Tags: aws-lambda, oauth, google-oauth, aws-api-gateway

Lambda endpoint for the Google OAuth callback does not receive the access_token


My server, which is invoked when a user finishes the OAuth consent flow, does not contain the full URL that the callback is invoked with. Everything after the `#` is removed.

Callback full url seen in the browser:

https://<domain>/google-drive/callback
  #access_token=<token>
  &token_type=Bearer&expires_in=3599
  &scope=https://www.googleapis.com/auth/drive.file%20https://www.googleapis.com/auth/drive.install

API Gateway event received by the server:

{
  version: '2.0',
  routeKey: 'GET /google-drive/callback',
  rawPath: '/google-drive/callback',
  rawQueryString: '',
  headers: {
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'accept-encoding': 'gzip, deflate, br',
    'accept-language': 'en-US,en;q=0.5',
    'content-length': '0',
    host: 'kjndf98n49v.execute-api.us-east-1.amazonaws.com',
    'sec-fetch-dest': 'document',
    'sec-fetch-mode': 'navigate',
    'sec-fetch-site': 'none',
    'sec-fetch-user': '?1',
    'upgrade-insecure-requests': '1',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0',
    'x-amzn-trace-id': 'Root=1-6609a719-148a9dd90fa586d725643c88',
    'x-forwarded-for': '68.23.54.13',
    'x-forwarded-port': '443',
    'x-forwarded-proto': 'https'
  },
  queryStringParameters: {},
  requestContext: {
    accountId: '87438545',
    apiId: 'kjndf98n49v',
    domainName: 'kjndf98n49v.execute-api.us-east-1.amazonaws.com',
    domainPrefix: 'kjndf98n49v',
    http: {
      method: 'GET',
      path: '/google-drive/callback',
      protocol: 'HTTP/1.1',
      sourceIp: '65.30.11.25',
      userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0'
    },
    requestId: 'lkljSDLVK=',
    routeKey: 'GET /google-drive/callback',
    stage: '$default',
    time: '31/Mar/2024:18:10:33 +0000',
    timeEpoch: 1711908633334
  },
  isBase64Encoded: false
}

OAuth Start Url:

https://accounts.google.com/o/oauth2/v2/auth
  ?client_id=<client-id>
  &redirect_uri=https://kjndf98n49v.execute-api.us-east-1.amazonaws.com/google-drive/callback
  &response_type=access_token
  &scope=https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/drive.install

Solution

  • The callback URL that's being received contains a `#` fragment. Fragments are not sent to the server.

    The reason Google includes the fragment in the URL is that the OAuth start URL's response_type is set to access_token.

    If you change the value to code, Google will format the callback to use query string parameters and the ApiGatewayProxyEvent will contain the access token.

    response_type=code is meant for server integrations, while response_type=access_token is meant for web applications.

    The OAuth spec also has documentation on the values you can set in an OAuth authorization flow request.
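The code-flow callback the answer recommends, as an added example that is not part of the original question or answer. It assumes a Node.js Lambda behind the HTTP API (payload format 2.0, matching the event above), the redirect URI from the question, GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variables, and that the start URL also carried a `state` parameter whose value was stored in an `oauth_state` cookie before redirecting to Google; all of those names are assumptions. The token endpoint is Google's documented one. `serverVisibleParams` shows the first bullet directly: for the fragment-style URL from the question it returns nothing, because only the query string ever leaves the browser.

```javascript
// Added example, not code from the original question or answer.
// Assumed: Node.js Lambda behind an HTTP API (payload format 2.0), the
// redirect URI from the question, GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET
// environment variables, and a `state` value carried on the start URL and
// stored in an `oauth_state` cookie before the redirect to Google.

const TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"; // Google's token endpoint
const REDIRECT_URI =
  "https://kjndf98n49v.execute-api.us-east-1.amazonaws.com/google-drive/callback";

// All a server ever sees of a callback URL is the query string. The fragment
// (#access_token=...) stays in the browser and is never transmitted, which is
// why the event in the question has rawQueryString: ''.
function serverVisibleParams(callbackUrl) {
  return Object.fromEntries(new URL(callbackUrl).searchParams);
}

// Constant-time string comparison for the state check.
function stateMatches(received, expected) {
  if (typeof received !== "string" || typeof expected !== "string") return false;
  if (received.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < received.length; i++) {
    diff |= received.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// With response_type=code, Google redirects with ?code=...&state=..., which
// API Gateway forwards in event.queryStringParameters.
function extractAuthorizationCode(event, expectedState) {
  const params = event.queryStringParameters || {};
  if (params.error) {
    throw new Error(`authorization failed: ${params.error}`);
  }
  if (!stateMatches(params.state, expectedState)) {
    throw new Error("state mismatch: callback not tied to a flow this server started");
  }
  if (!params.code) {
    throw new Error("callback carried no authorization code");
  }
  return params.code;
}

// Back-channel request that exchanges the one-time code for tokens. The
// client secret is sent server-to-server here and never appears in a redirect.
function buildTokenExchangeRequest(code, { clientId, clientSecret, redirectUri }) {
  const body = new URLSearchParams({
    code,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
    grant_type: "authorization_code",
  });
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Reads the assumed oauth_state cookie from the HTTP API event's cookies array.
function expectedStateFromCookies(event) {
  for (const cookie of event.cookies || []) {
    const eq = cookie.indexOf("=");
    if (eq > 0 && cookie.slice(0, eq).trim() === "oauth_state") {
      return cookie.slice(eq + 1);
    }
  }
  return undefined;
}

// Lambda handler. `fetchImpl` is injectable so the flow can be exercised
// without network access; in production it is Node's global fetch.
async function handler(event, context, fetchImpl = globalThis.fetch) {
  let code;
  try {
    code = extractAuthorizationCode(event, expectedStateFromCookies(event));
  } catch (err) {
    return { statusCode: 400, body: err.message };
  }
  const req = buildTokenExchangeRequest(code, {
    clientId: process.env.GOOGLE_CLIENT_ID,
    clientSecret: process.env.GOOGLE_CLIENT_SECRET,
    redirectUri: REDIRECT_URI,
  });
  const resp = await fetchImpl(req.url, req);
  if (!resp.ok) {
    return { statusCode: 502, body: "token exchange failed" };
  }
  const tokens = await resp.json(); // { access_token, expires_in, refresh_token?, scope, token_type }
  // Persist `tokens` server-side (for example keyed by the user's session);
  // never hand the access token back to the browser in the response body.
  return { statusCode: 200, body: `Google Drive connected (${tokens.token_type})` };
}
```

The state check is what keeps a callback bound to the browser session that started the flow; without it any visitor could complete the callback with a code of their own. Because the exchange happens over the back channel, the access token is returned only to the Lambda, which is the property the asker wanted.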