
Error 400: invalid_scope Some requested scopes cannot be shown: [https://www.googleapis.com/auth/homegraph]


So I'm trying to use the Home Graph API by calling the API endpoint

https://homegraph.googleapis.com/v1/devices:requestSync

It is an HTTP POST request and it needs an ACCESS_TOKEN and service account key.

Getting the service account key is easily done as per Google's documentation. The issue is getting the ACCESS_TOKEN.

As per this documentation by Google, I need to get ACCESS_TOKEN created using the following scope of permissions

https://www.googleapis.com/auth/homegraph

I opened OAuth 2.0 Playground to request a developer temporary ACCESS_TOKEN for testing. I wrote all the necessary URLs, and in scope I wrote this: (screenshot: scope is written to be authorized)

Now after this, I am navigated to my Authorization URL (i.e., Google's sign-in page). I log in with email ID and password.

If credentials are correct and scope mentioned is valid then I should have been redirected to OAuth playground page with authorization code which I would have exchanged for access token and refresh token.

But what actually happens is that after I enter my credentials, I get the following error and I am never redirected to the OAuth Playground page:

Authorization Error

Error 400: invalid_scope

Some requested scopes cannot be shown: [https://www.googleapis.com/auth/homegraph]

Request Details

access_type=offline

o2v=2

response_type=code

redirect_uri=https://developers.google.com/oauthplayground

prompt=consent

client_id=xxxxxxxxx.apps.googleusercontent.com

scope=https://www.googleapis.com/auth/homegraph

I searched a lot online too, but couldn't find the actual reason. So due to this issue with scope, I am not able to get ACCESS_TOKEN.

I have followed Google's documentation and the scope was mentioned there.

This is the pic from the OAuth 2.0 Playground settings: (screenshot: OAuth 2.0 configuration)


Solution

  • The issue is that you, a user, should not be getting and sending an access token. The service account should be getting and sending an access token. This is to make sure your service is authorized to talk to the Home Graph API.

    You indicated you logged into the OAuth playground with "userid and password". But service accounts don't have passwords.

    If you are using one of Google's libraries, it will take care of getting the access token for you, and this is the easiest way to do so. If you are just testing and need an access token, you can use something like oauth2l to get the access token based on the service account credentials.
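The service-account flow this answer describes, as an added example (not code from the answer or from Google's libraries): the service account signs a JWT with its own private key and exchanges it at the token endpoint, so no sign-in page or consent screen is involved. The function names, the key-file path and the agentUserId value are assumptions, and signing relies on the third-party `cryptography` package.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

SCOPE = "https://www.googleapis.com/auth/homegraph"
TOKEN_URI = "https://oauth2.googleapis.com/token"
REQUEST_SYNC_URL = "https://homegraph.googleapis.com/v1/devices:requestSync"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def signing_input(key: dict, now: int) -> str:
    """Header and claims the service account signs; the issuer is the service
    account's e-mail address, not a human user."""
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    claims = {"iss": key["client_email"], "scope": SCOPE, "aud": TOKEN_URI,
              "iat": now, "exp": now + 3600}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))

def signed_assertion(key: dict, now: int) -> str:
    """RS256-sign the assertion with the private key from the key file."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    message = signing_input(key, now)
    pem = key["private_key"].encode()
    private_key = serialization.load_pem_private_key(pem, password=None)
    signature = private_key.sign(message.encode(), padding.PKCS1v15(), hashes.SHA256())
    return message + "." + b64url(signature)

def post(url: str, body: bytes, headers: dict) -> dict:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def request_sync(key_file: str, agent_user_id: str) -> dict:
    """Exchange the signed JWT for an access token, then call requestSync."""
    with open(key_file) as fh:
        key = json.load(fh)  # the downloaded service account key (JSON)
    form = urllib.parse.urlencode({"grant_type": JWT_BEARER,
                                   "assertion": signed_assertion(key, int(time.time()))})
    token = post(TOKEN_URI, form.encode(),
                 {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    return post(REQUEST_SYNC_URL, json.dumps({"agentUserId": agent_user_id}).encode(),
                {"Authorization": "Bearer " + token, "Content-Type": "application/json"})
```

Call `request_sync("service-account-key.json", "<agentUserId>")` with your own key file and user ID; the key file holds a private key, so keep it out of source control and client-side code.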