Google OAuth2.0 returns 'invalid_request' when getting access_token with PHP cURL

Question

I'm experiencing the same issue described here" POST using CURL in PHP gives invalid request Error. Before coming across that post my code was already setup like the accepted answer.

// First I get the access code like so
function get_oauth_code($wpoa) {
    $params = array(
        'response_type' => 'code',
        'client_id' => CLIENT_ID,
        'scope' => SCOPE,
        'state' => uniqid('', true),
        'redirect_uri' => REDIRECT_URI,
    );
    $_SESSION['WPOA']['STATE'] = $params['state'];
    $url = URL_AUTH . http_build_query($params);
    header("Location: $url");
    exit;
}

$params = array(
    'grant_type' => 'authorization_code',
    'client_id' => CLIENT_ID,
    'client_secret' => CLIENT_SECRET,
    'code' => $_GET['code'],
    'redirect_uri' => REDIRECT_URI,
);
$url_params = http_build_query($params);
$url = URL_TOKEN . $url_params;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $params);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, (get_option('wpoa_http_util_verify_ssl') == 1 ? 1 : 0));
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, (get_option('wpoa_http_util_verify_ssl') == 1 ? 2 : 0));
        $result = curl_exec($curl);

When I first attempt to login this works fine, but then if I logout and reattempt (not every time, but consistently enough), it return the following error response

Array ( [error] => invalid_request )

Because of the following comment on that answer I thought perhaps the access_code was being reused some how but I ran an unset just to make sure and the problem still persist. Here is proof to that when receive the invalid_request error I do in fact have an access code:

Array( 
    [state] => 57c8b107a5a021.27458568 
    [code] => 4/Q8bswW3yheJ6tLFQnTd-pkfG6zVdbMk9UehgroR7f60 
)

I'm new to OAuth in general but have been dealing with it all week so getting pretty familiar but hoping someone out there knows more than me to help me figure this out. I want to make sure that the user will never experience an issue logging in because of some session details within the server side script.

Note: This is in collaboration with Perry Butler's WP-OAuth plugin

Answer 1

I'm not as familiar with google oauth as I'd like to be to answer this question is authority, but a few problems I see from your code.

1, you have a lot of defines that are clearly outside of the scope of this code. 2, your url is being appended with all the params that are supposed to be applied to the post of the request.

First thing I'd try is to change this line:

$url = URL_TOKEN . $url_params;

To:

$url = URL_TOKEN;

Add some debugging in the request as well, and show the $url that's being called. There doesn't appear to be anything outside of the norm.