2

I am writing an application that uses the Spreadsheets API. Because I am using the write scope, which is sensitive, the OAuth2 redirect URI must use https instead of http (except when using localhost).

The credential object used in my API calls is fetched like this:

@Bean
public Credential credential(@Autowired LocalServerReceiver localServerReceiver) throws GeneralSecurityException, IOException {
    HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
    // Load client secrets from your credentials JSON file
    InputStream credentialsStream = Talespire.class.getResourceAsStream(GOOGLE_SHEETS_CLIENT_SECRET_JSON);
    GoogleClientSecrets clientSecrets = GoogleClientSecrets.load(JSON_FACTORY, new InputStreamReader(credentialsStream));
    // Set up authorization code flow
    GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
            httpTransport, JSON_FACTORY, clientSecrets, SCOPES)
            .setDataStoreFactory(new FileDataStoreFactory(new java.io.File("tokens")))
            .setAccessType("offline")
            .setApprovalPrompt("force")
            .build();

    return new AuthorizationCodeInstalledApp(flow, localServerReceiver).authorize("user");
}

The injected LocalServerReceiver is set up using the Builder it provides. In my dev environment, I set it up using localhost as host, which works fine since it does not require http. However, when moving to the production environment, there is no way to set the host (which is used to determine the callback URL) to use the https scheme. If I set host to https://app.domain.com, the resulting callback URL becomes http://https://app.domain.com/Callback, which is obviously wrong. If I sneakily try to manually change the redirect-uri parameter in the authentication URL (to use https instead of http), I get an authorization error (Error 400: bad_request) from Google when opening it in the browser. I am suspecting https requires additional parameters or something, but I cannot find any documentation about it.

The LocalServerReceiver code (source https://github.com/googleapis/google-oauth-java-client/blob/main/google-oauth-client-jetty/src/main/java/com/google/api/client/extensions/jetty/auth/oauth2/LocalServerReceiver.java) is hardcoded to use the http scheme (line 138), so I do not see a built-in method to set this up with the https scheme, like specified.

Does anybody know how I can get around this?

Relevant libs/dependencies:

  • LocalServerReceiver: google-oauth-client-jetty-1.34.1.jar
  • GoogleAuthorizationCodeFlow: google-api-client-1.35.2.jar
  • AuthorizationCodeInstalledApp: google-oauth-client-java6-1.34.1.jar

edit: While reading through this post, it strikes me that perhaps the AuthorizationCodeInstalledApp is not the correct class to use to generate the Credential object here (based on its name and the fact that the dependency uses "java6" in its name). Could this be the case, and that I need to use a different class for this? And if so, which one should I use?

2
  • You're using code for an installed app ("AuthorizationCodeInstalledApp"). Make sure you created native app credentials in the Google developer console. I suspect you have created web app credentials. The redirect URI won't be an issue once you are using the correct type of credentials. Commented Nov 4, 2023 at 13:46
  • Hi, I have exactly the same problem. LocalServerReceiver is hard coded to create an http callback, but in production you must have https and hence I cannot authenticate. Did you ever solve this problem? Commented Feb 23, 2024 at 17:04

2 Answers

1

I struggled a long time with this issue.

I think that the LocalServerReceiver class used in the Google quickstart code is not intended for anything other than a local test of your app.

I've made a working sample project here https://github.com/kemkem/google-drive-oauth-spring-boot


0

There are several types of apps you can create. Let's look at two; these two have redirect URIs.

  1. web
  2. installed

The redirect URI tells the authorization server where to return the authorization code to. In the case of a web app, it would be the domain where the app is hosted. In the case of an installed app, it is localhost or the machine the app is running on. That is why installed apps have an inbuilt redirect URI hard coded in the code.

If you are creating an installed app, you use AuthorizationCodeInstalledApp and create native app credentials. These credentials do not have the ability to change the redirect URI, as it's built in, as you have seen.

Web apps, on the other hand, use GoogleAuthorizationCodeFlow.Builder and send the redirect URI that is configured in your application. They require that you create web app credentials and configure the redirect URI in Google Cloud Console.

So I suspect you have one of two issues.

  1. You are currently using code for an installed app. Make sure you created native app credentials.
  2. You are trying to create a web app and are using the wrong code. Change your code to support web application.
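The web-application variant described in this answer, as an added example that is not part of the original answers or of the Google client library. It assumes Spring Boot 3 (jakarta.servlet), that the GoogleAuthorizationCodeFlow built in the question is exposed as a bean, and that REDIRECT_URI is registered on a Web application OAuth client; the class name, the /authorize path and the session attribute name are hypothetical.

```java
import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeFlow;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import jakarta.servlet.http.HttpServletResponse; // javax.servlet on Spring Boot 2
import jakarta.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

@RestController
public class GoogleOAuthController { // hypothetical name
    // Assumption: identical, character for character, to an authorized redirect URI
    // configured on a Web application OAuth client in Google Cloud Console.
    private static final String REDIRECT_URI = "https://app.domain.com/Callback";
    private static final SecureRandom RANDOM = new SecureRandom();
    private final GoogleAuthorizationCodeFlow flow; // built as in the question

    public GoogleOAuthController(GoogleAuthorizationCodeFlow flow) { this.flow = flow; }

    @GetMapping("/authorize")
    public void authorize(HttpSession session, HttpServletResponse response) throws IOException {
        // A random per-session state ties the callback to this browser session (CSRF defence).
        String state = new BigInteger(130, RANDOM).toString(32);
        session.setAttribute("oauth_state", state);
        response.sendRedirect(flow.newAuthorizationUrl()
                .setRedirectUri(REDIRECT_URI).setState(state).build());
    }

    @GetMapping("/Callback")
    public String callback(@RequestParam("code") String code, @RequestParam("state") String state,
                           HttpSession session) throws IOException {
        String expected = (String) session.getAttribute("oauth_state");
        session.removeAttribute("oauth_state"); // state is single use
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8))) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "state mismatch");
        }
        // The token request must repeat the redirect URI sent in /authorize.
        GoogleTokenResponse tokens = flow.newTokenRequest(code)
                .setRedirectUri(REDIRECT_URI).execute();
        // "user" is the single store key from the question; use a per-user id when multi-user.
        Credential credential = flow.createAndStoreCredential(tokens, "user");
        return credential.getRefreshToken() != null ? "authorized (offline)" : "authorized";
    }
}
```

Later API calls can obtain the stored credential with flow.loadCredential("user") instead of running AuthorizationCodeInstalledApp with a LocalServerReceiver.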
