100% InvalidGrant after Android package migration from GoogleSignInClient to AuthorizationClient at token exchange step

[phoebe-otterai]

Hi, my team has been using google_auth_oauthlib's flow module for executing the OAuth 2.0 flow. This issue is regarding the authorization phase.

Previously, our Android team was using GoogleSignInClient to acquire an authorization code and passing it to our python server for the exchange and storage of access/refresh tokens. Our server code looks like this:

from google_auth_oauthlib.flow import Flow
...
flow = Flow.from_client_config(
    GOOGLE_OAUTH2_CLIENT_SECRETS_DATA,
    scopes=list(GoogleAccountScopeEnum.api_url_to_enum_name_map().keys()),
    redirect_uri=redirect_uri,
)
flow.fetch_token(code=server_auth_token) # token from Android client
credential = flow.credentials
...

However, after Android migrated to Google Identity Service's AuthorizationClient, we are now failing 100% at the token exchange step (flow.fetch_token) with an InvalidGrant error.

We can't seem to figure out why this is occurring and it is blocking our migration. Current thoughts:

• Previously, GoogleSignInClient would only provide an auth code, but AuthorizationClient now provides both an auth code and an access token. It seems like before, it was following the Authorization Code Grant type, whereas now it is following the Implicit Grant type, since the access token is given immediately by the authorization server (Google).
• I don’t see any mention of special handling of this implicit grant type in the google_auth_oauthlib docs. I saw that flow.fetch_token calls the requests_oauthlib fetch_token function under the hood, which has a comment about using token_from_fragment if we are using the MobileApplicationClient/Implicit Grant type.
• Thing is, it seems like the suggested method for Implicit Grants token_from_fragment in requests_oauthlib is supposed to be called from the mobile/Android client itself, since it takes in the whole response url.

Where are we going wrong here? Is google_auth_oauthlib lacking support for Android's AuthorizationClient? Does Android now need to complete the OAuth flow by performing the token exchange themselves with requests_oauthlib (I don't think passing the refresh token to us is good security practice)? Does our python server need to call google_auth_oauthlib in a different way?

Additional details

This is how Android is configuring their request:

val authorizationRequest = AuthorizationRequest.builder()
    .requestOfflineAccess(serverClientId, true)
    .setRequestedScopes(requestedScopes.map { it.scope })
    .build()

Environment details

• OS type and version: 3.8.10
• Python version: python --version
• pip version: 24.1
• google-auth-oauthlib version: 0.4.6

[sai-sunder-s]

I will start by saying that this library is geared towards working with just google-auth-library-python which is primarily used for Google Cloud. It is used by folks for non-cloud purposes as well and works mostly because the library is a bit generic. Implicit flow is not supported by this library.

I am not familiar with AuthorizationClient but it seems strange that it will support only implicit flow. Have you checked what is the request and response to the auth endpoint when using AuthorizationClient?