tokeninfo 400 response during Complete the Google Login
-
Hi
I got stuck while configuring login with the Google identity provider. I am using my own login page and getting the code from Google.
When I use /api/identity-provider/login API with PHP client it fails with error:
code: [ExternalAuthenticationException]GoogleTokenInfo
message: A request to the Google Token Info API has failed. Unable to complete this login request.
I turned on debug for events logging and I can see that FA gets token correctly
Google IdP Response Debug Log [82339786-3dff-42a6-aac6-1f1ceecb6c46]
1/18/2022 11:21:54 PM GMT Using code and redirect_uri with login method UseRedirect:
1/18/2022 11:21:54 PM GMT Call the [https://oauth2.googleapis.com/token] endpoint.
1/18/2022 11:21:54 PM GMT Endpoint returned status code [200]
1/18/2022 11:21:54 PM GMT Endpoint response: { "access_token" : "ya29.........CWC", "expires_in" : 3599, "scope" : "https://www.googleapis.com/auth/cloud-platform.read-only", "token_type" : "Bearer" }
1/18/2022 11:21:54 PM GMT Call the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint.
1/18/2022 11:21:54 PM GMT Endpoint returned status code [400]
1/18/2022 11:21:54 PM GMT The response was not successful, see the error event log.
But it fails with tokeninfo request:
Request to the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint failed. Status code [400]. Error response is { "error_description" : "Either access_token, id_token, or token_handle required" }
However, when I try to call this request manually with retrieved token it seems to be working:
$ curl "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.........CWC"
{ "azp": "968429353208-itkeurv2jjt9l4fsq8ii2mosgugs4gc2.apps.googleusercontent.com", "aud": "968429353208-itkeurv2jjt9l4fsq8ii2mosgugs4gc2.apps.googleusercontent.com", "scope": "https://www.googleapis.com/auth/cloud-platform.read-only", "exp": "1642549482", "expires_in": "3307", "access_type": "online" }
and using POST it works as well:
curl -L --data "access_token=ya29.........CWC" https://www.googleapis.com/oauth2/v3/tokeninfo
How can I find out what FA requests from Google, or what is wrong with my FA or Google Cloud configuration?
I tried to find a similar case online, but with no success. I hope you have seen this before.
Many thanks.
Fela -
I would recommend reviewing our API documentation regarding using this IdP via API
https://fusionauth.io/docs/v1/tech/apis/identity-providers/google/#complete-the-google-login
For example, if you built your own login page, you could add a "Login with Google" button and complete the Google authentication. When you complete the Google authentication you will have been returned a token or code from Google. Using this API you can pass that token or code to FusionAuth and we will complete the login workflow and reconcile the user to FusionAuth.
To confirm, are you passing the token from Google to FusionAuth, or are you getting stuck at a different place in a login workflow?
I have not integrated with this provider via API, but I understand that the Google token must be passed to FusionAuth to complete the login.
If this is FusionAuth completing the login (it looks like it might be)
1/18/2022 11:21:54 PM GMT Call the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint.
Then the next thing to ensure is that you pass the token in a POST request. If you had a curl or code snippet showing this that might be helpful.
Thanks,
Josh -
Hi @joshua, hope you are doing well. I am calling the same API from my NestJS project and getting somewhat the same error.
code: [ExternalAuthenticationException]GoogleTokenInfo
message: A request to the Google Token Info API has failed. Unable to complete this login request.
And from the Fusion Auth debug log,
Request to the [https://www.googleapis.com/oauth2/v3/tokeninfo] endpoint failed. Status code [400]. Error response is { "error_description" : "Invalid Value" }
But if I curl the token received from Google, it shows me the correct response:
curl "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=ya29.A0ARrdaM-mIQDJ645tNQv5ifTZ7QxfhTNK_gE4pYsukhoU_EVt7ejSjW6H22fYW5ICgx89IXXXXXXXXXXXXXXXXXXXWBhUUhclMJx2p3xcpekxKjs1B2"
{ "azp": "939548483275-vnakrrcv6c7t2fmdcji8nbcom6dn52or.apps.googleusercontent.com", "aud": "939548483275-vnakrrcv6c7t2fmdcji8nbcom6dn52or.apps.googleusercontent.com", "sub": "116524708611814561365", "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid", "exp": "1646312085", "expires_in": "3425", "email": "xxxxxx@gmail.com", "email_verified": "true", "access_type": "online" }
From NestJS I called that request as follows,
const response = await this.fusionClient.identityProviderLogin({
  applicationId: "XXXXXX",
  data: {
    token: req.user.accessToken,
  },
  identityProviderId: "82339786-3dff-42a6-aac6-1f1ceecb6c46",
});
Could you please shed some light on it?
Thanks. -
@dan @joshua Could you guys please guide me in this regard? I have ensured that the token type is string and performed curl with the POST method as well, and the token is getting verified by the Google API but unfortunately not with FusionAuth.
curl --data '{"access_token":"ya29.A0ARrdaM8zef7x.....lVZKeAKG5fs-a94yDvDaCVuT"}' -H "Content-Type: application/json" -X POST https://www.googleapis.com/oauth2/v3/tokeninfo
{ "azp": "939548483275-vnakrrcv6c7t2fmdcji8nbcom6dn52or.apps.googleusercontent.com", "aud": "939548483275-vnakrrcv6c7t2fmdcji8nbcom6dn52or.apps.googleusercontent.com", "sub": "116524708611814561365", "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid", "exp": "1646330995", "expires_in": "3268", "email": "xxxx@gmail.com", "email_verified": "true", "access_type": "online" }
curl --data "access_token=ya29.A0ARrdaM8zef7xo6ucwQxbgJVQQSsvUjD......5fs-a94yDvDaCVuT" -X POST https://www.googleapis.com/oauth2/v3/tokeninfo
{ "azp": "939548483275-vnakrrcv6c7t2fmdcji8nbcom6dn52or.apps.googleusercontent.com", "aud": "939548483275-vnakrrcv6c7t2fmdcji8nbcom6dn52or.apps.googleusercontent.com", "sub": "116524708611814561365", "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid", "exp": "1646330995", "expires_in": "3348", "email": "xxxxx@gmail.com", "email_verified": "true", "access_type": "online" }
-
Hello All,
Is there any solution or remarks on that issue? Looks like the issue is still active...
Please respond. Thanks. -
BTW I have successfully implemented Facebook social login using the Complete Facebook Login API, which is actually the same endpoint/API as Complete Google Login but with a different identity provider value. It's quite weird behavior that that API is working with Facebook but not with Google.
Could you guys please take a look at it? Or am I missing something in the case of Google login, if it needs some configuration?
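
Added example (not part of any post in this thread, and not FusionAuth's code): a Node.js check of what a tokeninfo response says about a token before it is trusted for login, run over constructed responses shaped like the two pasted above. The client ID, `sub` and email values are placeholders, and the rule that a login token needs a `sub` claim and the `openid` scope is this example's assumption; it does not reproduce the request FusionAuth sends to Google.

```javascript
// Placeholder client ID (constructed, not a real Google client).
const CLIENT_ID = "000000000000-example.apps.googleusercontent.com";

// Constructed: shaped like the first post's response (cloud-platform scope only).
const firstPostInfo = {
  azp: CLIENT_ID, aud: CLIENT_ID,
  scope: "https://www.googleapis.com/auth/cloud-platform.read-only",
  exp: "1642549482", expires_in: "3307", access_type: "online",
};

// Constructed: shaped like the later posts' response (openid, email, profile).
const laterPostInfo = {
  azp: CLIENT_ID, aud: CLIENT_ID, sub: "100000000000000000000",
  scope: "https://www.googleapis.com/auth/userinfo.email " +
         "https://www.googleapis.com/auth/userinfo.profile openid",
  exp: "1646312085", expires_in: "3425",
  email: "user@example.com", email_verified: "true", access_type: "online",
};

// Returns a list of problems; an empty list means the token identifies a user,
// was issued to this client and has not expired. nowSeconds is injectable.
function checkTokenInfo(info, expectedClientId,
                        nowSeconds = Math.floor(Date.now() / 1000)) {
  if (info.error_description) {
    return [`tokeninfo rejected the token: ${info.error_description}`];
  }
  const problems = [];
  // A token issued to a different client must not log a user in here.
  if (info.aud !== expectedClientId) problems.push("aud does not match this client ID");
  // tokeninfo returns numeric fields as strings, so parse before comparing.
  const exp = Number.parseInt(info.exp, 10);
  if (!Number.isFinite(exp) || exp <= nowSeconds) {
    problems.push("token is expired or exp is missing");
  }
  if (!info.sub) problems.push("no sub claim: the token does not identify a user");
  const scopes = new Set((info.scope || "").split(" ").filter(Boolean));
  if (!scopes.has("openid")) problems.push("openid scope was not granted");
  if (info.email && info.email_verified !== "true") problems.push("email is not verified");
  return problems;
}

console.log(checkTokenInfo(firstPostInfo, CLIENT_ID, 1642549000));
console.log(checkTokenInfo(laterPostInfo, CLIENT_ID, 1646312000));
```

A successful curl against tokeninfo only shows that the token is live; the fields in the response are what say whether it belongs to this client and names a user.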