7
votes

I get 404 errors while following step by step the "Using OAuth 2.0 for Web Server Applications" help page.

I use http/rest requests.

Everything is OK until step 5: "Exchange authorization code for refresh and access tokens".

My request (POST or GET) returns a 404 error: "Not Found". Here is my request, the same as in the guide:

https://www.googleapis.com/oauth2/v4/token?
code=4/_XXXXXXXXXXXXXXXXXXX__XXXXXXXXXXXXXX-XXXXXX?&client_id=012345678912-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.apps.googleusercontent.com&client_secret=XXXXXXXXXXXXXXXXXXX_XXXX&grant_type=authorization_code&redirect_uri=http%3a%2f%2fwww.mydomain.com%3a50000%2fMyPage

Here is the related part of the guide:

"To exchange an authorization code for an access token, call the https://www.googleapis.com/oauth2/v4/token endpoint and set the following parameters:

Fields

code The authorization code returned from the initial request.

client_id The client ID obtained from the API Console.

client_secret The client secret obtained from the API Console.

redirect_uri One of the redirect URIs listed for your project in the API Console.

grant_type As defined in the OAuth 2.0 specification, this field must contain a value of authorization_code."

I think there is a problem with the service URL. Am I wrong?

Can anyone provide the working URL?

2 Answers

6
votes

A working request would be

POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-length: 233
content-type: application/x-www-form-urlencoded
user-agent: google-oauth-playground

code=4%2FKxoYTS-jeq5-d6Lv7YvSz9ZrK0pJ_5lZsMExzNC1M0o&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=407408718192.apps.googleusercontent.com&client_secret=************&scope=&grant_type=authorization_code

Note that:-

  1. It's a POST, so the code= etc. is the request body, not the URL.
  2. Because it's a POST, make sure the content-type header is correct, i.e. "application/x-www-form-urlencoded".
  3. If the Access Code contains non-alphanumerics, e.g. the "/" in the second character, it needs to be URL-encoded. This is often done by the HTTP library you are using (e.g. jQuery, Angular $http, etc.). Check the wire to see if it's being done correctly.
  4. I doubt very much that the Authorization Code contains a question mark. If (and only if) it does, it needs to be URL-encoded.

3
votes

Step two in the auth flow is an HTTP POST.

https://www.googleapis.com/oauth2/v4/token
code={The code from step one}&client_id={ClientId}&client_secret={ClientSecret}&redirect_uri={RedirectURI}&grant_type=authorization_code

The main difference I see is that you have a ? tacked on the end of the URL, which is not needed. Remember you need to post the string exactly as I have shown it, with the &'s, as a string.

This is my tutorial on Google 3 Legged OAuth2 Flow; it might help.
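
The points made in both answers (POST, parameters in a form-encoded body, nothing appended to the URL), as an added Python example that is not part of either answer. It builds the exchange request without sending it and checks a request for those mistakes; the helper names and the sample credential values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_ENDPOINT = "https://www.googleapis.com/oauth2/v4/token"  # endpoint quoted on this page
REQUIRED = ("code", "client_id", "client_secret", "redirect_uri", "grant_type")
FORM = "application/x-www-form-urlencoded"


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Return (method, url, headers, body) for the code exchange; nothing is sent."""
    fields = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    # urlencode percent-encodes each value, so the "/" in the code becomes %2F.
    return "POST", TOKEN_ENDPOINT, {"Content-Type": FORM}, urlencode(fields)


def lint_token_request(method, url, headers, body):
    """List the mistakes the answers describe (hypothetical helper).

    Assumes header names are spelled exactly "Content-Type" in the dict.
    """
    issues = []
    if method.upper() != "POST":
        issues.append("method is not POST")
    # Query strings also tend to be recorded in access logs and proxies,
    # which would expose client_secret and the authorization code.
    if urlsplit(url).query or url.endswith("?"):
        issues.append("parameters or a stray '?' on the URL; they belong in the body")
    if headers.get("Content-Type", "").split(";")[0].strip().lower() != FORM:
        issues.append("Content-Type is not " + FORM)
    parsed = parse_qs(body or "", keep_blank_values=True)
    missing = [name for name in REQUIRED if name not in parsed]
    if missing:
        issues.append("body is missing: " + ", ".join(missing))
    return issues


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    request = build_token_request("4/EXAMPLE-code_value", "EXAMPLE_ID.apps.googleusercontent.com",
                                  "EXAMPLE_SECRET", "http://www.mydomain.com:50000/MyPage")
    print(request[3])
    print(lint_token_request(*request))
    # The shape used in the question: everything on the URL, empty body.
    print(lint_token_request("POST", TOKEN_ENDPOINT + "?code=4/x?&grant_type=authorization_code", {}, ""))
```
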