Google Cloud Print - Authorization Code exchange gives 401: unauthorized_client

Question

I am trying to create a C# project that will walk a user through the registration of a new Google Cloud Print Printer. I've read every piece of documentation and troubleshooting I can find, and I'm still stumped.

Full details of Google's instructions can be read here.

The flow is supposed to go like this:

1. Printer makes an unauthenticated request to /register
2. Printer directs user to an invite URL
3. User logs in and claims printer
4. Printer polls a Url until user claims
5. Once claimed, printer gets an Auth Code
6. Printer exchanges Auth code for Access/Refresh tokens

I'm having trouble with step 6, as it always returns a 401: unauthorized_client error.

As I understand it from the documentation, at step 1, Google is creating a "Robot" (or Service) account for the printer, and the user is only associating themselves with this account as the owner. The printer is supposed to have its own access token to utilize the cloud print API and receive XMPP messages (jobs, etc.).

I have a theoretical work-around by having the user explicitly allow my project access to the /cloudprint and /googletalk APIs, then using the access and refresh tokens from the user's login to control the printer, but I'm afraid the robot account's JabberId will be inaccessible, as I have never exchanged the Auth code successfully.

I've been mostly using https://apigee.com/console/others to simulate the various http posts to Google, so I don't really have any code to show at the moment. Here is the POST for Step 6 being sent (with my client IDs hidden):

POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Length: 250
X-Target-URI: https://accounts.google.com
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive

client_id=xxxxxxxxxx-xxxxxxxxxxxxxxxx.xxxxxxxxxxxx.apps.googleusercontent.com&
redirect_uri=oob&
client_secret=xxxxxxxxxxxxxxxxxxx-xxxxxxxxx&
grant_type=authorization_code&
code=4/ql0tDrttiY-xxxxxxxxxxxxxxxXXXXXXXXXxxxxxxxxxxxx

Please note that this exact same request works perfectly when I get an auth code for a specific user that grants access to the APIs. I can also retrieve fresh access tokens utilizing the refresh token, though that API isn't quite correctly documented either; I need to replace "code" with "refresh_token", but the error message it gave was at least useful.

One other piece of information is that in Google Developer's Console, my Client ID is for a "native application", which wasn't specified anywhere in the documentation but seems to be heavily implied by the default (and unchangeable) Redirect Uris. I have tried using a Client Id for a Web Application, and I get the same result.

Thank you in advance for any clues or help you can give me.

Answer 1

So, I think I've discovered what the issue is.

During Step 4 (when I retrieve the Authorization Code), Google takes whatever value you give it for the OAuth_client_id parameter, without checking to see that it's actually a valid Client ID. I had an extra space in the URL parameter, which I didn't notice and no error was given. The Auth Code returned must have incorporated this space as part of the Client ID it was expecting in Step 6, which I was not (of course) providing. I only discovered my mistake by recreating everything from scratch.

Hope this helps someone else in the future.

Here are the POSTs I was making, for anyone looking for examples:

POST to /Register that creates a new printer

Follow returned complete_invite_url link and claim the printer with your Google account.

POST to Polling URL

POST to OAuth2 API

POST to /delete to clean up

Good luck to everyone using this API!