Jan Krüger

Reputation: 18530

Google's OpenID Connect says: OAuth 2 parameters can only have a single value: client_id

As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to the documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.

Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code nor the libraries used by it.

The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:

OAuth 2 parameters can only have a single value: client_id

A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.

More testing: removing all parameters except client_id causes this error message:

Required parameter is missing: grant_type

Supplying only client_id and grant_type produces the original error message again.

Does anyone have an idea what's going on here?

Upvotes: 6

Views: 5230

Answers (2)

Rael Gugelmin Cunha

Reputation: 3542

Google changed this behavior a few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like

OAuth 2 parameters can only have a single value: client_id

or

OAuth 2 parameters can only have a single value: client_secret

So you must now NOT use both (the Auth headers and body request parameters) at the same time to send credentials to Google.

And according to RFC 6749, the preferable way to send credentials is through Auth headers (thanks @JanKrüger for alerting me about this).

Upvotes: 3

dmitryb

Reputation: 438

Got the same error. It seems the problem is that Net::OAuth2 sets the authorization header when exchanging an authorization code for an access token. If you remove this header everything works fine. Check the get_access_token method in the Net::OAuth2::Profile::WebServer module. The authorization header includes a base64-encoded client_id:client_secret string. Apparently Google now treats this duplication as an error.

The right way of fixing this is to set the secrets_in_params parameter when creating Net::OAuth2::Profile::WebServer object. Look in the Net::OAuth2::Profile documentation for more details.

Upvotes: 2
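Putting the two answers together, here is an added Python example (not code from the question, the answers or Net::OAuth2) that builds the authorization-code exchange with the client credentials in exactly one place, and flags the header-plus-body duplication that now draws "OAuth 2 parameters can only have a single value". The `secrets_in_params` switch mirrors the Net::OAuth2 option named above; the client id, secret, code and redirect URI used to exercise it are constructed values.

```python
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode each part, join with ':', base64."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_token_request(code, client_id, client_secret, redirect_uri,
                        secrets_in_params=False):
    """Build (headers, body) for the authorization-code exchange.

    Credentials go to exactly one place.  secrets_in_params=False puts them
    in the Authorization header (the RFC 6749 preferred form); True puts
    them in the form body, mirroring the Net::OAuth2 option the answers cite.
    """
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if secrets_in_params:
        params.update(client_id=client_id, client_secret=client_secret)
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    return headers, urlencode(params)


def credentials_in_header(headers):
    """Return (client_id, client_secret) carried by a Basic header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    decoded = base64.b64decode(auth[len("Basic "):]).decode("ascii")
    cid, _, secret = decoded.partition(":")
    return unquote(cid), unquote(secret)


def duplicated_credentials(headers, body):
    """Names sent both via Basic auth and in the body: the double submission
    behind 'OAuth 2 parameters can only have a single value: client_id'."""
    if credentials_in_header(headers) is None:
        return []
    sent = parse_qs(body)
    return [k for k in ("client_id", "client_secret") if k in sent]
```

Run `duplicated_credentials` over the request a library is about to send before it goes out; a non-empty result is exactly the case Google started rejecting.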
