Search code examples
phpoauthgoogle-oauthgoogle-plus-signin

Google Plus OAuth PHP 401 (Unauthorized)

I am trying to setup authentication with google plus using their tutorial. I followed the directions verbatim, changing the client id and the client secret in signin.php. For the record, the google plus API is enabled in the google developer console. I update file permissions as instructed as well (chmod +x signin.php and chmod -R 555 vendor/). However, upon loading my authentication URL (which happens to be at the auth_test/ sub directory of my domain, and clicking the sign in button, the console throws a 401 (unauthorized) for the get request sent /activites. I have researched the problem and see that this can be caused by an invalid token, but I dont see how that can be because everything has been setup in singin.php. Much help would be appreciated...

Solution

  • You need to reset the state of your app if disconnected to refresh the $tocken.

    Google API office Docs on Handling API Errors

    401: Invalid Credentials

    Invalid authorization header. The access token you're using is either expired or invalid.

    {   "error": {
>     "errors": [
>       {
>         "domain": "global",
>         "reason": "authError",
>         "message": "Invalid Credentials",
>         "locationType": "header",
>         "location": "Authorization",
>       }
>     ],
>     "code": 401,
>     "message": "Invalid Credentials"   } }

    Suggested action: Refresh the access token using the long-lived refresh token. If this fails, direct the user through the OAuth flow, as described in Authorizing Your App

    Also its is clearly commented in singin.php at line no. 98 :

        // Normally the state would be a one-time use token, however in our
    // simple case, we want a user to be able to connect and disconnect
    // without reloading the page.  Thus, for demonstration, we don't
    // implement this best practice.
    //$app['session']->set('state', '');

    Thus in your case it appears that your app is disconnected and thus causing the $token to become empty. Hence forcing this code block at line no: 91

    if (empty($token)) {
        // Ensure that this is no request forgery going on, and that the user
        // sending us this connect request is the user that was supposed to.
        if ($request->get('state') != ($app['session']->get('state'))) {
            return new Response('Invalid state parameter', 401);
        }