MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous

[Swapygit]

Hi Team,

I am trying to link to google adwords account using Oauth2 in C# .net . However, I am getting the following error,

MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'OAuth realm="https://accounts.google.com/OAuthGetRequestToken"'. [Returned while handling POST Request]

I had a communication regarding this with the google adwords support team. They had following reply for this

It looks like the issue is specific to the client library that you're using. Could you please post your concern on the Github issue tracker so the library owners can assist you on this

Kindly suggest what can I do to resolve the exception

Please find the below details regarding the issue which will help you to find the root cause.

We are not using WCF service.We are not using Google Ads Api. We are using Google Adwords API v201809.

Please find below the steps we are following.

We are using ASP.NET MVC Web API. We have a mobile app where user clicks on Connect to google adwords. When the user clicks the button he is redirected to google sign in page and after sign in it is re directed to the back end MVC web API along with the server token. We use this server token and fetch the customer using the service.getCustomers() method of the Google AdWordsService.v201809.CustomerService.

Please find the below code we have used

Customer c = new Customer();

           Selector selector = new Selector()
           {
               fields = new string[] { Convert.ToString(c.customerId), c.descriptiveName }
           };

           CustomerService service =
           (CustomerService)user.GetService(AdWordsService.v201809.CustomerService);

           Customer[] cst = service.getCustomers();

And according to our error logs we are getting the error on the line

Customer[] cst = service.getCustomers();

Also, this error does not occur for all the users. Suppose, out of 100 we are get this error 1 or 2 customer. If the error was due to code, then it should have occurred for all the users. But that's not the case. Looking forward for your response.

Thanks. Swapnil

[AnashOommen]

We use WCF for the SOAP API, so that's a good point to start suspecting it as the source of problem. Chris, could you pls investigate this further? We may have to ask the .NET Core team if we get stuck.

This is one thread that I found in the context, though that's about Negotiate v/s Anonymous or NTLM v/s Anonymous. https://stackoverflow.com/questions/15570108/the-http-request-is-unauthorized-with-client-authentication-scheme-negotiate. All the threads I have seen suggest that IIS configuration might be a factor.

[AnashOommen]

@Swapygit are you using a proxy to connect to the AdWords API servers?

[Swapygit]

Hi @AnashOommen ,

We are not using proxy servers for connecting google adwords api.

Thanks

[Swapygit]

Hi @AnashOommen @christopherseeley

Any update on this.

Thanks

[christopherseeley]

Digging a bit into WCF it looks like this is thrown when you get a 401 response.

So the question is when is this 401 happening and why. Can you share some more details about your OAuth2 process? Are you using another library for the mobile application auth flow? What is the 'server token' in the context of the OAuth2 steps outlined here: https://developers.google.com/identity/protocols/OAuth2InstalledApp

[Swapygit]

Hi Chris,

Thanks for your reply here.

We are using web app flow.

Let me describe my current flow

User click connect adwords button in our app (App is build on ionic cardova.) User is redirected to google login for authentication (We are using https://github.com/EddyVerbruggen/cordova-plugin-googleplus plugin to handle this )

library version of googleplus plugin is

cordova.system.library.4=com.google.android.gms:play-services-auth:+ cordova.system.library.5=com.google.android.gms:play-services-identity:+

After successful login this plugin return following response obj.email // 'eddyverbruggen@gmail.com'

obj.userId // user id

obj.givenName // 'Eddy'

obj.imageUrl // 'http://link-to-my-profilepic.google.com'

obj.idToken // idToken that can be exchanged to verify user identity.

obj.serverAuthCode // Auth code that can be exchanged for an access token and refresh token for offline access

obj.accessToken // OAuth2 access token

Using obj.serverAuthCode we start account linking process. To start account linking we are we are using serverAuthCode to generate access token and refresh token for offline access For this we are using FetchAccessAndRefreshTokens(apireq.servertoken) method from google adwords api v201809 (.net library)

Now for all users its working properly , but for some we are getting error in

Google.Api.Ads.AdWords.v201809.CustomerService.getCustomers() method.

[christopherseeley]

Thanks for all the context! The method there will attempt to refresh the access token if it's expired, so it may still be a problem at the OAuth level - do your logs show what URL caused this error? Do you have a stack trace?

[Swapygit]

Hi @christopherseeley

Apology for the delayed response on this thread. We recently got this error. Below is the stack trace and URL which caused this error.

Message: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'OAuth realm="https://accounts.google.com/OAuthGetRequestToken"'.

let me know if you need more information.

[Swapygit]

Hi @christopherseeley

Can I get any updates on this please

[nwbirnie]

Hey folks, could someone take a look at this case please?

[christopherseeley]

I took another look and I still suspect (per https://github.com/googleads/googleads-dotnet-lib/issues/216#issuecomment-503712290) that this is a general OAuth 401 that is bubbling up in an unusual way.

@Swapygit is this happening for new users, or existing ones? How do you handle OAuth refresh token invalidations? If this is a 401 from OAuth it could be that the user revoked access and you need to re-auth.

[Swapygit]

Hi @christopherseeley ,

We are facing this issue intermittently for some users who try to link under our mcc using the mobile app.

Could you elaborate on this. I didn't get your point here. How do you handle OAuth refresh token invalidations? If this is a 401 from OAuth it could be that the user revoked access and you need to re-auth.

[christopherseeley]

Since you're using the Web flow, the refresh token may stop working for a number of reasons: https://developers.google.com/identity/protocols/oauth2#expiration

If this happens you need to have the user go through the original auth flow again to grant access and store a new refresh token.

To test this, you could sign in to your app with a test account, then revoke access for your app here: https://myaccount.google.com/permissions

[Swapygit]

Hi @christopherseeley

Thanks for the revert here. We will ask our QA/Testing team to do the same and will revert if any further help is required.

[Swapygit]

Hi @christopherseeley ,

Yes, we are using web flow, but we are using the asp.net web api 2 in the back end and in front end we have a mobile where the user is given the consent screen to allow permissions to the app.

After the user allows the permission the front end hits the back end web api with the server auth code

After that we fetch the access token for the google apis

And then we are getting the error at below line

Customer[] cst = service.getCustomers();

So I don't think so, the reasons mentioned in the link

https://developers.google.com/identity/protocols/oauth2#expiration would affect it in any way.

Could you please look into this and revert me.

Many Thanks

[Swapygit]

Hi @christopherseeley

Any update on this

[mwilc0x]

Hi,

To help us debug, could you share a small working demo that reproduces the error?

Thanks