization_code' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded'

But this time, both ways (curl and Java), I get the same error:

{
  "error" : "invalid_grant",
  "error_description" : "Malformed auth code."
}

I read on this thread that it was a problem to specify the clientId as an email, but I have not discovered how to solve it that way either, because the first login is done with the client id 'XXXXXXX.apps.googleusercontent.com', and if I set an email from the Google accounts it says that it is an "Unknown Oauth Client".

I hope someone can help me with this, as I have been stuck for several days.

Ausiàs Armesto asked Dec 31 '22 15:12



1 Answer

In my case it was pretty stupid: the Google API changes the auth code encoding between requests.

Step 1 - During the first request to obtain tokens, Google returns a quite normal, not encoded string as the code.

Step 2 - During the second and N-th request to obtain tokens (if they were not revoked), Google returns the auth code URL-encoded. In my case the killing change was '/' -> '%2F'.

Solution: Always URL-Decode the auth code before exchanging it for the access tokens!

Sebex answered Feb 06 '23 10:02

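A worked version of the answer's advice, added here as an example; it is not code from the question, the answer, cordova-plugin-googleplus or Google's client libraries, and its codes, tokens and client credentials are constructed placeholders. It assumes the token endpoint's documented form-encoded POST interface: grant_type=authorization_code with a code parameter for the first exchange, and grant_type=refresh_token with a refresh_token parameter for later renewals. It percent-decodes the value unconditionally (a no-op when the value is already raw), puts it and the client secret in the POST body rather than the URL query string so they stay out of proxy and server access logs, and makes the failure mode visible: form-encoding an already-encoded value turns %2F into %252F, and the endpoint decodes a form body only once.

```python
"""Added example (not from the question, the answer, cordova-plugin-googleplus
or Google's client libraries): percent-decode an OAuth code or refresh token
as the answer advises, then build a token request whose form body encodes it
exactly once. Every code, token and credential here is a constructed
placeholder, and the endpoint behaviour assumed is the documented
form-encoded POST interface of https://oauth2.googleapis.com/token."""
import json
from urllib.parse import parse_qs, unquote, urlencode

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def normalize_code(value: str) -> str:
    """Return the raw, decoded form of an auth code or refresh token.

    Google's values contain '/', which may arrive as '%2F'. Decoding a value
    that is not encoded changes nothing, so decoding unconditionally is safe;
    the loop also unwinds a value that was percent-encoded more than once.
    """
    decoded = unquote(value)
    while decoded != unquote(decoded):
        decoded = unquote(decoded)
    return decoded


def build_token_request(client_id, client_secret, *, code=None,
                        refresh_token=None, redirect_uri=None):
    """Return (url, form_body) for the token endpoint.

    The credentials and the code go in the POST body, not the URL query
    string, so the client secret and the one-time code stay out of access
    logs. Pass exactly one of `code` (authorization_code grant, first
    exchange) or `refresh_token` (refresh_token grant, later renewals).
    """
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    params = {"client_id": client_id, "client_secret": client_secret}
    if code is not None:
        params["grant_type"] = "authorization_code"
        params["code"] = normalize_code(code)
        if redirect_uri is not None:
            params["redirect_uri"] = redirect_uri
    else:
        params["grant_type"] = "refresh_token"
        params["refresh_token"] = normalize_code(refresh_token)
    # urlencode() percent-encodes each value once: '/' becomes '%2F' and the
    # server decodes it back to '/'. A value that already contained '%2F'
    # would come out as '%252F', which the server decodes to a literal '%2F'.
    return TOKEN_ENDPOINT, urlencode(params)


def server_view(form_body: str) -> dict:
    """Decode a form body once, the way the token endpoint will see it."""
    return {k: v[0] for k, v in
            parse_qs(form_body, keep_blank_values=True).items()}


def parse_token_response(text: str):
    """Parse the endpoint's JSON reply. Returns (ok, payload)."""
    payload = json.loads(text)
    return "error" not in payload, payload


if __name__ == "__main__":
    # Constructed inputs modelled on the two formats shown in the question.
    first_code = "4/rgFU-constructedExampleCode"
    encoded_later = "1%2FFTSUyYTgU2AG8K-constructedExampleToken"

    url, body = build_token_request("CLIENT_ID.apps.googleusercontent.com",
                                    "CLIENT_SECRET", code=first_code)
    print(url, "->", server_view(body)["code"])

    # Normalised refresh request: the server sees the raw '1/...' value.
    _, refresh_body = build_token_request(
        "CLIENT_ID.apps.googleusercontent.com", "CLIENT_SECRET",
        refresh_token=encoded_later)
    print("normalised:", server_view(refresh_body)["refresh_token"])

    # Double-encoded body, as sent when the '%2F' value is not decoded first.
    print("double-encoded:", server_view("code=1%252FFTS-constructed")["code"])

    ok, payload = parse_token_response(
        '{"error": "invalid_grant", "error_description": "Malformed auth code."}')
    print(ok, payload["error_description"])
```

server_view() applies a single percent-decoding, which is what a form-decoding endpoint does; comparing its output for a normalised request against a body built from an already-encoded value shows the '%2F' versus '%252F' difference without any network access. The request itself can then be sent with any HTTP client as a POST with Content-Type application/x-www-form-urlencoded and the returned body as its payload.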