cloudentity / oauth2c

User-friendly OAuth2 CLI
https://cloudentity.github.io/oauth2c/
Apache License 2.0

HTTP 400: Could not determine client ID from request when authorizing from Google #94

Closed jedesroches closed 10 months ago

jedesroches commented 10 months ago

Hello,

Thank you for your work on oauth2c! I am trying to generate tokens in order to use IMAP with gmail. I followed this procedure to generate a client ID and client secret, setting up a Desktop application; and following this document, requested the "https://mail.google.com" scope with the following command:

oauth2c "https://accounts.google.com/" \
    --client-id $(jq -r .[].client_id gc) \
    --client-secret $(jq -r .[].client_secret gc) \
    --response-types code \
    --response-mode query \
    --grant-type authorization_code \
    --auth-method client_basic \
    --scopes "https://mail.google.com"

which fails with the following output:

┌───────────────────────────────────────────────────────────────────────────────────────────┐
| Issuer URL     | https://accounts.google.com/                                             |
| Grant type     | authorization_code                                                       |
| Auth method    | client_basic                                                             |
| Scopes         | https://mail.google.com                                                  |
| Response types | code                                                                     |
| Response mode  | query                                                                    |
| PKCE           | false                                                                    |
| Client ID      | <redacted>                                                               |
| Client secret  | <redacted>                                                               |
└───────────────────────────────────────────────────────────────────────────────────────────┘

Authorization Code Flow

# Request authorization

GET https://accounts.google.com/o/oauth2/v2/auth
Query params:
  scope: https://mail.google.com
  state: QyUPE2AKvdFqqMykQeuJYF
  client_id: 745633595393-nfnn82tgaj47o7tk9s56munqs4nv794j.apps.googleusercontent.com
  nonce: QNqeFwokTBd9niFBFYmfYr
  redirect_uri: http://localhost:9876/callback
  response_mode: query
  response_type: code

Open the following URL:

https://accounts.google.com/o/oauth2/v2/auth?client_id=<redacted>&nonce=<redacted>&redirect_uri=http%3A%2F%2Flocalhost%3A9876%2Fcallback&response_mode=query&response_type=code&scope=https%3A%2F%2Fmail.google.com&state=<redacted>
Opening in existing browser session.

GET /callback
Query params:
  state: <redacted>
  code: <redacted>
  scope: https://mail.google.com/

 SUCCESS  Obtained authorization code

# Exchange authorization code for token

POST https://oauth2.googleapis.com/token
Headers:
  Content-Type: application/x-www-form-urlencoded
Form post:
  code: <redacted>
  grant_type: authorization_code
  redirect_uri: http://localhost:9876/callback
Response:
{
  "error": "invalid_request",
  "error_description": "Could not determine client ID from request."
}

  ERROR   400: invalid_request

I have also tried using Mozilla Thunderbird's clientID and client secret (which can be found here) with the same result. Is this a bug? I see that the clientID is not sent again in the second POST request, maybe it should be? I am sadly rather unfamiliar with the whole oauth2 flow thing.

Thank you for any tips or pointers on how to get this to work!

mbilski commented 10 months ago

Hello @jedesroches

try using client_secret_basic or client_secret_post as --auth-method instead of client_basic.

If this is the case, I'll add some validation to the auth_method. It looks like it's missing and might cause issues.

Best, Mateusz

jedesroches commented 10 months ago

Hello @mbilski,

Thank you for your answer. Using client_secret_basic as an --auth-method succeeded (as in I got a token, a refresh token and an expiry time), but printed (along with the successful output) the following error to stdout which might be of interest for you:

  ERROR   go-jose/go-jose: compact JWS format must have three parts

jedesroches commented 10 months ago

Thank you for your help - this ticket can probably be closed. However, if it were at all possible in the examples part of the documentation to maybe add some concrete examples for the layman? Currently, it is very easy to know how to do a specific OAUTH2 action from the examples, but very hard to understand or know which one to do when ^^" (i.e. I found neither in the google documentation nor in oauth2c's documentation why the above change you suggested made things work).
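An added example (not part of this thread and not oauth2c's own code) of why the suggested change works: the token-exchange request for the authorization_code grant carries the client credentials in the Authorization header for client_secret_basic and in the form body for client_secret_post (RFC 6749 section 2.3.1), while an unrecognised name like client_basic would send neither, which is what the log in the first post shows. The function also implements the auth-method validation mbilski mentions; the credentials are placeholders, the endpoint and redirect URI are the ones from the log.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Token-endpoint client authentication methods named in the thread (RFC 6749 section 2.3.1).
const (
	ClientSecretBasic = "client_secret_basic"
	ClientSecretPost  = "client_secret_post"
)

// BuildTokenRequest builds the authorization_code exchange for the given --auth-method. Any other
// name is rejected instead of being sent without client credentials, as the log above shows.
func BuildTokenRequest(tokenURL, authMethod, clientID, clientSecret, code, redirectURI string) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirectURI)
	switch authMethod {
	case ClientSecretBasic: // credentials go only in the Authorization header, set below
	case ClientSecretPost: // credentials go in the form body
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	default:
		return nil, fmt.Errorf("unsupported --auth-method %q: use %s or %s", authMethod, ClientSecretBasic, ClientSecretPost)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if authMethod == ClientSecretBasic {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret)) // form-encode, then Basic
	}
	return req, nil
}

func main() { // placeholder credentials; endpoint and redirect URI are taken from the issue's log
	req, err := BuildTokenRequest("https://oauth2.googleapis.com/token", ClientSecretBasic,
		"CLIENT_ID", "CLIENT_SECRET", "AUTH_CODE", "http://localhost:9876/callback")
	if err != nil {
		panic(err)
	}
	body, _ := io.ReadAll(req.Body)
	fmt.Printf("Authorization: %s\nbody: %s\n", req.Header.Get("Authorization"), body)
}
```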