7
votes

We're having an issue generating an access token using an OAuth2 Service Account for Google Apps Marketplace users. The token generated here would be used for accessing Google APIs (Contacts, Calendar, Mail, Admin SDK APIs), and thus all the Google integrations within our services are failing. This started failing abruptly from March 9th 8AM PST. Can you please consider this as high priority and let us know the reason for the issue or if we have missed something here. We are getting API response as

{ "error": "invalid_request" }

Please find below the sample requests with all the headers and params for 2 sample requests for the "https://www.googleapis.com/oauth2/v4/token" (as in documentation) and "https://accounts.google.com/o/oauth2/token" endpoints. Both result in an error message with responses { "error": "internal_failure", "error_description": "Invalid Value"} and { "error": "invalid_request" } respectively.

P.S: The service email address and private key files used for generating the below signature in the sample requests work if we use the respective Google Client libraries. But we are making use of Google's REST APIs. We've created a sample application in Google APIs console for testing with new service account details and this results in the same exception.

URL:

https://www.googleapis.com/oauth2/v4/token

Headers:

Content-Type:application/x-www-form-urlencoded

BODY:

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjQvdG9rZW4iLCJzdWIi OiJqYWdzQHNvbHV0aW9udGVzdC5jb20iLCJzY29wZSI6Imh0dHBzOi8vbWFpbC5nb29nbGUuY29t LyIsImlzcyI6IjQ2OTU3MTY1OTAxNUBkZXZlbG9wZXIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImV4 cCI6MTQ1NzU5NTkwMCwiaWF0IjoxNDU3NTkyMzAwfQ==.VrsqS0nYSUVZn_SwMi7UJEYLDqRcWLzPrF9o6av-t1IYZbRkTybEdcnwWeUfnYXl_F88gFTllmRg LSTBahM5gqpZrEAaWrRiDEVTo6rcN3hWm7MHcmZbwgdJB8B0ObV0Ivp5aTdLC5HcqsOumJvYpDCF SyGU8StSg9pDujERzOo=

Response:

code:400 { "error": "internal_failure", "error_description": "Invalid Value" }

URL:

https://accounts.google.com/o/oauth2/token

Headers:

Content-Type:application/x-www-form-urlencoded

BODY:

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3d3dy5nb29nbGVhcGlzLmNvbS9vYXV0aDIvdjQvdG9rZW4iLCJzdWIi OiJqYWdzQHNvbHV0aW9udGVzdC5jb20iLCJzY29wZSI6Imh0dHBzOi8vbWFpbC5nb29nbGUuY29t LyIsImlzcyI6IjQ2OTU3MTY1OTAxNUBkZXZlbG9wZXIuZ3NlcnZpY2VhY2NvdW50LmNvbSIsImV4 cCI6MTQ1NzU5NTkwMCwiaWF0IjoxNDU3NTkyMzAwfQ==.VrsqS0nYSUVZn_SwMi7UJEYLDqRcWLzPrF9o6av-t1IYZbRkTybEdcnwWeUfnYXl_F88gFTllmRg LSTBahM5gqpZrEAaWrRiDEVTo6rcN3hWm7MHcmZbwgdJB8B0ObV0Ivp5aTdLC5HcqsOumJvYpDCF SyGU8StSg9pDujERzOo=

Response:

code:400 { "error": "invalid_request" }

EDIT: Sample request as in the documentation. This code was working for us for the past 2 years and suddenly it stopped working yesterday.

POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.ixOUGehweEVX_UKXv5BbbwVEdcz6AYS-6uQV6fGorGKrHf3LIJnyREw9evE-gs2bmMaQI5_UbabvI4k-mQE4kBqtmSpTzxYBL1TCd7Kv5nTZoUC1CmwmWCFqT9RE6D7XSgPUh_jF1qskLa2w0rxMSjwruNKbysgRNctZPln7cqQ

1
Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. See: How to create a Minimal, Complete, and Verifiable example. - DaImTo
@DalmTo My question clearly states that we're having an issue in generating access token from the documentation link provided developers.google.com/identity/protocols/… But we are seeing error message as "{ "error": "invalid_request" }" - Jagadeesh
Create a small example hunk of code that fails and post that so we can help you debug it. Without seeing your code no one can help you fix it. - DaImTo
We suddenly started having the same issue on the 9th of March! Can someone at Google please shed some light on this?? - and_apo
@Andreas Google has confirmed that there is some issue on their side. Will update on the status here - Jagadeesh

1 Answer

0
votes

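It worked after changing the sun.misc.BASE64Encoder encoding part in my code for generating the JWT token.

import sun.misc.BASE64Encoder;
byte[] encode = new BASE64Encoder().encode(data).replaceAll("\\s", "").getBytes(); // encode() is an instance method; \\s strips \n and \r\n line breaks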

(or)

Change your BASE64Encoder encoding part while generating jwt token from sun.misc.BASE64Encoder to org.apache.commons.codec.binary.Base64 as

import org.apache.commons.codec.binary.Base64;
byte[] encode = Base64.encodeBase64(data); // static method; the output is not split into lines

Add comments if anyone needs any clarification.

This solution was provided by Google.
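
The failure mode described in this thread, shown as an added example that is not part of the original answer or of Google's code: a line-wrapping Base64 encoder puts line breaks (and `=` padding) inside the JWT segments, while RFC 7515 calls for unpadded base64url. It assumes Java 8+ and uses `java.util.Base64.getMimeEncoder()`, which also wraps at 76 characters, as a stand-in for `sun.misc.BASE64Encoder`; the class name, method names and claim values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Pattern;

public class JwtSegmentLint {
    private static final Pattern WHITESPACE = Pattern.compile("\\s");
    private static final Pattern OTHER_INVALID = Pattern.compile("[^A-Za-z0-9_=\\s-]");

    // RFC 7515 segment encoding: base64url alphabet, no '=' padding, no line breaks.
    static String base64Url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    // Returns one finding per problem; an empty list means the token is well-formed.
    static List<String> lint(String jwt) {
        List<String> findings = new ArrayList<>();
        String[] names = {"header", "payload", "signature"};
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            findings.add("expected 3 dot-separated segments, found " + parts.length);
            return findings;
        }
        for (int i = 0; i < 3; i++) {
            String p = parts[i];
            if (WHITESPACE.matcher(p).find()) findings.add(names[i] + ": whitespace or line break");
            if (p.contains("=")) findings.add(names[i] + ": '=' padding");
            if (OTHER_INVALID.matcher(p).find()) findings.add(names[i] + ": non-base64url character");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed claims, long enough that a wrapping encoder splits the output.
        byte[] header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8);
        byte[] claims = ("{\"iss\":\"svc@example.invalid\",\"scope\":\"https://mail.google.com/\","
                + "\"aud\":\"https://www.googleapis.com/oauth2/v4/token\"}").getBytes(StandardCharsets.UTF_8);
        byte[] sig = new byte[128]; // placeholder bytes, not a real RSA signature
        Base64.Encoder mime = Base64.getMimeEncoder(); // wraps lines, like sun.misc.BASE64Encoder
        String wrapped = mime.encodeToString(header) + "." + mime.encodeToString(claims)
                + "." + mime.encodeToString(sig);
        String clean = base64Url(header) + "." + base64Url(claims) + "." + base64Url(sig);
        System.out.println("line-wrapping encoder: " + lint(wrapped));
        System.out.println("base64url encoder:     " + lint(clean));
    }
}
```

Running `lint` on an assertion before it is POSTed to the token endpoint separates an encoding defect like this one from a key or claim problem.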