
All of a sudden getting invalid_scope errors with Google #288

Closed
guidedways opened this issue Sep 13, 2018 · 5 comments

guidedways commented Sep 13, 2018

Describe the bug
We've been using the AppAuth library for accessing the user's email account (reading emails) for years. All of a sudden a few days ago it stopped. The same code now produces an invalid_scope error.

To Reproduce

OIDServiceConfiguration *config = [[OIDServiceConfiguration alloc] initWithAuthorizationEndpoint: [NSURL URLWithString: IN_APP_EMAIL_GMAIL_AUTHURL]
                                                            tokenEndpoint: [NSURL URLWithString: IN_APP_EMAIL_GMAIL_TOKENURL]];

[[OIDAuthorizationRequest alloc] initWithConfiguration: config
                                                         clientId: CLIENT_ID
                                                     clientSecret: CLIENT_SECRET
                                                           scopes: @[OIDScopeOpenID, OIDScopeProfile, OIDScopeEmail, @"https://mail.google.com/"]
                                                      redirectURL: [NSURL URLWithString: @"com.googleusercontent.appsSOMEAPPURL:/oauthredirect"]
                                                     responseType: OIDResponseTypeCode
                                             additionalParameters: @{@"login_hint": username}];

The user is correctly taken to the login screen, and the error only shows up when they tap 'accept' and the app returns to focus.

Here's the error we see:

Authorization error: invalid_scope: Some requested scopes were invalid. {invalid=[https://www.googleapis.com/auth/plus.me+https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/userinfo.email+https://mail.google.com]} - http://code.google.com/apis/accounts/docs/OAuth2.html

I'm not sure which scope in particular is invalid and what to do in order to fix it, as it was working fine for 4+ years.

This is happening across all iOS versions.


guidedways commented Sep 13, 2018

Okay, Google broke something. The following scopes work instead just fine:

scopes: @[@"https://mail.google.com/"]

Essentially removing OIDScopeOpenID, OIDScopeProfile, OIDScopeEmail worked. I'm not sure if this is an App-Auth related issue or something server-side. As I mentioned, this was working for 4 years+ when it suddenly stopped three or so days ago for dozens of users.


ProdCompDev commented Sep 14, 2018

We're experiencing the same error on attempting to authenticate to Google.

To Reproduce

NSArray<NSString *> *scopes = @[ kGTLRAuthScopeTasks, // Tasks API
                                 kGTLRAuthScopeGmailMailGoogleCom, // GMail API
                                 kGTLRAuthScopeCalendar, // Calendar API
                                 kGTLRAuthScopePeopleServiceContacts ]; // PeopleService API

OIDAuthorizationRequest *request = [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
                                                                                 clientId:kClientID
                                                                             clientSecret:kClientSecret
                                                                                   scopes:scopes
                                                                              redirectURL:localRedirectURI
                                                                             responseType:OIDResponseTypeCode
                                                                     additionalParameters:nil];

Like @guidedways above, after the user accepts the authorization request, we get the same authorization error:
"error_description" = "Some requested scopes were invalid. {invalid=[https://www.googleapis.com/auth/tasks+https://mail.google.com/+https://www.googleapis.com/auth/calendar+https://www.googleapis.com/auth/contacts]}"

These four scopes, broad as they are, were working without issue up until two days ago. Providing string literals of the scopes vs. the GTLR-defined scope definitions does not change the behavior for the better.

@WilliamDenniss WilliamDenniss added bug provider-bug Issues that are affected by bugs or spec non-compliance by an OAuth2 AS / OIDC IDP labels Sep 14, 2018
@Stroustrup-Lee

@ProdCompDev AppAuth just uses the scope string returned from Google to compose a new request in OIDTokenRequest.m. And the scope string returned from Google contains '+', but Google treats it as invalid. Confused!!!

@WilliamDenniss

This was an AppAuth bug, triggered by a change in Google OAuth behavior. Google started to return "scope" in the authorization response (which is spec-compliant), using "+" to encode space (also spec-compliant). AppAuth did not correctly decode the "+" as space, looped it back on the token request, triggering an invalid scope error (as the scope string was munged).

The change was rolled back server-side for iOS, so you should stop seeing this issue. We're fixing AppAuth, at which time you should consider updating.

Aside: application/x-www-form-urlencoded is a real pain; even its own spec doesn't like it 🤣

the application/x-www-form-urlencoded format is in many ways an aberrant monstrosity
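To make the decoding mistake described above concrete, here is an added example (not code from this thread or from AppAuth) that parses a constructed authorization-response redirect two ways: percent-decoding only, which leaves the "+" in place and yields the single munged scope seen in the error messages, and proper application/x-www-form-urlencoded decoding, which restores the space-separated list. The redirect URL, state and code values are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed redirect back to the app after the user taps "accept".
# The AS form-urlencodes the "scope" parameter, so the spaces between
# scopes arrive as "+" and the "/" and ":" inside them arrive percent-encoded.
REDIRECT = (
    "com.example.app:/oauthredirect?state=abc123&code=4%2Fxyz"
    "&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fmail.google.com%2F"
)


def naive_scope(redirect_url):
    """The bug: percent-decode only, so a literal '+' survives."""
    query = urlsplit(redirect_url).query
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "scope":
            return unquote(value)  # unquote() does NOT map '+' to ' '
    return ""


def form_decoded_scope(redirect_url):
    """Correct decoding: parse_qs applies x-www-form-urlencoded rules."""
    query = urlsplit(redirect_url).query
    return parse_qs(query)["scope"][0]  # '+' -> ' ', then percent-decode


def scope_list(scope_string):
    """Split a scope string the way an AS does: on spaces (RFC 6749 s3.3)."""
    return [s for s in scope_string.split(" ") if s]


if __name__ == "__main__":
    # Echoing naive_scope() back in the token request sends ONE unknown
    # scope containing '+' signs; form_decoded_scope() sends three valid ones.
    print("naive  :", scope_list(naive_scope(REDIRECT)))
    print("correct:", scope_list(form_decoded_scope(REDIRECT)))
```

The naive path reproduces the shape of the error above: one scope value with the individual scopes glued together by "+", which the token endpoint rightly rejects as invalid.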

@WilliamDenniss WilliamDenniss removed the provider-bug Issues that are affected by bugs or spec non-compliance by an OAuth2 AS / OIDC IDP label Sep 18, 2018
@WilliamDenniss WilliamDenniss changed the title All of a sudden getting invalid_scope errors All of a sudden getting invalid_scope errors with Google Sep 18, 2018
@WilliamDenniss

Fixed client side by #291.
