asp.net-mvc google-api postman oauth2-playground

Why do only OAuth 2.0 Playground access tokens work for Google API?


I have created OAuth 2.0 Playground access tokens using the following info:

  1. Select & Authorize APIs: https://www.googleapis.com/auth/consumersurveys https://www.googleapis.com/auth/userinfo.email

  2. GET https://www.googleapis.com/consumersurveys/v2/surveys

  3. This works (for me it returns a list of surveys I had created previously).

However, when I create access tokens using Postman OR retrieve them from the AspNetUserClaims table, those access tokens don't work.

Example #1: I get an access token in Postman for Google and add it to the Header (a checkmark appears for Bearer and token). I press Send in Postman and it returns "Invalid_Credentials". In case the token is expired or invalid, I delete it and create a new one to use in the header. Still fails.

POSTMAN info:
Auth URL: https://accounts.google.com/o/oauth2/auth
Access Token URL: https://accounts.google.com/o/oauth2/token
Client ID: hidden
Client Secret: hidden
Scope: https://www.googleapis.com/auth/userinfo.email
Grant Type: Authorization Code
Request access token locally is checked.

Example #2: I use the Google Sign-On button on my dev site which generates an access token that is then stored in the AspNetUserClaims table. I copy that access token into Postman (a checkmark appears also) and press Send and it also returns "Invalid_Credentials". In case the token is expired, I delete the newly created account and access token from all the AspNet user tables and try it again. Still fails.

Why is this only working with OAuth 2.0 Playground tokens in Postman? They are all newly generated tokens through the Postman token wizard or newly registered user accounts or the OAuth2.0 Playground wizard, but only the OAuth2.0 Playground tokens actually work...


Solution

  • Figured this out.

    I believe the issue was that the access token in Postman required more scopes to authenticate me fully, which makes sense since this API contains surveys that I am trying to access, which are also linked to a Google account. This started working only after I added the consumersurveys.readonly scope (using A SPACE) along with the userinfo.email scope, as outlined below.

    This SCOPE SETTING alone didn't work: https://www.googleapis.com/auth/userinfo.email

    This SCOPE SETTING with more permission to this API DID work! https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/consumersurveys.readonly

    More info on adding scopes to C# code can be found here: http://www.oauthforaspnet.com/providers/google/

    Hope this helps anyone else out there who runs into a similar issue.
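
The scope fix described in the answer, as an added Python example that is not part of the original post: it builds the space-delimited `scope` parameter for the authorization request and checks whether a token's granted scopes cover the surveys call. Assumptions: the function names, the placeholder client ID and redirect URI, and the constructed token metadata JSON with a space-delimited `scope` field.

```python
import json
from urllib.parse import urlencode

AUTH_URL = "https://accounts.google.com/o/oauth2/auth"  # from the question's Postman settings
EMAIL = "https://www.googleapis.com/auth/userinfo.email"
SURVEYS = "https://www.googleapis.com/auth/consumersurveys"
SURVEYS_RO = "https://www.googleapis.com/auth/consumersurveys.readonly"
# Per the page, the surveys list call worked with either of these scopes.
SURVEY_SCOPES = {SURVEYS, SURVEYS_RO}


def scope_param(scopes):
    """Join scopes with single spaces (RFC 6749 section 3.3)."""
    for s in scopes:
        if not s or any(c in s for c in " ,\t\n"):
            raise ValueError(f"scope must be one token without separators: {s!r}")
    return " ".join(dict.fromkeys(scopes))  # de-duplicate, keep order


def authorization_url(client_id, redirect_uri, scopes):
    """Build the authorization-code request URL; urlencode turns each space into '+'."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": scope_param(scopes)}
    return AUTH_URL + "?" + urlencode(query)


def granted_scopes(token_metadata_json):
    """Parse the space-delimited 'scope' field of token metadata (assumed shape)."""
    return set(json.loads(token_metadata_json).get("scope", "").split())


def can_list_surveys(token_metadata_json):
    """True if the token carries a scope the page reports as working for the surveys call."""
    return bool(granted_scopes(token_metadata_json) & SURVEY_SCOPES)


# Constructed metadata for the two tokens described in the answer.
EMAIL_ONLY = json.dumps({"scope": EMAIL, "expires_in": "3500"})
EMAIL_AND_SURVEYS = json.dumps({"scope": f"{EMAIL} {SURVEYS_RO}", "expires_in": "3500"})

if __name__ == "__main__":
    # Placeholder client ID and redirect URI, not values from the page.
    print(authorization_url("CLIENT_ID_PLACEHOLDER", "https://localhost/callback",
                            [EMAIL, SURVEYS_RO]))
    print(can_list_surveys(EMAIL_ONLY), can_list_surveys(EMAIL_AND_SURVEYS))
```

Checking the granted scopes before calling the API separates an under-scoped token from an expired or malformed one.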