Some (but not all) Google accounts consistently respond with a 401 when trying to access the Google Calendar API despite tokeninfo telling me the access token I'm using has the proper scope (see curl output below). I can successfully obtain a new access token using a refresh token, but the calendar api continues to 401.
Does anyone have an idea why this might be happening?
$ curl -v https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[redacted]
* Trying 216.58.195.74...
* Connected to www.googleapis.com (216.58.195.74) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /oauth2/v3/tokeninfo?access_token=[redacted] HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Date: Tue, 18 Oct 2016 22:00:45 GMT
< Vary: X-Origin
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
"azp": "[redacted].apps.googleusercontent.com",
"aud": "[redacted].apps.googleusercontent.com",
"sub": "[redacted]",
"scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar",
"exp": "1476831626",
"expires_in": "3581",
"email": "[redacted]",
"email_verified": "true",
"access_type": "offline"
}
* Connection #0 to host www.googleapis.com left intact
$ curl -v https://www.googleapis.com/calendar/v3/users/me/calendarList?access_token=[redacted]
* Trying 216.58.195.74...
* Connected to www.googleapis.com (216.58.195.74) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /calendar/v3/users/me/calendarList?access_token=[redacted] HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Vary: X-Origin
< WWW-Authenticate: Bearer realm="https://accounts.google.com/", error=invalid_token
< Content-Type: application/json; charset=UTF-8
< Date: Tue, 18 Oct 2016 22:01:14 GMT
< Expires: Tue, 18 Oct 2016 22:01:14 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
* Connection #0 to host www.googleapis.com left intact
I was able to reproduce the situation by creating a google apps user whose sub-organization has Google Calendar turned off. Google will still allow the user to grant calendar access and will indicate the scope has been granted but will 401 in the way described when you try to call any Google Calendar API endpoints with their access token.
Google, please make your error message clearer or prevent the initial scope grant when requesting access to an app that has been turned off by an administrator!
This was happening for my client, even with Google Calendar enabled.
Turns out they'd let the free 14 day trial expire, and hadn't entered a credit card for payment. Error disappeared once they'd sorted that.
Related
I am testing a Firebase Message to my project. I am using the OAuth 2.0 playground to send the payload to the "messages:send" rest API.
However, when sending the request it is returns with "500 internet server error".
I do the same thing on another identical project (with a different project ID naturally) and it works with no problem. Does anyone know why?
I have enabled the API service in Google cloud.
The only difference is that I am logged in to a different Firebase Google account as they are 2 different projects for 2 separate clients.
EDIT: Additional information - this is only occurring when using Tokens generated from the Microsoft Edge browser. User tokens provided through Firefox and Chrome work fine.
HTTP Method: POST
Request URI: https://fcm.googleapis.com/v1/projects/myprojectnamehere/messages:send
Request:
POST /v1/projects/myprojectnamehere/messages:send HTTP/1.1
Host: fcm.googleapis.com
Content-length: 867
Content-type: application/json
Authorization: Bearer yj29.a0AV...........(removed for example code)
{
"message": {
"token": "thetokenId...(removed for example code)",
"data": {
"body":"Body of Your Notification in data",
"title":"Title of Your Notification in data",
"image":"http://image.shutterstock.com/image-vector/sample-stamp-rubber-style-red-260nw-1811246308.jpg",
"icon":"http://image.shutterstock.com/image-vector/sample-stamp-rubber-style-red-260nw-1811246308.jpg",
}
}
}
Response:
HTTP/1.1 500 Internal Server Error
Content-length: 253
X-xss-protection: 0
X-content-type-options: nosniff
Transfer-encoding: chunked
Vary: Origin, X-Origin, Referer
Server: scaffolding on HTTPServer2
-content-encoding: gzip
Cache-control: private
Date: Wed, 24 Aug 2022 14:17:43 GMT
X-frame-options: SAMEORIGIN
Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Content-type: application/json; charset=UTF-8
{
"error": {
"status": "INTERNAL",
"message": "Internal error encountered.",
"code": 500,
"details": [
{
"errorCode": "INTERNAL",
"#type": "type.googleapis.com/google.firebase.fcm.v1.FcmError"
}
]
}
}
When making requests to the Google OAuth2 API according to their documentation/guide, I keep getting 401 Unauthorized responses from https://accounts.google.com/oauth2/v4/token even though I swear I'm giving all the required fields:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 311
Content-Type: application/x-www-form-urlencoded
client_id=REDACTED
&client_secret=REDACTED
&code=REDACTED
&grant_type=authorization_code
&redirect_uri=https%3A%2F%2Flocalhost%2Fsso%3Fredirect%3D%252F
Response:
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
Vary: X-Origin
Vary: Referer
Date: Wed, 03 Jul 2019 16:14:15 GMT
Server: scaffolding on HTTPServer2
Cache-Control: private
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: quic=":443"; ma=2592000; v="46,43,39"
Accept-Ranges: none
Vary: Origin,Accept-Encoding
Transfer-Encoding: chunked
{
"error": "invalid_client",
"error_description": "Unauthorized"
}
I've checked and triple-checked my client_id, client_secret, authorized hosts and redirect_uri, and looked through similar problems on stack overflow, but nothing seems to work... why is this happening to me :(
It's because Google's guide/documentation are lying to you. That's not the right endpoint, and instead of saying so, it's giving you that extremely unhelpful error message. Hopefully, they'll be made aware of this SO post/answer and fix it. To find out the actual URL to use to obtain an authorization token, you can click on the "Download JSON" button on your credentials' view page on console.developers.google.com, instead of just copy/pasting the client_id and client_secret. Then you'll get something that looks like this:
{
"web": {
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"client_id": "REDACTED",
"client_secret": "REDACTED",
"javascript_origins": [
"https://localhost"
],
"project_id": "REDACTED",
"redirect_uris": [
"https://localhost/sso?redirect=%2F"
],
"token_uri": "https://oauth2.googleapis.com/token"
}
}
and there you have it. The REAL token URI.
