I'm trying to migrate existing OAuth1.0 3L tokens to OAuth2.0 for a web app.
I am following the instructions at https://developers.google.com/accounts/docs/OAuth_ref
Despite all my best efforts, I keep getting this response:
"Invalid authorization header."
To create the Authorization header, I use Google's Java client library 1.0, the same I use in the application to talk to google calendar.
I am testing with an access token. token secret, consumer key and consumer secret that work without problem (i.e. I can use these credentials to make calls to Google Calendar, etc).
This is the code I use:
OAuthParameters oauthParameters = new OAuthParameters();
oauthParameters.setOAuthConsumerKey("www.mywebsite.com"); // this is the same consumer key used by my app normally, without problem. mywebsite is an example, the real name is different
oauthParameters.setOAuthConsumerSecret("XXXXX");
oauthParameters.setOAuthToken("YYYYY");
oauthParameters.setOAuthTokenSecret("ZZZZZZ");
OAuthHmacSha1Signer signer = new OAuthHmacSha1Signer();
OAuthHelper oauthHelper = new GoogleOAuthHelper(signer);
String requestUrl = "https://accounts.google.com/o/oauth2/token";
String header = oauthHelper.getAuthorizationHeader(requestUrl, "POST", oauthParameters);
String payload = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Amigration%3Aoauth1&client_id="+clientId+"&client_secret="+clientSecret;
HttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost(requestUrl);
httpPost.addHeader("Authorization", header);
httpPost.addHeader("Content-Type", "application/x-www-form-urlencoded");
httpPost.setEntity(new ByteArrayEntity(payload.getBytes()));
String response = httpClient.execute(httpPost, new BasicResponseHandler());
and this is the wire trace produced by HttpClient:
>> "POST /o/oauth2/token HTTP/1.1[
][
]"
>> "Authorization: OAuth realm="", oauth_signature="ixVbjINI6pgPU2RqXGiQRbPGY%3D", oauth_nonce="486642280771700", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="www.mywebsite.com", oauth_token="YYYYY", oauth_timestamp="1395127834"[
][
]"
>> "Content-Type: application/x-www-form-urlencoded[
][
]"
>> "Content-Length: 193[
][
]"
>> "Host: accounts.google.com[
][
]"
>> "Connection: Keep-Alive[
][
]"
>> "User-Agent: Apache-HttpClient/4.3.2 (java 1.5)[
][
]"
>> "[
][
]"
>> "grant_type=urn%ietf%params%oauth%grant-type%migration%oauth1&client_id=12345&client_secret=ABCDE"
<< "HTTP/1.1 400 Bad Request[
][
]"
<< "Cache-Control: no-cache, no-store, max-age=0, must-revalidate[
][
]"
<< "Pragma: no-cache[
][
]"
<< "Expires: Fri, 01 Jan 1990 00:00:00 GMT[
][
]"
<< "Date: Tue, 18 Mar 2014 07:30:39 GMT[
][
]"
<< "Content-Type: application/json[
][
]"
<< "X-Content-Type-Options: nosniff[
][
]"
<< "X-Frame-Options: SAMEORIGIN[
][
]"
<< "X-XSS-Protection: 1; mode=block[
][
]"
<< "Server: GSE[
][
]"
<< "Alternate-Protocol: 443:quic[
][
]"
<< "Transfer-Encoding: chunked[
][
]"
<< "[
][
]"
<< "5a[
][
]"
<< "{[
]"
<< " "error" : "invalid_request",[
]"
<< " "error_description" : "Invalid authorization header."[
]"
<< "}"
<< "[
][
]"
<< "0[
][
]"
<< "[
][
]"
where 12345 and ABCDE are obviously placeholders for the real OAuth2 app credentials.
I have double and triple checked that all the parameters set in OAuthParameters are the same used by the normal code that is currently working using OAuth1 (even using a step-by-step debugger to verify the values at the time the signature is calculated by OAuthHmacSha1Signer.getSignature()).
I looked at the Authorization header in HTTP requests sent by the current Google Client APIs that use OAuth1 (and that work fine), and apart obviously from signature, nonce and timestamp they look identical to the one sent by this migration call.
I even tried a test migration request , which failed, then used a debugger to run the old code and inject method, URL, nonce and timestamp used by the migration call, and the signature calculated by the old code was identical, given identical params.
Any clues of why the Authorization header is still reported as invalid?
See Question&Answers more detail:
os 
