Home/ Questions/Q 8386155
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T17:51:27+00:00

I have a Rails website that has Google OAUTH2 implemented and working. We are

  • 0

I have a Rails website that has Google OAUTH2 implemented and working.

We are developing an iOS app, which is going to talk to my web server using APIs. Some of the APIs need the user to be authenticated. The idea, is that the iOS app authenticates the user using OAUTH2 on the device, then POSTs the token over SSL from the device to the web as the authentication. I need the website to verify the token.

In the Google API console, I added the client ID for the iPhone device, and got an access token by going to:

https://accounts.google.com/o/oauth2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id={my client id}

Then, I pass the token to my site. On my site, I validate the token via:

google = OmniAuth::Strategies::GoogleOauth2.new(ENV['GOOGLE_API_KEY'],['GOOGLE_CLIENT_API_SECRET'])
client = OAuth2::Client.new(ENV['GOOGLE_API_KEY'],['GOOGLE_CLIENT_API_SECRET'], google.options.client_options)
access_token = OAuth2::AccessToken.new(client, params[:token], google.options.access_token_options || {})
google.access_token = access_token
google.auth_hash

When I attempt to auth_hash, the following error is returned:

 {
  "error": {
   "errors": [
    {
     "domain": "global",
     "reason": "authError",
     "message": "Invalid Credentials",
     "locationType": "header",
     "location": "Authorization"
    }
   ],
   "code": 401,
   "message": "Invalid Credentials"
  }
 }

From here, I have no clue why I have specified invalid credentials.

ENV['GOOGLE_API_KEY'] points to the same API key as the website, and ENV['GOOGLE_CLIENT_API_SECRET'] points to the secret for the iOS client.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The URL I used above, I thought, gave me an access token. In reality, it returns to me an authorization code (which can then be used to get an access token).

    The solution, is to exchange the authorization code, for an access token, then I can pass the token around and use it.

    The difference between an authorization code and an access token is somewhat vague on the Google site, but you can read about how to exchange them here:
    https://developers.google.com/accounts/docs/OAuth2WebServer

    • 0