Reputation: 12839
I am stuck with the OAuth1 migration to OAuth2. I don't want to ask my users to grant contact access again, so I prefer to do the migration myself, but I am having a hard time figuring out why it doesn't work.
I'm getting this error from the Google server:
DEBUG - << " "error" : "invalid_request",[\n]"
DEBUG - << " "error_description" : "Invalid authorization header."[\n]"
Here is my code. I did almost the same thing when consuming the Google API, but for the migration it is not working.
```java
// OAuth1 parameters: consumer key/secret and the existing OAuth1 access token
GoogleOAuthParameters oauthParameters = new GoogleOAuthParameters();
oauthParameters.setOAuthConsumerKey(getConsumerKey());
oauthParameters.setOAuthConsumerSecret(getConsumerSecret());
oauthParameters.setOAuthToken(token);

// RSA-SHA1 signer backed by the PKCS#8 private key on the classpath
ClassPathResource cpr = new ClassPathResource("mykey.pk8");
File file = cpr.getFile();
PrivateKey privKey = getPrivateKey(file);
OAuthRsaSha1Signer signer = new OAuthRsaSha1Signer(privKey);
GoogleOAuthHelper oauthHelper = new GoogleOAuthHelper(signer);

// Signed OAuth1 Authorization header for the token endpoint
String requestUrl = "https://www.googleapis.com/oauth2/v3/token";
String header = oauthHelper.getAuthorizationHeader(requestUrl, "POST", oauthParameters);

// Form body carrying the migration grant type and the OAuth2 client credentials
String payload = "grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&client_id="+com.app.framework.utils.OAuthHelper.OAUTH2_CLIENT_ID+"&client_secret="+com.app.framework.utils.OAuthHelper.OAUTH2_CLIENT_SECRET;

HttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost(requestUrl);
httpPost.addHeader("Authorization", header);
httpPost.addHeader("Content-Type", "application/x-www-form-urlencoded");
httpPost.setEntity(new ByteArrayEntity(payload.getBytes()));
String response = httpClient.execute(httpPost, new BasicResponseHandler());
```
Upvotes: 0
Views: 331
Reputation: 12839
After an email exchange with @Miguel, he successfully pointed me to the solution.
The issue:
The OAuthHelper that GoogleOAuthHelper extends uses TwoLeggedOAuthHelper to build the base_string. The TwoLeggedOAuthHelper was not injecting 3 required parameters: client_id, client_secret and the grant_type in the base_string.
The solution:
I had to create my own classes: copy/paste code from OAuthHelper to MyOAuthHelper and from TwoLeggedOAuthHelper to MyTwoLeggedOAuthHelper. You need some declarations from GoogleOAuthHelper to resolve compilation errors.
MyOAuthHelper will call MyTwoLeggedOAuthHelper instead of TwoLeggedOAuthHelper.
Now in MyTwoLeggedOAuthHelper, around line 79, locate the line

```java
String baseString = OAuthUtil.getSignatureBaseString(baseUrl, httpMethod,…
```

and add the following:

```java
// Body parameters, already percent-encoded for the base string ("=" is %3D, "&" is %26)
String clientId = "client_id%3DXXX123456789XXX.apps.googleusercontent.com%26";
String clientSecret = "client_secret%3DXXXX_XXXX_XX_XX%26";
String grantType = "grant_type%3Durn%253Aietf%253Aparams%253Aoauth%253Agrant-type%253Amigration%253Aoauth1%26";
// "token&" is the end of the encoded request URL; the parameters go right after it
baseString = StringUtils.replace(baseString, "token&", "token&" + clientId + clientSecret + grantType);
```
Some notes:
client_id and client_secret must be the ones your backend used to get the OAUTH1 access token. Be careful with that, especially if you have multiple "Client ID for web application" entries defined in your Google console.
Notice the crazy grant_type encoded twice.
The Google classes used are located in maven: com/google/gdata/core/1.47.1/core-1.47.1.jar
Kudos to @Miguel
Upvotes: 1
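Why the workaround above places the three body parameters right after "token&" and why grant_type ends up encoded twice, shown as an added example that is not code from the original posts or from the gdata library: RFC 5849 puts form-encoded body parameters into the signature base string alongside the oauth_* parameters, sorts them by name, and percent-encodes each value once on its own and once more as part of the joined parameter string. The class name, placeholder credentials and oauth_* values below are constructed for illustration, and the URL is assumed to be already normalized with no query string.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Map;
import java.util.TreeMap;

public class MigrationBaseString {

    // RFC 3986 percent-encoding as required by RFC 5849 section 3.6;
    // URLEncoder is form-encoding, so its three differences are patched.
    static String enc(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Base string = METHOD & enc(url) & enc(sorted "name=value" pairs joined by "&").
    // Assumes unique parameter names (duplicates would also need sorting by value).
    static String baseString(String method, String url, Map<String, String> params)
            throws UnsupportedEncodingException {
        // First pass: encode every name and value, sorted by encoded name.
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            sorted.put(enc(e.getKey()), enc(e.getValue()));
        }
        StringBuilder normalized = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet()) {
            if (normalized.length() > 0) normalized.append('&');
            normalized.append(e.getKey()).append('=').append(e.getValue());
        }
        // Second pass: the joined string is encoded again, so ":" becomes %253A.
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(normalized.toString());
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new TreeMap<>();
        // Form body parameters (placeholder credentials, not real values)
        p.put("grant_type", "urn:ietf:params:oauth:grant-type:migration:oauth1");
        p.put("client_id", "CLIENT_ID_PLACEHOLDER");
        p.put("client_secret", "CLIENT_SECRET_PLACEHOLDER");
        // oauth_* protocol parameters (constructed sample values)
        p.put("oauth_consumer_key", "example.com");
        p.put("oauth_nonce", "constructed-nonce");
        p.put("oauth_signature_method", "RSA-SHA1");
        p.put("oauth_timestamp", "1400000000");
        p.put("oauth_token", "constructed-oauth1-token");
        // Prints POST&https%3A%2F%2F...%2Ftoken&client_id%3D...%26client_secret%3D...
        // %26grant_type%3Durn%253Aietf%253A...%26oauth_consumer_key%3D... on one line.
        System.out.println(baseString("POST", "https://www.googleapis.com/oauth2/v3/token", p));
    }
}
```

Because client_id, client_secret and grant_type sort before every oauth_* name, they land immediately after the encoded URL, which is the position the string replacement in the answer targets.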
Reputation: 1430
Your request is failing signature verification. Please check out the responses to this related question for detailed instructions on how to construct the base string for your request and sign it.
Hope that helps!
Upvotes: 0