I'm trying to migrate existing OAuth1.0 3L tokens to OAuth2.0 for a web app. I am following the instructions at https://developers.google.com/accounts/docs/OAuth_ref Despite all my best efforts, I keep getting this response: "Invalid authorization header."
To create the Authorization header, I use Google's Java client library 1.0, the same I use in the application to talk to google calendar. I am testing with an access token. token secret, consumer key and consumer secret that work without problem (i.e. I can use these credentials to make calls to Google Calendar, etc).
This is the code I use:
OAuthParameters oauthParameters = new OAuthParameters();
oauthParameters.setOAuthConsumerKey("www.mywebsite.com"); // this is the same consumer key used by my app normally, without problem. mywebsite is an example, the real name is different
oauthParameters.setOAuthConsumerSecret("XXXXX");
oauthParameters.setOAuthToken("YYYYY");
oauthParameters.setOAuthTokenSecret("ZZZZZZ");
OAuthHmacSha1Signer signer = new OAuthHmacSha1Signer();
OAuthHelper oauthHelper = new GoogleOAuthHelper(signer);
String requestUrl = "https://accounts.google.com/o/oauth2/token";
String header = oauthHelper.getAuthorizationHeader(requestUrl, "POST", oauthParameters);
String payload = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Amigration%3Aoauth1&client_id="+clientId+"&client_secret="+clientSecret;
HttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost(requestUrl);
httpPost.addHeader("Authorization", header);
httpPost.addHeader("Content-Type", "application/x-www-form-urlencoded");
httpPost.setEntity(new ByteArrayEntity(payload.getBytes()));
String response = httpClient.execute(httpPost, new BasicResponseHandler());
and this is the wire trace produced by HttpClient:
>> "POST /o/oauth2/token HTTP/1.1[\r][\n]"
>> "Authorization: OAuth realm="", oauth_signature="ixVbjINI6pgPU2RqXGiQRbPGY%3D", oauth_nonce="486642280771700", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="www.mywebsite.com", oauth_token="YYYYY", oauth_timestamp="1395127834"[\r][\n]"
>> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
>> "Content-Length: 193[\r][\n]"
>> "Host: accounts.google.com[\r][\n]"
>> "Connection: Keep-Alive[\r][\n]"
>> "User-Agent: Apache-HttpClient/4.3.2 (java 1.5)[\r][\n]"
>> "[\r][\n]"
>> "grant_type=urn%ietf%params%oauth%grant-type%migration%oauth1&client_id=12345&client_secret=ABCDE"
<< "HTTP/1.1 400 Bad Request[\r][\n]"
<< "Cache-Control: no-cache, no-store, max-age=0, must-revalidate[\r][\n]"
<< "Pragma: no-cache[\r][\n]"
<< "Expires: Fri, 01 Jan 1990 00:00:00 GMT[\r][\n]"
<< "Date: Tue, 18 Mar 2014 07:30:39 GMT[\r][\n]"
<< "Content-Type: application/json[\r][\n]"
<< "X-Content-Type-Options: nosniff[\r][\n]"
<< "X-Frame-Options: SAMEORIGIN[\r][\n]"
<< "X-XSS-Protection: 1; mode=block[\r][\n]"
<< "Server: GSE[\r][\n]"
<< "Alternate-Protocol: 443:quic[\r][\n]"
<< "Transfer-Encoding: chunked[\r][\n]"
<< "[\r][\n]"
<< "5a[\r][\n]"
<< "{[\n]"
<< " "error" : "invalid_request",[\n]"
<< " "error_description" : "Invalid authorization header."[\n]"
<< "}"
<< "[\r][\n]"
<< "0[\r][\n]"
<< "[\r][\n]"
where 12345 and ABCDE are obviously placeholders for the real OAuth2 app credentials.
I have double and triple checked that all the parameters set in OAuthParameters are the same used by the normal code that is currently working using OAuth1 (even using a step-by-step debugger to verify the values at the time the signature is calculated by OAuthHmacSha1Signer.getSignature()).
I looked at the Authorization header in HTTP requests sent by the current Google Client APIs that use OAuth1 (and that work fine), and apart obviously from signature, nonce and timestamp they look identical to the one sent by this migration call.
I even tried a test migration request , which failed, then used a debugger to run the old code and inject method, URL, nonce and timestamp used by the migration call, and the signature calculated by the old code was identical, given identical params.
Any clues of why the Authorization header is still reported as invalid?
After following up with SimonM, it turns out that the issue was related to the base string used to sign the migration request.
When constructing a base string to sign your migration requests, make sure that the string uses a POST method (rather than GET as it is the case when accessing many Google APIs) and that it contains all relevant migration parameters as per the migration documentation.
As per OAuth1 spec, a valid base string for a migration request should look like:
POST&https://accounts.google.com/o/oauth2/token&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=urn:ietf:params:oauth:grant-type:migration:oauth1&oauth_consumer_key=YOUR_CONSUMER_KEY&oauth_nonce=NONCE&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396414006&oauth_token=THE_TOKEN_TO_MIGRATE
Note that, for readability purpose, the above is the decoded version of the base string (check out the OAuth1 spec for more examples).