AppAuth-iOS: INVALID_ARGUMENT errors showing up
I’m not sure if this is related to issue #288 but I’m now seeing this all of a sudden on an app that’s been unchanged for a few months. Notice the %20 in the scope below, could this be tripping Google up again? Can someone please get Google to stop making these changes without thinking through? This is the third time in 12 months that our apps have stopped working all of a sudden.
OAuth: request failed: <OIDTokenRequest: 0x6100008b6200, ClientID: 506211136043-6tslfe4ok4ib6faeh9i07qgo1f39uenr.apps.googleusercontent.com, Secret? 24 Scope: email https://www.googleapis.com/auth/carddav, Grant: refresh_token, request: <URL: https://www.googleapis.com/oauth2/v4/token, HTTPBody: grant_type=refresh_token&scope=email%20https://www.googleapis.com/auth/carddav&refresh_token=1/G3BaNEf4R0QiP3O-8lmP1nxz0xW8KmKlSmlgvvuMsEC&client_id=503211136043-6tslfe4ok4ib6faeh9i02qgo1f39uenr.apps.googleusercontent.com&client_secret=OgHS5U0O5dVn0i96t1acNk1e>> (<NSMutableURLRequest: 0x618000015ca0> { URL: https://www.googleapis.com/oauth2/v4/token }) => <NSHTTPURLResponse: 0x60000063f380> { URL: https://www.googleapis.com/oauth2/v4/token } { status code: 400, headers {
"Cache-Control" = private;
"Content-Encoding" = gzip;
"Content-Length" = 129;
"Content-Type" = "application/json; charset=UTF-8";
Date = "Wed, 26 Sep 2018 22:44:56 GMT";
Server = ESF;
Vary = "Origin, X-Origin, Referer";
"alt-svc" = "quic=\":443\"; ma=2592000; v=\"44,43,39,35\"";
"x-content-type-options" = nosniff;
"x-frame-options" = SAMEORIGIN;
"x-xss-protection" = "1; mode=block";
} } (server error: Error Domain=org.openid.appauth.remote-http Code=400 "{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
" UserInfo={NSLocalizedDescription={
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
})
2018-09-26 15:44:56.301 -2- OAuth: underlying json error: {
error = {
code = 400;
message = "Request contains an invalid argument.";
status = "INVALID_ARGUMENT";
};
}
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 1
- Comments: 26 (7 by maintainers)
AppAuth 0.95.0 includes a fix to the issue which cause the crash yesterday, also tightens up some handling around the “scope” param during token refresh to guard against future changes (AppAuth was sending the scope param unnecessarily during refresh). I highly recommend updating to this version.
Note that you will need to carry your own patches for client authentication if you wish to do it in the HTTP body.
@rhwu yes, the team at Google is aware of the breakage and are actively working on a fix. The “old behavior” (Basic Auth) is actually still supported (and required by the RFC), so in theory you don’t need to take any action and this will be resolved shortly server-side. But if you need to fix it immediately, then that patch is the way to go (and is safe to use in any case).