Google's OAuth Pain: Token invalid - AuthSub token has wrong scope

While I'd been meaning to play with Google's applications - and integrating them with our own Affinity - for some time, the launch of the Marketplace pushed this experimentation up the priority list.

After spending a fair bit of time hacking on a Sunday, I'd managed to re-purpose our OAuth platform to play nicely with Google, including their requirement that the scope parameter be passed as part of the request-token step.

Regardless, I'd gotten really, really frustrated with a persistent error. While the cause is now obvious, I missed it and it cost me a few hours and a lot of frustration, so hopefully this post will help someone else who runs into it in the future.

After correctly getting my token and secret for a specific user - and asking for quite a few scope options - I was still getting the error "Token invalid - AuthSub token has wrong scope" when I tried to access a document list via OAuth.

While this error talks about AuthSub, I've now discovered it is really a generic error message: it is returned whenever the scope the token was granted doesn't cover the resource you're requesting, whether the token came from OAuth or AuthSub. This confusing error message had me off the scent for a while as I started to wonder whether OAuth was supported as widely as I had expected, whether there was a difference between paid and free accounts, and so on...

The problem in my case was that I'd requested the scope http://docs.google.com/feeds/, but, following the example code in Google's Documents Developer Guide, I was then querying https://docs.google.com/feeds/.

To emphasise: GOOGLE TREATS HTTP AND HTTPS AS COMPLETELY DIFFERENT in its non-standard 'scope' extension to OAuth (OAuth 1.0 itself has no scope parameter; Google adds one to the request-token call). A scope is matched as a URL prefix, and the scheme is part of that prefix, so a token granted for http://docs.google.com/feeds/ does not authorise a request to https://docs.google.com/feeds/. From a security standpoint that is defensible, since the two are different origins; the practical consequence is that the right fix is to request the https scope and talk to the API over https, not to downgrade your requests to plain http so that they match an http scope.
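The following is an added example, not code from the post or from Google's libraries. It builds the signed OAuth 1.0a request-token parameters with Google's extra `scope` parameter included in the signature base string (so the scope cannot be altered after signing), and then models the server-side check that produced the error above: each granted scope is a URL prefix, scheme included, so an http scope fails to cover an https feed URL while the https scope passes. The request-token endpoint and the document-list feed URL are assumptions for illustration, the credentials are constructed, and `scope_covers` is a simplified model of the observed behaviour rather than Google's actual code.

```python
"""OAuth 1.0a request-token parameters with Google's `scope` extension, plus a
scheme-sensitive scope check modelling the mismatch described in the post.
Added example; not the post's code or Google's library."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Request-token endpoint assumed for illustration; verify against Google's docs.
REQUEST_TOKEN_URL = "https://www.google.com/accounts/OAuthGetRequestToken"


def pct(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ left bare)."""
    return quote(value, safe="-._~")


def sign_request(method: str, url: str, params: dict, consumer_secret: str,
                 token_secret: str = "") -> str:
    """HMAC-SHA1 signature over the OAuth 1.0a signature base string.

    `scope` is an ordinary request parameter, so it is part of the base
    string: a scope changed after signing invalidates the signature.
    """
    # Encode names and values first, then sort by encoded name, then value.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    # Request-token step has no token secret yet, so the key ends in "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def request_token_params(consumer_key: str, consumer_secret: str, scope: str,
                         callback: str, nonce=None, timestamp=None) -> dict:
    """Parameters for GET OAuthGetRequestToken, including Google's `scope`."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
        "oauth_callback": callback,
        "scope": scope,  # space-separated scope URLs (Google extension)
    }
    # Sign everything above; the signature itself is never part of the base string.
    params["oauth_signature"] = sign_request("GET", REQUEST_TOKEN_URL, params,
                                             consumer_secret)
    return params


def scope_covers(granted_scope: str, resource_url: str) -> bool:
    """Simplified model of the server-side check (not Google's actual code):
    each granted scope is a URL prefix and the scheme is part of it, so an
    http:// scope does not cover an https:// resource."""
    return any(resource_url.startswith(s) for s in granted_scope.split())


# Constructed demo values, not real credentials or a verified endpoint.
CONSUMER_KEY = "example.com"
CONSUMER_SECRET = "not-a-real-secret"
DOC_LIST_URL = "https://docs.google.com/feeds/default/private/full"  # assumed


def demo() -> dict:
    """Reproduce the mismatch and the fix; returns both coverage results."""
    wrong = request_token_params(CONSUMER_KEY, CONSUMER_SECRET,
                                 "http://docs.google.com/feeds/",
                                 "https://example.com/oauth/callback")
    right = request_token_params(CONSUMER_KEY, CONSUMER_SECRET,
                                 "https://docs.google.com/feeds/",
                                 "https://example.com/oauth/callback")
    return {
        "http_scope_covers_https_feed": scope_covers(wrong["scope"], DOC_LIST_URL),
        "https_scope_covers_https_feed": scope_covers(right["scope"], DOC_LIST_URL),
    }


if __name__ == "__main__":
    for name, covered in demo().items():
        print(f"{name}: {covered}")
```

Running it shows the http-scope token failing the check for the https feed and the https-scope token passing, which is exactly the difference between the error above and a working request. Note also that because `scope` is signed, you cannot quietly swap the scheme in the scope after the user has approved the token; the signature and the grant both have to be made with the scheme you will actually use.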

To make matters worse, even when you explicitly ask for https-based feed scopes, Google doesn't show them to the user as such. It seems that in some cases Google treats the http/https distinction as irrelevant, but where it does enforce it, the error message it gives you is no use at all.

Unfortunately, Google's own access summary interface doesn't clarify which of the listed domains were granted as http and which as https.

So, in summary: if you're getting a "Token invalid - AuthSub token has wrong scope" error when using OAuth (or AuthSub, for that matter), make sure the scope you requested uses the same scheme as the URL you're actually calling; http vs https makes a very big difference. Resolve the mismatch by requesting the https scope and keeping your requests on https, rather than dropping back to plain http to match an http scope.