I was getting following response after making a curl request to an endpoint
HTTP/2 200
date: Mon, 24 Jun 2019 10:11:39 GMT
content-type: text/html; charset=UTF-8
content-length: 1952
server: nginx
x-powered-by: Express
cache-control: public, max-age=0
last-modified: Tue, 21 May 2019 10:11:37 GMT
vary: Accept-Encoding
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-xss-protection: 1; mode=block;
accept-ranges: bytes
Ultimately, I don't want accept-ranges: bytes , instead it must be "accept-ranges: none"
I tried following in the nginx configurations
server {
.....
.....
.....
location / {
......
......
max_ranges 0;
proxy_force_ranges on;
......
}
}
What could be the possible issue ?
Did you tried removing "proxy_force_ranges on" ? It enables byte-range support for responses from the proxied server regardless of the “Accept-Ranges” field in these responses.
I have a problem that relates to the authentication with the google.
I followed the tutorials and finally managed to reach google site where I can select the choose an account section. Then I select one and get redirect to the local address: https://localhost:44377/signin-google?state ...
but there I get:
An unhandled exception occurred while processing the request.
Exception: OAuth token endpoint failure: Status: Unauthorized;Headers: Cache-Control: max-age=0, private
Date: Sat, 10 Feb 2018 22:14:21 GMT
Transfer-Encoding: chunked
Accept-Ranges: none
Server: GSE
Vary: X-Origin, Origin, Accept-Encoding
WWW-Authenticate: Bearer realm="https://accounts.google.com/"
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303338; quic=51303337; quic=51303335,quic=":443"; ma=2592000; v="41,39,38,37,35"
;Body: {
"error": "invalid_client",
"error_description": "Unauthorized"
}
;
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler+d__12.MoveNext()
Any help in investigating this would be very helpful.
I get an error when initializing a RavenDB documentstore that contains a machinename in the URL, combined with specifying a non default database i.e Multitenant.
I can only get store.Initialize() to work if I do not specify a default database.
My ConnectionString is http://somemachinename:8080;ResourceManagerId=d5723e19-92ad-4531-adad-8611e6e05c8b
Following code fails
var store = new DocumentStore
{
ConnectionStringName="RavenDB,
DefaultDatabase="TNW_Grc_CLient",
EnlistInDistributedTransactions=false
}
store.Initialize(); // fails with the following exception
with this message
Message = "Value cannot be null.\r\nParameter name: g"
Scenario:
a) The first time (if the database does not yet exist) this is called,
the call succeeds and I note that the raw http response is:
HTTP/1.1 201 Created
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
Location: /docs/Raven/Databases/TNW_Grc_Client
Server: Microsoft-HTTPAPI/2.0
Raven-Server-Build: 427
Date: Fri, 26 Aug 2011 19:45:23 GMT
X-Charles-Received-Continue: HTTP/1.1 100 Continue
Expires: 0
Cache-Control: no-cache
{"Key":"Raven/Databases/TNW_Grc_Client","ETag":"00000000-0000-0300-0000-000000000001"}
b) The second time the call fails. Debugging some, it appears the etag header is not sent from
the server but is somehow expected by the client code:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
Server: Microsoft-HTTPAPI/2.0
Raven-Server-Build: 427
Date: Fri, 26 Aug 2011 19:48:10 GMT
Expires: 0
Cache-Control: no-cache
{"Id":null,"Settings":{"Raven/DataDir":"~\\Tenants\\TNW_Grc_Client"}}
You can specify values on the connection string or on the document store properties, not both at the same time.