[SOLVED] Google Ads oauth2l fetching a refresh token reports missing 'type' field in credentials

Google Ads oauth2l fetching a refresh token reports missing 'type' field in credentials

I am following Google Ads documentation to fetch a refresh token. I have got to this step: https://developers.google.com/google-ads/api/docs/get-started/make-first-call#fetch_a_refresh_token

oauth2l fetch --credentials credentials.json --scope adwords \
    --output_format refresh_token

When I run the above command I get the error missing 'type' field in credentials

I found answers similar to this: https://github.com/GeneralElectric/GABeat/issues/2

So I tried adding "type": "service_account" to the json file but then I get this error instead: "private key should be a PEM or plain PKCS1 or PKCS8; parse error: asn1: syntax error: sequence truncated"

Below is the credentials.json file (after I added the "type" field). The original was downloaded during this step of the Google Ads documentation: https://developers.google.com/google-ads/api/docs/get-started/oauth-cloud-project#id-secret

{
  "type": "service_account",
  "web": {
    "client_id": "XXXXXXXXXX.apps.googleusercontent.com",
    "project_id": "XXXXXXXXXX",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "XXXXXXXXXX",
    "javascript_origins": [
      "https://XXXXXXXXXX.co.uk"
    ]
  }
}

Solution

It looks as if oauth2l only executes a three-legged OAuth2 flow when a localhost redirect URL is included in the credentials file and gives a somewhat misleading error message if that's not the case.

This version of credentials.json should work:

{
  "web": {
    "client_id": "XXXXXXXXXX.apps.googleusercontent.com",
    "project_id": "XXXXXXXXXX",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "XXXXXXXXXX",
    "javascript_origins": [
      "https://XXXXXXXXXX.co.uk"
    ],
    "redirect_uris": [
      "http://localhost"
    ]
  }
}

Note that the flow might then still not work at a later stage because you also need to configure the given redirect URLs in the settings of your OAuth client in the GCP console. To fix that, you might need to create a new OAuth application of type "Desktop app" as indicated in the documentation you linked to.