3
votes

In my attempts to get the necessary code so I can generate my refresh token, I ran this URL:

https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/drive.file&redirect_uri=--mywebsite--&response_type=code&client_id=--myclientid--

And my received code contains a trailing hash tag, which throws an (expected) error when I try to execute:

<cfhttp url="https://accounts.google.com/o/oauth2/token" method="post">
    <cfhttpparam name="code" value="4/UXF5F5TlIuFsXrav-DvIrebMR8NST9WK-EPmThmx7l0#" type="formfield"> <!-- Sample code value -->
    <cfhttpparam name="client_id" value="--myclientid--" type="formfield">
    <cfhttpparam name="client_secret" value="[client secret]" type="formfield">
    <cfhttpparam name="redirect_uri" value="--mywebsite--" type="formfield">
    <cfhttpparam name="grant_type" value="authorization_code" type="formfield">
</cfhttp>

ColdFusion was looking at the following text:

formfield

The CFML compiler was processing:

  • An expression that began on line 2, column 86.
    The expression might be missing an ending #, for example, #expr instead of #expr#.
  • The tag attribute value, on line 2, column 34.
  • A cfhttpparam tag beginning on line 2, column 10.

I tried adding a second hashtag to make it literal, but I receive a { "error" : "invalid_grant", "error_description" : "Invalid code." } response.

Am I missing something painfully obvious here? The tutorial I was following is at http://www.brandiandjohn.com/post.cfm/oauth-2-google-and-cfml-without-cfoauth

3
I think this might be a red herring. You are correct in doubling the hashtag. That will make ColdFusion send a single hashtag to Google. My guess is that there is something else wrong here. – Miguel-F
You are right. I did find a solution. – justacoder

3 Answers

1
votes

In order to continue with the existing code, you need to escape the #. You can do that by adding an extra # at the end. For example:

<!--- 
    <cfset value="4/UXF5F5TlIuFsXrav-DvIrebMR8NST9WK-EPmThmx7l0#">
    <cfoutput>#value#</cfoutput>
    Error
 --->
<cfset value="4/UXF5F5TlIuFsXrav-DvIrebMR8NST9WK-EPmThmx7l0##">
<cfoutput>#value#</cfoutput>
Output: 4/UXF5F5TlIuFsXrav-DvIrebMR8NST9WK-EPmThmx7l0#

So, you can try the code below:

<cfhttp url="https://accounts.google.com/o/oauth2/token" method="post">
    <!--- "##" is the CFML escape for a single literal "#" --->
    <cfhttpparam name="code" value="4/UXF5F5TlIuFsXrav-DvIrebMR8NST9WK-EPmThmx7l0##" type="formfield"> <!-- Sample code value -->
    <cfhttpparam name="client_id" value="--myclientid--" type="formfield">
    <cfhttpparam name="client_secret" value="[client secret]" type="formfield">
    <cfhttpparam name="redirect_uri" value="--mywebsite--" type="formfield">
    <cfhttpparam name="grant_type" value="authorization_code" type="formfield">
</cfhttp>

1
votes

The hashtag error was a red herring. I got around this by making the call to get the code and then the access token as a single action. By passing in url.code I received the necessary credentials.

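<!--- result="foo" stores the response in the variable dumped below --->
<cfhttp url="https://accounts.google.com/o/oauth2/token" method="post" result="foo">
    <!--- url.code is the code query parameter of the redirect request --->
    <cfhttpparam name="code" value="#url.code#" type="formfield">
    <cfhttpparam name="client_id" value="--myclientid--" type="formfield">
    <cfhttpparam name="client_secret" value="[client secret]" type="formfield">
    <cfhttpparam name="redirect_uri" value="--mywebsite--" type="formfield">
    <cfhttpparam name="grant_type" value="authorization_code" type="formfield">
</cfhttp>

<!--- filecontent is the raw body of the token endpoint's response --->
<cfdump var="#foo.filecontent#">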

Manually pasting the code into the cfhttpparam tag, even without the hashtag, would throw a 400 error. This way, it does not.

0
votes

The user agent that sent you the code should have stripped the "#" character, see: Google OAuth service redirects to URL with a # sign at the end. Apparently it did not (and as such that user agent is broken) but you can strip it manually in your code before sending it off.
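
The last two answers combined into one redirect handler, as an added example that is not code from the original posts: it strips a stray "#" from url.code and exchanges the code in the same request that received it, since an authorization code is short-lived and can be used only once. The variable names (authCode, tokenResponse, token, refreshToken) are assumptions, and the client values are the page's placeholders.

```cfml
<!--- Added example: handler for the page that Google redirects back to. --->
<cfset clientId     = "--myclientid--">
<cfset clientSecret = "[client secret]">
<cfset redirectUri  = "--mywebsite--">

<cfparam name="url.code" default="">

<!--- Drop a stray fragment marker: everything from the first "#" onward.
      Inside a CFML string, "##" is one literal "#". --->
<cfset authCode = reReplace(trim(url.code), "##.*$", "")>

<cfif not len(authCode)>
    <cfabort showerror="No authorization code in the callback request.">
</cfif>

<!--- Exchange the code immediately; a code copied by hand and replayed
      later may already be expired or consumed. --->
<cfhttp url="https://accounts.google.com/o/oauth2/token" method="post" result="tokenResponse">
    <cfhttpparam name="code" value="#authCode#" type="formfield">
    <cfhttpparam name="client_id" value="#clientId#" type="formfield">
    <cfhttpparam name="client_secret" value="#clientSecret#" type="formfield">
    <cfhttpparam name="redirect_uri" value="#redirectUri#" type="formfield">
    <cfhttpparam name="grant_type" value="authorization_code" type="formfield">
</cfhttp>

<!--- Parse defensively: the body is JSON on success and on OAuth errors,
      but may be something else if the request never reached the endpoint. --->
<cfif isJSON(tokenResponse.fileContent)>
    <cfset token = deserializeJSON(tokenResponse.fileContent)>
<cfelse>
    <cfset token = { error = "non_json_response" }>
</cfif>

<cfif structKeyExists(token, "error")>
    <!--- e.g. invalid_grant; encode before echoing anything from the response --->
    <cfoutput>Token exchange failed: #encodeForHTML(token.error)#</cfoutput>
<cfelseif structKeyExists(token, "refresh_token")>
    <!--- Keep tokens server-side; do not dump them into the page. --->
    <cfset refreshToken = token.refresh_token>
    <cfoutput>Refresh token received.</cfoutput>
<cfelse>
    <cfoutput>Response contained no refresh_token.</cfoutput>
</cfif>
```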