OAuth throws "missing code validator" in Google OAuth2

Question

I am following this example in an attempt to authenticate my users with the Google API.
Here is the relevant code I am using, almost exactly as in the example:

@app.route('/login/')
def login():
    flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
        'client_secret.json',
        scopes=['https://www.googleapis.com/auth/drive.file'])
    flow.redirect_uri = 'https://localhost:5000/oauth2callback/'
    authorization_url, state = flow.authorization_url(
        access_type='offline',
    include_granted_scopes='true')
    session['state'] = state
    return redirect(authorization_url)

#called by Google's oauth 
@app.route('/oauth2callback/')
def oauth2callback():
    state = request.args['state']
    # Use the client_secret.json file to identify the application requesting
    # authorization. The client ID (from that file) and access scopes are required.
    state = session['state']
    flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
        'client_secret.json',
        scopes=['https://www.googleapis.com/auth/drive.file'],
        state=state)
    flow.redirect_uri = url_for('oauth2callback', _external=True)

    authorization_response = request.url
    flow.fetch_token(authorization_response=authorization_response, code_verifier=False)

When I do this, it gives the error, oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Missing code verifier.

I do not know what a code verifier is, nor did the examples mention one.

The stack trace is available if anyone thinks it will help

How can I solve this issue? Any help is appreciated!

Answer 1

This seems to be a bug in the 0.4.0 version of google-auth-oauthlib (see this upstream issue; note that it has been reported after this SO question was posted).

You have the following options:

1. As a workaround, you can downgrade the used version:

   pip install --upgrade google-auth-oauthlib==0.3.0
   

2. Pass a custom code verifier when instantiating google_auth_oauthlib.flow.Flow(), which should be a random string of 43-128 characters used to verify the key exchange using PKCE:

   oauth2_session, client_config = google_auth_oauthlib.helpers.session_from_client_secrets_file(
       'client_secret.json',
       scopes=['https://www.googleapis.com/auth/drive.file']),
   )
   flow = google_auth_oauthlib.flow.Flow(
       oauth2_session,
       client_type='web',
       client_config=client_config,
       redirect_uri='https://localhost:5000/oauth2callback/',
       code_verifier='<random string>'
   )
   

   Note: The code is for your login() function. You will have to slightly adjust it to work in your oauth2callback() function.
3. Wait until the bug is fixed in upstream (provided that it is a bug). After that, the code verifier will be auto-generated when not provided.