Closed InternalServerError closed 5 years ago
Hey @InternalServerError!
Hmm.
After debugging the GuardAuthenticator, everything's fine until retrieving the user (it retrieves!) but when I return the user, I fall in onAuthenticationFailure with "invalid_grant" error.
That part sounds weird to me. If you successfully return a User object from getUser(), authentication is complete and successful - there is actually no way to fail authentication once you have successfully returned a User object from this method. I believe the failure is happening earlier - likely when you are calling return $this->fetchAccessToken($this->getGoogleClient()); (even though you said this works)... but I'm honestly not 100% sure.
Also, here is a description of this error I found, that might help:
invalid_grant The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
Sorry I can't help more!
Hello @weaverryan! Thank you for your answer. Indeed it's a bit weird! And I do not have more information about this issue. The behavior seems to be when the getAccessToken method is called.
That makes sense - when you call getAccessToken(), that is when the authorization code is exchanged for the access token. If anything is wrong - redirect url doesn’t match, or you’ve somehow already asked for the access token (so the auth code is now “used”) - it sounds like you’ll get this error.
Sorry I can’t help more - good luck!
For those who are stuck on the same issue, look at this StackOverflow post: https://stackoverflow.com/questions/10576386/invalid-grant-trying-to-get-oauth-token-from-google
This issue probably appears because you left the "access_type" parameter blank in your knpu_oauth2_client.yaml file. You need to set it to "offline" to be able to refresh tokens for your server-side application, as explained in Google documentation:
Requesting offline access is a requirement for any application that needs to access a Google API when the user is not present. For example, an app that performs backup services or executes actions at predetermined times needs to be able to refresh its access token when the user is not present. The default style of access is called online.
Server-side web applications, installed applications, and devices all obtain refresh tokens during the authorization process. Refresh tokens are not typically used in client-side (JavaScript) web applications.
cf. https://developers.google.com/identity/protocols/OAuth2WebServer#offline
For me the solution was to not call the method getAccessToken twice. I was doing:
$user = $client->fetchUser();
$accessToken = $client->getAccessToken();
The fetchUser method is already calling getAccessToken; for some reason that I don't really understand, the second call always fails with the "invalid grant" exception.
I solved the problem by getting the user from the token:
$accessToken = $client->getAccessToken();
$user = $client->fetchUserFromToken($accessToken);
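The two comments above describe the same root cause: the OAuth2 authorization code returned to the callback route is single-use, so whichever call exchanges it first wins, and any second exchange (a second getAccessToken() after fetchUser(), or a retry of the callback) is rejected by Google with invalid_grant. The Guard authenticator below is an added example written for this thread, not code from the issue author or from KnpUOAuth2ClientBundle; it shows the exchange happening exactly once, in getCredentials(), with getUser() reusing that token through fetchUserFromToken(). The class name, the routes (connect_google_start, connect_google_check, homepage), the client name "google" and the use of the Google e-mail as the username are assumptions.

```php
<?php
// Added example for this thread, not the bundle's own code. Route names,
// the "google" client key and the e-mail-as-username lookup are assumptions.

namespace App\Security;

use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
use KnpU\OAuth2ClientBundle\Client\OAuth2ClientInterface;
use KnpU\OAuth2ClientBundle\Security\Authenticator\SocialAuthenticator;
use League\OAuth2\Client\Token\AccessToken;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class GoogleAuthenticator extends SocialAuthenticator
{
    private $clientRegistry;
    private $router;

    public function __construct(ClientRegistry $clientRegistry, RouterInterface $router)
    {
        $this->clientRegistry = $clientRegistry;
        $this->router = $router;
    }

    public function supports(Request $request)
    {
        // Only the callback route carries the one-time "code" query parameter.
        return $request->attributes->get('_route') === 'connect_google_check';
    }

    public function getCredentials(Request $request)
    {
        // The single exchange: authorization code -> access token.
        // fetchAccessToken() first checks the "state" parameter against the
        // session (CSRF protection for the callback) and turns provider errors
        // such as invalid_grant into an AuthenticationException, which ends up
        // in onAuthenticationFailure().
        return $this->fetchAccessToken($this->getGoogleClient());
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        /** @var AccessToken $credentials */
        // Reuse the token obtained in getCredentials(). Calling getAccessToken()
        // or fetchUser() here would try to exchange the already-consumed code a
        // second time, which is exactly the invalid_grant failure in this thread.
        $googleUser = $this->getGoogleClient()->fetchUserFromToken($credentials);

        // Assumption: local accounts are keyed by the verified Google e-mail.
        return $userProvider->loadUserByUsername($googleUser->getEmail());
    }

    public function checkCredentials($credentials, UserInterface $user)
    {
        // Google already authenticated the user; the token exchange succeeded
        // and a local account exists, so there is nothing further to verify.
        return true;
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return new RedirectResponse($this->router->generate('homepage'));
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        // The message key is the provider error ("invalid_grant" in this thread).
        // Log it server-side; a generic 403 is enough for the browser.
        $message = strtr($exception->getMessageKey(), $exception->getMessageData());

        return new Response($message, Response::HTTP_FORBIDDEN);
    }

    public function start(Request $request, AuthenticationException $authException = null)
    {
        // Anonymous access to a protected page: begin the Google redirect.
        return new RedirectResponse($this->router->generate('connect_google_start'));
    }

    private function getGoogleClient(): OAuth2ClientInterface
    {
        return $this->clientRegistry->getClient('google');
    }
}
```

The shape to keep in mind: one code, one exchange, one token, and every later step consumes that token object rather than the request's "code" parameter. If you also need refresh tokens for server-side work while the user is away, that is a separate setting (access_type: offline in knpu_oauth2_client.yaml, as the comment above quotes from Google's documentation); it does not change this single-exchange rule.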
Hello!
Thanks again for your work.
I'm almost ready to deploy the google SSO through this bundle :)
But "almost" means I still have trouble. Indeed when I choose my email account to log in with, I systematically get an "invalid_grant" error. After debugging the GuardAuthenticator, everything's fine until retrieving the user (it retrieves!) but when I return the user, I fall in onAuthenticationFailure with "invalid_grant" error.
I'm working with Symfony 4.1 and Doctrine ODM.
Here is my code:
knpu_oauth2_client.yaml:
security.yaml:
GoogleAuthenticator:
GoogleController.php:
Could someone help me solve this, please?
Thanks!