Google's oauth endpoint is returning a 'Bad Request'… but why?

问题

After a lot of time wasted googling for the possible reasons for a 'Bad Request' when requesting for a token at https://accounts.google.com/o/oauth2/token, I decided to ask why this code can't obtain nothing but a 'bad request' response from the server...

String url = "https://accounts.google.com/o/oauth2/token";
HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();
con.setChunkedStreamingMode(0);
con.setRequestMethod("POST");
con.setRequestProperty("Host", "accounts.google.com");
con.setRequestProperty("Content-Type",
        "application/x-www-form-urlencoded");
con.setRequestProperty("code", authCode);
con.setRequestProperty("client_id",
        "[CLIENT_ID]");
con.setRequestProperty("client_secret", "[CLIENT_SECRET");
con.setRequestProperty("redirect_uri",
        "http://localhost:8080/login");
con.setRequestProperty("grant_type", "authorization_code");

// Send post request
con.setDoOutput(true);

I did have to set con.setChunkedStreamingMode(0) because the server was returning an error related to content length.

Any ideas? Could it be necessary to put the payload in a single line? how?

回答1:

I believe the reason for the HTTP 400 (Bad Request) is you are sending code, client_id, client_secret, grant_type, and redirect_uri as HTTP request headers where you need to be sending them as query parameters in the body of the HTTP POST request (according to the Google OAuth2InstalledApp docs).

Take a look at Using java.net.URLConnection to fire and handle HTTP requests for a good example of how to send the HTTP POST. You'll need to take code, client_id, etc. and write them as a query string in the body:

// partial example only: only code and client_id are included
String query = String.format("code=%s&client_id=%s", code, client_id);  
OutputStream out = con.getOutputStream();
out.write(query.getBytes("UTF-8"));

From the Google OAuth2 documentation, a sample HTTP POST request might look something like this:

POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded

code=4/v6xr77ewYqhvHSyW6UJ1w7jKwAzu&
client_id=8819981768.apps.googleusercontent.com&
client_secret={client_secret}&
redirect_uri=https://oauth2-login-demo.appspot.com/code&
grant_type=authorization_code

来源：https://stackoverflow.com/questions/19625621/googles-oauth-endpoint-is-returning-a-bad-request-but-why