-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Batch request for oauth2 token requests returns 400 Bad Request error #605
Comments
@SwapnaReddyL Can you please show the full traceback and error message? |
@tseaver It's http error "<HttpError 400 when requesting https://www.googleapis.com/oauth2/v4/token returned "Bad Request">" Here is what i found in response content : --batch_gHThtkbBoB8_AAJxz-pPuhE HTTP/1.1 400 Bad Request { --batch_gHThtkbBoB8_AAJxz-pPuhE-- I couldn't retrieve stack trace information on http error, but attaching screenshot of captured error. |
@SwapnaReddyL Do you have a specific reason for interacting with the OAuth2 API directly? In general, we recommend using one of the client libraries to interact with the OAuth2 endpoint. google-auth is the currently maintained library for Python. |
@busunkim96 its a legacy code in our application, i'm just trying to update code to use new_http_batch_request api with oauth2 service. |
Hoping to get some help on this, as this is blocking us on to proceed with google api client upgrade and affecting dependent teams. |
@SwapnaReddyL The batching looks correct to me (Batch requests in Python). Note that if you are putting more than 1000 calls in the batch request you will need to make multiple batch requests. It looks like it's the individual requests that don't have the correct fields.
A refresh request needs A refresh request should look like this:
And returns a response
|
If you do decide to use google-auth, the object will refresh the access token as needed. https://developers.google.com/identity/protocols/OAuth2WebServer#offline
This guide walks through how to use google-auth: OAuth2.0 for Web Server Applications |
I still see same issue with request matching to documentation ` POST /oauth2/v4/token HTTP/1.1 client_secret=<client_secret_key>&client_id=<client_id>&refresh_token=&grant_type=refresh_token ` And same request works fine when we directly invoke BatchHttpRequest.init instantiation which uses "https://www.googleapis.com/batch" batch_uri . It is failing when we create batch request using new_batch_http_request and in this case batch_uri is "https://www.googleapis.com/batch/oauth2/v2" |
Is there input on this batch request failure for "https://www.googleapis.com/batch/oauth2/v2" batch uri? |
Hey @SwapnaReddyL. Sorry about the confusion, I'm still learning about this myself. To summarize, it looks like things are working as intended. I would recommend you read all of OpenID Connect, which explains the OAuth2.0 flow from beginning to end. The Google OAuth2 API only deals with the To get a refresh token, you need to make requests to the |
@busunkim96 thanks for information. But nested requests in batch does use token_endpoint "POST /oauth2/v4/token HTTP/1.1" . Is the oauth2 service build('oauth2', 'v2', http=LoggingHttp()) right batch service for nested token requests? I also tried with "v1" version and by passing discoveryservice url manually "oauth_service = build('oauth2', 'v1', http=LoggingHttp(), discoveryServiceUrl='https://{api}.googleapis.com/$discovery/rest?' I see "HTTP/1.1 404 Not Found" issue now. |
I am doing some more investigating internally to see if this is the intended behavior. Unfortunately it may be a while because of the approaching holidays in the US. For now, you should be able to make a batch request to the token endpoint using raw HTTP requests.
|
We were doing batch request by directly invoking BatchHttpRequest.init initialization method, which actually uses "https://www.googleapis.com/batch". The reason we are trying to switching to new_http_batch_requests is due to WARNING seen after api client library upgrade. "You have constructed a BatchHttpRequest using the legacy batch " |
Yes, the global batch endpoint is being turned down. Please try https://oauth2.googleapis.com/batch which seems to be the batch endpoint for the token endpoint |
No luck yet. I still see 404 Not found with "Invalid Request" error. |
Could you provide a code snippet and/or the requests and responses you're getting? |
Please try the following combination of URIs BatchHttpRequest URI:
I suspect other combinations will work. It looks like what matters is that the outer BatchHttpRequest's URI and the inner request URI's match. BatchHttpRequest URI: OR BatchHttpRequest URI: |
I had shared request body in the same thread.
|
I received your response right after my comment, i will try out those combinations and let you know. But can you also take look at the body params in my comment? |
I tried "https://oauth2.googleapis.com/batch and https://oauth2.googleapis.com/token" combinations I see following with different body that i had explained above:
` Response is HTTP/1.1 400 Bad Request { `
` Response is --batch_X8Tdwmm-Kh72Cc16wMPR-4W5kX-v1QZg HTTP/1.1 401 Unauthorized { |
The body should like like the second one you have.
