
Google_Client::fetchAccessTokenWithAuthCode fails to fetch the token but does not throw. #1700

Closed
slepic opened this issue Sep 2, 2019 · 6 comments
Assignees
Labels
type: question Request for information or clarification. Not an issue.

Comments

@slepic

slepic commented Sep 2, 2019

Hello,

we have recently deployed google oauth authentication to register/login users to our application.
It works quite well, but sometimes we get the following error:

Google_Service_Exception
{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "errors": [
      {
        "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
        "domain": "global",
        "reason": "unauthorized"
      }
    ],
    "status": "UNAUTHENTICATED"
  }
}

The code that triggers this error looks like this:

$this->client->fetchAccessTokenWithAuthCode($code);
$userInfo = $this->oauth->userinfo->get();

The $this->client is an instance of Google_Client and $this->oauth is an instance of Google_Service_Oauth2. As I already said, it works fine for most cases, but sometimes the exception is thrown. And so I believe the client setup is ok and therefore I'm not including it here. What seems strange to me is that the error is thrown by Google_Service_Oauth2_Resource_Userinfo::get() and not by Google_Client::fetchAccessTokenWithAuthCode().

And so I want to ask 2 things:

  • why isn't an error thrown by the call to fetchAccessTokenWithAuthCode already?
  • and what does this situation actually mean? Is it when the user declines to grant the access? But that would seem strange, because the auth code is present in the request to our app and looks like any other regular auth code. One thing I noticed, there is also a query parameter prompt with value consent - not sure what it means and not sure if it is there in the cases when everything works fine, since we are not logging anything when it works....
@jdpedrie
Contributor

jdpedrie commented Sep 2, 2019

It's a bit hard to tell what the application flow is from what you've provided. Are you requesting access and immediately fetching the user data, or is there a delay? Is the $code coming from the user auth flow, or are you caching it and trying to use it to gain fresh access tokens on the fly?

Can you provide more of the setup, specifically related to how you're configuring the oauth access requests?

@jdpedrie jdpedrie added the type: question Request for information or clarification. Not an issue. label Sep 2, 2019
@slepic
Author

slepic commented Sep 2, 2019

Well the setup is done with a nette DI container builder like this (I hope it is obvious how it ultimately is done):

$oauthClient = $builder->addDefinition($this->prefix('oauth.client'))
    ->setType(\Google_Client::class)
    ->addSetup('setApplicationName', [$config['name']])
    ->addSetup('setAuthConfig', [$oauthConfig])
    ->addSetup('addScope', [$config['scopes']]);
$builder->addDefinition($this->prefix('oauth.service'))
    ->setType(\Google_Service_Oauth2::class)
    ->setArguments([$oauthClient]);

EDIT:
Actually found better in cache (the nulls are not really there in production):

$service = new Google_Client;
$service->setApplicationName(null);
$service->setAuthConfig(['client_id' => null, 'client_secret' => null, 'redirect_uris' => [null]]);
$service->addScope(['email', 'profile']);

and

$service = new Google_Service_Oauth2($this->getService('google.oauth.client'));

EDIT END

Yes, the $code is coming directly from the auth grant flow, after the user should have authorized our app the access to the provided scopes (just email and profile really) and is redirected to the configured redirect uri.
On this endpoint we immediately fetch the access token, obtain user info and even revoke the token. So these 3 lines are really immediately after each other (no caching, no other code in between):

$this->client->fetchAccessTokenWithAuthCode($code);
$userInfo = $this->oauth->userinfo->get();
$this->client->revokeToken();

But we just sometimes get the exception on the second line.

@slepic
Author

slepic commented Sep 2, 2019

Oh and "version": "v2.2.2"

@slepic
Author

slepic commented Sep 2, 2019

And here is how we use the client to redirect the user to the google auth server:

$previousState = $this->client->getConfig('state');
$this->client->setState($state);
$url = $this->client->createAuthUrl();
$this->client->setState($previousState);
return $url;

The $state there is something we generate and hash, and on the redirect uri endpoint this is already verified before we are fetching the access token from the $code.
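The redirect-endpoint flow from the comments above, as an added example that is not code from the issue or from google-api-php-client: it verifies the state, then treats a failed token exchange as an error before touching userinfo, which is where the 401 otherwise surfaces. The function name, the $query array, and the session-stored state are assumptions.

```php
<?php
// Added example (not from the issue or the google-api-php-client project).
// Assumes $client (Google_Client) and $oauth (Google_Service_Oauth2) are set up
// as in the issue, $query is the parsed callback query string, and
// $expectedState is the value generated before the redirect (e.g. from the session).
function completeGoogleLogin(Google_Client $client, Google_Service_Oauth2 $oauth, array $query, string $expectedState): array
{
    // State check first: a mismatch means this callback does not belong to a login we started.
    if (!isset($query['state']) || !hash_equals($expectedState, (string) $query['state'])) {
        throw new RuntimeException('OAuth state mismatch');
    }
    // A user who declines consent is sent back with error=access_denied and no code (RFC 6749 4.1.2.1).
    if (isset($query['error'])) {
        throw new RuntimeException('Authorization failed: ' . $query['error']);
    }
    if (empty($query['code'])) {
        throw new RuntimeException('Callback is missing the authorization code');
    }

    // fetchAccessTokenWithAuthCode() returns the token endpoint's response as an array.
    // As the issue title describes, a failed exchange (e.g. a reused or expired code)
    // comes back as ['error' => ..., 'error_description' => ...] instead of throwing,
    // and the client then carries no access token into userinfo->get().
    $token = $client->fetchAccessTokenWithAuthCode($query['code']);
    if (isset($token['error'])) {
        throw new RuntimeException(sprintf(
            'Token exchange failed: %s (%s)',
            $token['error'],
            $token['error_description'] ?? 'no description'
        ));
    }
    if (empty($token['access_token'])) {
        throw new RuntimeException('Token response contains no access_token');
    }

    try {
        $userInfo = $oauth->userinfo->get();
        // Only trust the address for account linking if Google marks it verified.
        return [
            'id' => $userInfo->getId(),
            'email' => $userInfo->getEmail(),
            'email_verified' => (bool) $userInfo->getVerifiedEmail(),
        ];
    } finally {
        // Revoke regardless of outcome, matching the issue's three-line flow.
        $client->revokeToken();
    }
}
```

With this in place a bad code exchange fails loudly at the token step, and the error_description can be logged to tell an expired or replayed code apart from a consent denial.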

@meredithslota

There were some minor bug fixes to auth in v2.2.3 (re: new auth URLs), v2.2.4 (re: documentation for cached auth tokens), and v2.4.1 (re: removing duplicated code) but a larger feature update in v2.12.2 (re: allowing the credentials object). I'm wondering if any of these fixed your issue?

@meredithslota meredithslota self-assigned this Feb 15, 2022
@slepic
Author

slepic commented Feb 15, 2022

@meredithslota Well, wow, this is really an old issue. We have updated the lib about 5 times since. Now we are running v2.12.1 and I don't remember when I have last seen this error. It's definitely not in our 14 day log history now :) I will reopen the issue if I see it ever again, but that seems unlikely at this point.

@slepic slepic closed this as completed Feb 15, 2022