Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OAuth - Invalid token: Request token used when not allowed

I'm trying to access Google's Documents List API 3.0 with OAuth 2.0 but I'm having some troubles with a 401 Error.

After user have accepted, my code is the following:

GoogleOAuthParameters oauthParameters = new GoogleOAuthParameters();
oauthParameters.setOAuthConsumerKey(CLIENT_ID);
oauthParameters.setOAuthConsumerSecret(CLIENT_SECRET);
oauthParameters.setOAuthToken(token);
oauthParameters.setOAuthTokenSecret(tokenSecret);
oauthParameters.setScope("https://docs.google.com/feeds/");

service = new DocsService("myapp");
service.setOAuthCredentials(oauthParameters, new OAuthHmacSha1Signer());

DocumentListFeed feed = service.getFeed(new URL("https://docs.google.com/feeds/default/private/full/?v=3"), DocumentListFeed.class);

Then, in the last line -getFeed()- throws the exception:

com.google.gdata.util.AuthenticationException: Token invalid - Invalid token: Request token used when not allowed.
<HTML>
<HEAD>
<TITLE>Token invalid - Invalid token: Request token used when not allowed.</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Token invalid - Invalid token: Request token used when not allowed.</H1>
<H2>Error 401</H2>
</BODY>
</HTML>

What's going on? On a static main test class works like a charm, but when I run it on the server this line does not works anymore. Any idea?


SOLVED

The access token needs to be retrieved this way, with a GoogleOAuthHelper, not with the GoogleOAuthParameters directly:

String accessToken = oauthHelper.getAccessToken(oauthParameters);
like image 848
xuso Avatar asked Apr 20 '12 08:04

xuso


People also ask

How do I fix invalid OAuth token?

There are two ways to fix the error: (RECOMMENDED) Change the application signature algorithm to RS256 instead of HS256. Change the value of your responseType parameter to token id_token (instead of the default), so that you receive an access token in the response.

What does invalid OAuth token mean?

This error means that the app has experienced an authentication problem and can't verify your account information. If it occurs, you'll be automatically signed out of your account. You need to sign in to your account to continue working on your projects.

Why does it say my token is invalid?

If you're trying to reset your password and you receive an error citing an “invalid token” or asking you for your token, it's likely that the link you clicked on to reset your password has expired. For security reasons, passwords are never sent out across the Internet.

Why OAuth Cannot be used for authentication?

Let's start with the biggest reason why OAuth isn't authentication: access tokens are not intended for the client application. When an authorization server issues an access token, the intended audience is the protected resource. After all, this is what the token is providing access to.


2 Answers

Here's how to add OAuth2.0 token to GData Service:

SpreadsheetService service = new SpreadsheetService("MySpreadsheetIntegration-v1");

service.setOAuth2Credentials(new Credential(BearerToken
    .authorizationHeaderAccessMethod())
    .setFromTokenResponse(new TokenResponse().setAccessToken(mToken)));

Make sure to import all the necessary libraries (which is a lot).

On Android token should be obtained using Google Play Services OAuth mechanism:

String token = GoogleAuthUtil.getToken(String email, String scopes);
like image 26
zavidovych Avatar answered Sep 26 '22 15:09

zavidovych


You are not using OAuth 2.0 but OAuth 1.0 with HMAC-SHA1 as the signature method. To use OAuth 2.0, you need at least version 1.47.0 of the gdata-java-client library and version 1.8.0-beta of the google-oauth-java-client library.

Using the google-api-java-client library provides helper classes to deal with Google's OAuth 2.0 implementation.

To retrieve OAuth 2.0 credentials, you can use this code snippet:

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeRequestUrl;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson.JacksonFactory;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

public class MyClass {

  // Retrieve the CLIENT_ID and CLIENT_SECRET from an APIs Console project:
  //     https://code.google.com/apis/console
  static String CLIENT_ID = "<YOUR_CLIENT_ID>";
  static String CLIENT_SECRET = "<YOUR_CLIENT_SECRET>";
  // Change the REDIRECT_URI value to your registered redirect URI for web
  // applications.
  static String REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob";
  // Add other requested scopes.
  static List<String> SCOPES = Arrays.asList("https://docs.google.com/feeds");

  /**
   * Retrieve OAuth 2.0 credentials.
   * 
   * @return OAuth 2.0 Credential instance.
   */
  static Credential getCredentials() throws IOException {
    HttpTransport transport = new NetHttpTransport();
    JacksonFactory jsonFactory = new JacksonFactory();

    // Step 1: Authorize -->
    String authorizationUrl =
        new GoogleAuthorizationCodeRequestUrl(CLIENT_ID, REDIRECT_URI, SCOPES).build();

    // Point or redirect your user to the authorizationUrl.
    System.out.println("Go to the following link in your browser:");
    System.out.println(authorizationUrl);

    // Read the authorization code from the standard input stream.
    BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
    System.out.println("What is the authorization code?");
    String code = in.readLine();
    // End of Step 1 <--

    // Step 2: Exchange -->
    GoogleTokenResponse response =
        new GoogleAuthorizationCodeTokenRequest(transport, jsonFactory, CLIENT_ID, CLIENT_SECRET,
            code, REDIRECT_URI).execute();
    // End of Step 2 <--

    // Build a new GoogleCredential instance and return it.
    return new GoogleCredential.Builder().setClientSecrets(CLIENT_ID, CLIENT_SECRET)
        .setJsonFactory(jsonFactory).setTransport(transport).build()
        .setAccessToken(response.getAccessToken()).setRefreshToken(response.getRefreshToken());
  }

  // …
}

Once you have the OAuth 2.0 credential, you can authorize a service object as follow:

// ...
import com.google.api.client.auth.oauth2.Credential;
import com.google.gdata.client.docs.DocsService;
import com.google.gdata.data.docs.DocumentListEntry;
import com.google.gdata.data.docs.DocumentListFeed;
import com.google.gdata.util.ServiceException;
// ...
import java.io.IOException;
import java.net.URL;
// ...

public class MyClass {
  // …

  /**
   * Print document entries using the provided authorized DocsService.
   * 
   * @param credential OAuth 2.0 credential to use to authorize the requests.
   * @throws IOException
   * @throws ServiceException
   */
  static void printDocuments(Credential credential) throws IOException, ServiceException {
    // Instantiate and authorize a new DocsService object.
    DocsService service = new DocsService("<YOUR_APPLICATION_NAME>");
    service.setOAuth2Credentials(credential);

    // Send a request to the Documents List API to retrieve document entries.
    URL feedUri = new URL("https://docs.google.com/feeds/default/private/full/");
    DocumentListFeed feed = service.getFeed(feedUri, DocumentListFeed.class);

    for (DocumentListEntry entry : feed.getEntries()) {
      System.out.println("Title: " + entry.getTitle().getPlainText());
    }
  }

  // ...
}

The CLIENT_ID, CLIENT_SECRET can be retrieved from the APIs Console and the REDIRECT_URI must match one that has been registered with your API Project.

like image 162
Alain Avatar answered Sep 25 '22 15:09

Alain