Tags: oauth-2.0, google-oauth

Error in oAuth2 Google APIs - invalid_request "You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy"


I have a project in Google Cloud and an OAuth2 client (web application) created for it. As described in the Google docs for using OAuth2, I first sent an HTTP GET to obtain the authorization code.

https://accounts.google.com/o/oauth2/v2/auth?scope=<my_scope>&access_type=offline&include_granted_scopes=true&response_type=code&state=state_parameter_passthrough_value&redirect_uri=https%3A//localhost%3A7082/signin-google&flowName=GeneralOAuthFlow&client_id=<my_client_id>

This step seems to work fine as I am getting the authorization code for the same scope I requested.

The next step where I send the authorization code to get the access token

POST https://oauth2.googleapis.com/token
code:<code_retrieved_from_previous_step>
client_id:<my_client_id>
client_secret:<my_client_secret>
redirect_uri:https%3A//localhost%3A7082/signin-google
grant_type:authorization_code

always fails with the error:

{
  "error": "invalid_request",
  "error_description": "\nYou can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.\n\nYou can let the app developer know that this app doesn't comply with one or more Google validation rules.\n  "
}

Few things to note:

  1. My project is still in the 'Testing' stage and I suppose things like branding checks, verification, etc. can be paused for now. I am using only the test users to sign in.
  2. I tried creating a new project and a new set of client_id and client_secret but the error remains.
  3. I also went through the OOB deprecation that was done a while back but I think it doesn't affect web applications.
  4. I tried the /token step with a JSON payload as well as url_encoded format, but the result is the same.

I don't understand which policy is being violated here. Is there a way to understand the root cause here?


Solution

  • It looks like you are URL-encoding the redirect URL in the POST request when you shouldn't.

    While it's true that the POST data can use the application/x-www-form-urlencoded content type, the URL-encoding there is usually done by the library you use for sending the request. If you also encode it, it would cause issues, resulting in the URL being broken and not matching what's configured on Google's side.
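The double-encoding problem the answer describes, shown with an added example that is not part of the original question or answer. It builds the token request body with Python's standard urlencode(), then decodes it the way a form-parsing server would (one percent-decoding pass) and compares the resulting redirect_uri with the one registered on the client. The registered URI is taken from the question; the client id, secret and authorization code are constructed placeholders, and no network request is made.

```python
"""Added example (not from the original question or answer): shows why
pre-encoding redirect_uri in the token request breaks the exact match
against the URI registered in the Google Cloud console. Standard library
only, no network access; client values below are constructed placeholders."""
from urllib.parse import urlencode, parse_qs

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

# The redirect URI exactly as registered on the OAuth client (the value the
# question uses, un-encoded).
REGISTERED_REDIRECT_URI = "https://localhost:7082/signin-google"


def build_token_request_body(code, client_id, client_secret, redirect_uri):
    """Return the application/x-www-form-urlencoded body for the
    authorization_code grant. urlencode() is the one and only
    percent-encoding step, so callers must pass redirect_uri un-encoded."""
    params = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    return urlencode(params)


def redirect_uri_as_seen_by_server(body):
    """Decode the form body the way a token endpoint does (a single
    percent-decoding pass) and return the redirect_uri it would compare
    against the registered value."""
    return parse_qs(body, strict_parsing=True)["redirect_uri"][0]


def redirect_uri_matches(body, registered=REGISTERED_REDIRECT_URI):
    """True only if the decoded redirect_uri is byte-for-byte equal to the
    registered URI; authorization servers do exact matching here."""
    return redirect_uri_as_seen_by_server(body) == registered


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    code = "4/0AexampleAuthorizationCode"
    cid = "example-client-id.apps.googleusercontent.com"
    secret = "example-client-secret"

    # Correct: hand the library the raw URI and let it encode once.
    good = build_token_request_body(code, cid, secret, REGISTERED_REDIRECT_URI)
    # Mistake from the question: the URI is already percent-encoded, so
    # urlencode() turns "%3A" into "%253A" and the server decodes it only once.
    bad = build_token_request_body(
        code, cid, secret, "https%3A//localhost%3A7082/signin-google")

    for label, body in (("raw redirect_uri", good), ("pre-encoded redirect_uri", bad)):
        print(f"{label}: server sees {redirect_uri_as_seen_by_server(body)!r}, "
              f"matches registered URI: {redirect_uri_matches(body)}")
```

The same rule applies when building the authorization URL for the first GET: assemble the query string with urlencode() from the raw values rather than hand-encoding pieces of it, so each parameter is percent-encoded exactly once regardless of which HTTP library sends the request.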