Everything looks fine except for the Is there a
https://developers.google.com/identity/protocols/OAuth2WebServer#exchange-authorization-code |
@busunkim96 thanks for your continuous support! |
Hi @busunkim96 , thanks for the helps on this issue. Some clarification w.r.t the context. The way we are using is More specifically, our service accounts use So the problem sounds like the NEW Token URL you provided somehow doesn't like the token request coming from BatchHttpRequest URI: https://oauth2.googleapis.com/batch Yes, our legacy code is heavily relying on But on the other hand, from what I can see that the latest google-auth library(replacement of With this additional information added, do you have any suggestion ? Any help would be highly appreciated. thank you -Bobby |
@busunkim96 @tseaver I'm sharing a script which helps to reproduce the issue that we see in our application to refresh access token using oauth2client service account and googleapiclient.http BatchHttpRequest . Also it might helpful to know, if there is a way to find source code for these new oauth2 token end points to debug. Here is the script that simulates our workflow to reproduce the issue and error
|
@bobbycloudlock Ah that makes sense. This is the guide on the OAuth 2.0 guide with service accounts, in case you haven't seen it yet. OAuth 2.0 for Service Accounts The JWT grant_type works fine with the token endpoint
Response:
Note that the error is @SwapnaReddyL’s script looks like it’s trying to use the OAuth2Credential’s method to refresh the token, which is separate from the service account flow. You should reference the function |
@busunkim96 during run time oauth2client/serviceaccount.py:: _generate_assertion method is invoked to generate assertion. With that we see invalid_grant error Following is the error message: /Users/swareddy/Documents/GitHub/platform-core2/npvenv/bin/python /Users/swareddy/Documents/GitHub/quickstart-python/drive/driveapp/oauthReq.py But we do use "https://oauth2.googleapis.com/token" in our request, as per your suggestion. Script references to "https://oauth2.googleapis.com/token" |
@busunkim96 Please provide your input on error message shared in previous message. Assertion code generated by same script works with legacy batch uri and "https://www.googleapis.com/oauth2/v3/token" api end points. |
Please confirm that the |
@busunkim96 by changing I'm going to integrate changes in our product and hoping things would work. |
@busunkim96 based on our last solution in terms of updating audiences list, token batch request was working with Note we are using following version of libs: Following is the stack trace: /Users/swareddy/Documents/GitHub/platform-core2/npvenv/bin/python /Users/swareddy/Documents/GitHub/quickstart-python/drive/driveapp/oauthReq.py Process finished with exit code 1 |
There was an internal bug, but it looks like it has been resolved as of today. Please let us know if you have any other problems. |
Thanks for confirming. Works now. |
Edit: Moved to #853 @busunkim96 Done. Thanks. |
@himalr Please open a new issue with your question. Repository maintainers are less likely to see posts to already-closed issues. Thanks. |
I'm using google api client 1.7.4 with python 2.7 and unable to make successful batch requests with new_batch_http_request api. I keep getting 400 Bad Request error
After debugging google api client lib, final request body is following :
`--===============6159072106655335965==
Content-Type: application/http
MIME-Version: 1.0
Content-Transfer-Encoding: binary
Content-ID: <943c8367-618b-4817-97d1-fe4f4005af25+0AL0173QlVaLoUk9PVA%40%40%3F%7C%3F%40%40administrator%40testcloudlockprimary1.com>
POST /oauth2/v4/token HTTP/1.1
Content-Type: application/json; charset=utf-8
MIME-Version: 1.0
Host: www.googleapis.com
content-length: 715
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<assertion_code>
`
Here is what code looks like :
###code to build batch request and nested requests#######
` logger.info('Refreshing credentials for %s users', len(creds_to_refresh))
###methods generating request body and headers###
`
The text was updated successfully, but these errors were encountered: