Google Drive OAuth 2 flow giving invalid_scope error

Solution 1

I experienced a similar problem. The solution was to pass an array of scopes to the google client:

google_client.authorization.scope = [
  'https://www.googleapis.com/auth/calendar.readonly',
  'https://www.googleapis.com/auth/drive.appdata'
]

rather than a concatenated string of scopes:

google_client.authorization.scope = "https://www.googleapis.com/auth/calendar.readonly%2Bhttps://www.googleapis.com/auth/drive.appdata"

The GET request in the Rails log looked identical, but the result was very different!

Solution 2

The new Google API (at the time this answer was posted) requires the scope attribute to be a single string, with the scopes separated by white space, like this:

var SCOPES = "https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/gmail.send";

gapi.auth2.init({
    client_id: CLIENT_ID,
    scope: SCOPES
}).then(...)
Author by

Ben Dilts

Updated on July 16, 2021
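
The wire-level difference between the scope formats in the two answers above, as an added Ruby example (not code from either answer or from Google's client libraries). Per RFC 6749 section 3.3 the scope parameter is one space-delimited string; `REGISTERED`, the helper names and the simplified server-side check are assumptions made for illustration.

```ruby
require 'uri'

# Scopes taken from the first answer on this page.
SCOPES = %w[
  https://www.googleapis.com/auth/calendar.readonly
  https://www.googleapis.com/auth/drive.appdata
].freeze

# Assumption: stands in for the scopes the authorization server recognises.
REGISTERED = SCOPES

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = /\A[\x21\x23-\x5B\x5D-\x7E]+\z/

# Client side: accept an array or a space-delimited string and return the
# single space-delimited value that the scope parameter carries.
def scope_value(scopes)
  tokens = scopes.is_a?(String) ? scopes.split(' ') : Array(scopes)
  bad = tokens.reject { |t| SCOPE_TOKEN.match?(t) }
  raise ArgumentError, "malformed scope token: #{bad.inspect}" unless bad.empty?
  tokens.uniq.join(' ')
end

# Client side: form-encode the parameters exactly once.
def build_query(params)
  URI.encode_www_form(params)
end

# Server side (simplified): decode the query, split the scope value on
# spaces, and return every token that is not registered.
def unknown_scopes(query)
  scope = URI.decode_www_form(query).to_h.fetch('scope', '')
  scope.split(' ') - REGISTERED
end

if __FILE__ == $PROGRAM_NAME
  good = build_query(scope: scope_value(SCOPES))
  # Constructed bad input: the separator sent as an encoded plus sign.
  plus = good.sub('+', '%2B')
  puts good
  puts "space-delimited -> unknown: #{unknown_scopes(good).inspect}"
  puts "%2B-delimited   -> unknown: #{unknown_scopes(plus).inspect}"
end
```

In a form-encoded query `+` and `%20` both decode to a space, while `%2B` decodes to a literal plus sign. The `%2B`-joined value therefore reaches the server as one syntactically valid but unregistered scope token.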

Comments

  • Ben Dilts almost 3 years

    My Google Drive app requests the following scopes when exchanging a code for an access token:

    https://www.googleapis.com/auth/drive.file
    https://www.googleapis.com/auth/userinfo.email
    https://www.googleapis.com/auth/userinfo.profile
    https://www.googleapis.com/auth/drive.install
    

    In particular, this is the query string of the URL that is eventually being requested from Google during the exchange:

    code=XXXXXXXXXX&grant_type=authorization_code&redirect_uri=XXXXXXXXXXX&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.install&client_id=XXXXXX.apps.googleusercontent.com&client_secret=XXXXXX

    The response is a 400 error, with the error message "invalid_scope". What am I doing wrong?

    [Edit] Additional information:

    The error only happens when the user clicks through from Google Drive to create a new document. If I initiate the authentication/authorization flow from my own app, the list of scopes is accepted just fine. If the user clicks through the actual Drive app to create a new document, I get invalid_scopes.

    The invalid scope is drive.install. If I remove that from the list of requested scopes when the user shows up to create a new document, things start working again. Does that make any sense at all? If the user has the Drive app installed already via us requesting that scope, why would requesting that same scope when the user shows up from the Drive app cause a problem of any kind?