Kirill

Reputation: 15

Scopes validation error on oauth1 3lo to oauth2 tokens migration

I get an error on oauth1 to oauth2 token migration: Requested scopes have not been previously approved.

Scopes
https://docs.google.com/feeds/
https://spreadsheets.google.com/feeds/
https://docs.googleusercontent.com/

were authorized for oauth1 tokens and that was enough for GAMv1 to GAMv2 migration (target OAuth2 scope is https://www.googleapis.com/auth/drive).

I tried to use the API which is described at https://developers.google.com/accounts/docs/OAuth_ref

This is an example of my request:

    POST /o/oauth2/token HTTP/1.1
    Authorization: OAuth realm="", oauth_signature="ZFA3Cx8Gxyz4YRmELO6uu2urOsM%3D", oauth_nonce="618148508599347", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="XXXXXX.apps.googleusercontent.com", oauth_token="YYYY", oauth_timestamp="1386762587"
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 248
    Host: accounts.google.com
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Amigration%3Aoauth1&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&client_id=TTTTTTT.apps.googleusercontent.com&client_secret=ZZZZZZZZZZZZZ

Also, another important question in my situation: Is it possible to convert the following scopes: https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile

if the oauth1 token is authorized for https://docs.google.com/feeds/ only?
I am asking because in the Google Apps Marketplace configuration, for example, these scopes are default, and can't be removed. So it will be great to get these scopes after token migration.

Upvotes: 0

Views: 408

Answers (2)

Miguel Andres

Reputation: 1430

It is not possible to change the list of approved scopes during the migration. The exception being the case in which downscoping is desired. So, if an OAuth1 token is valid for scopes A,B,C, it is possible to "downscope" it to an OAuth2 token containing only A, or B, or C (or any combination of those) by including the scope parameter in the migration request. If the scope parameter is not present, then the migrated OAuth2 token will contain the same scopes as the original OAuth1 token.

On the other hand, if the request contains a scope that is not included in the list of approved scopes of the OAuth1 token, then the request will fail -- this being the case with your migration request (as the www.googleapis.com/auth/drive scope is not included in your OAuth1 token).

Hope that helps!

Upvotes: 1
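
The scope rule described in this answer, written as a client-side pre-flight check that runs before the migration request is sent. This is an added example, not code from the answer or from Google: the function names and the local exception are hypothetical, the client credentials are placeholders supplied by the caller, and joining several scopes with spaces follows the general OAuth 2.0 convention.

```python
from urllib.parse import urlencode

# Grant type as it appears (URL-decoded) in the request shown in the question.
MIGRATION_GRANT = "urn:ietf:params:oauth:grant-type:migration:oauth1"

# Scopes quoted in the question.
OAUTH1_SCOPES = [
    "https://docs.google.com/feeds/",
    "https://spreadsheets.google.com/feeds/",
    "https://docs.googleusercontent.com/",
]
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"


class UnapprovedScopeError(ValueError):
    """Raised locally when a requested scope is not on the OAuth1 token."""

    def __init__(self, unapproved):
        self.unapproved = sorted(unapproved)
        super().__init__("not approved for the OAuth1 token: " + " ".join(self.unapproved))


def _normalize(scopes):
    """Strip whitespace and drop empty entries; None becomes an empty set."""
    return {s.strip() for s in (scopes or []) if s.strip()}


def resulting_scopes(approved, requested=None):
    """Scopes the migrated OAuth2 token would carry, per the rule in the answer."""
    approved, requested = _normalize(approved), _normalize(requested)
    if not requested:
        return approved              # no scope parameter: same scopes as before
    unapproved = requested - approved
    if unapproved:
        raise UnapprovedScopeError(unapproved)   # the server would reject this
    return requested                 # downscoping to a subset


def build_migration_body(client_id, client_secret, approved, requested=None):
    """Form-encoded POST body; raises before anything is sent if scopes are invalid."""
    granted = resulting_scopes(approved, requested)
    params = {"grant_type": MIGRATION_GRANT,
              "client_id": client_id, "client_secret": client_secret}
    if _normalize(requested):
        params["scope"] = " ".join(sorted(granted))
    return urlencode(params)
```

Calling `build_migration_body` with `OAUTH1_SCOPES` as the approved set and `DRIVE_SCOPE` as the requested scope raises `UnapprovedScopeError`, which mirrors the failure in the question; requesting only least-privilege subsets of the approved scopes succeeds.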

breno

Reputation: 3306

OAuth1 to OAuth2 migration does not affect the set of scopes that your application has been authorized to. Most scopes are not specific to OAuth1 or OAuth2. Scopes indicate which APIs / datasets the user (or in this case, the corporate / small business IT administrator) has granted access to your application. The only exception is that some APIs can only accept OAuth2 (and hence there are some scopes that are only really useful in OAuth2 tokens).

In other words, if you want to migrate your grants from OAuth1 to OAuth2 the same set of scopes will be migrated. If you need to access a new API (in your case it appears you're looking for a new scope to call the Google Drive API), you'd need to ensure that the OAuth1 tokens already include the drive scope for successful migration.

Upvotes: 0
