Google OAuth 2.0 failing with Error 400: invalid_request #284

Open
AbeEtan opened this issue Oct 23, 2023 · 19 comments

@AbeEtan

AbeEtan commented Oct 23, 2023

image

Hello lovely people!

I have done everything right, but I am getting this error. Any idea on how to fix this error?

Thank you!

@jackkamm
Collaborator

What do the error details say?

@grauschnabel
Contributor

Same here:

Fehler 400: invalid_request
The out-of-band (OOB) flow has been blocked in order to keep users secure. Follow the Out-of-Band (OOB) flow migration guide linked in the developer docs below to migrate your app to an alternative method.
Anfragedetails: redirect_uri=urn:ietf:wg:oauth:2.0:oob

The oauth2 library uses the out-of-band mechanism, which is no longer supported by Google.
Also, the other way, the loopback method, is no longer supported.

I tried to fix that but it seems that you need to use a google sdk for that now. Maybe someone knows more about that?
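
A diagnostic for the error details quoted above, as an added example that is not part of the original post or of org-caldav, oauth2.el or oauth2-auto: it extracts `redirect_uri` from an authorization URL and reports whether it is the OOB value named in the error. The `oob-check-` names and the sample URLs are constructed for illustration.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example; the oob-check-* names are hypothetical.
(require 'url-parse)
(require 'url-util)

(defconst oob-check-prefix "urn:ietf:wg:oauth:2.0:oob"
  "OOB redirect URI, as shown in the error details in this thread.")

(defun oob-check-redirect-uri (auth-url)
  "Return the decoded redirect_uri parameter of AUTH-URL, or nil."
  (let ((query (cdr (url-path-and-query (url-generic-parse-url auth-url)))))
    (when query
      (cadr (assoc "redirect_uri" (url-parse-query-string query))))))

(defun oob-check-classify (auth-url)
  "Classify AUTH-URL by redirect_uri: `oob', `loopback', `other' or `missing'."
  (let ((uri (oob-check-redirect-uri auth-url)))
    (cond
     ((null uri) 'missing)
     ;; A prefix match also catches suffixed variants of the OOB URI.
     ((string-prefix-p oob-check-prefix uri) 'oob)
     ;; Loopback redirects point at a listener on the local machine.
     ((member (url-host (url-generic-parse-url uri))
              '("127.0.0.1" "localhost" "[::1]" "::1"))
      'loopback)
     (t 'other))))

(defun oob-check-demo ()
  "Classify constructed sample URLs; the client IDs are placeholders."
  (mapcar
   (lambda (url) (cons (oob-check-classify url) url))
   '("https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE&response_type=code&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob"
     "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F"
     "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE&response_type=code")))
```

Passing the URL the browser was sent to into `oob-check-classify` shows whether the installed OAuth library is still requesting the blocked flow.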

@grauschnabel
Contributor

It seems that there is a fix: kidd/org-gcal.el#191. Basically, they switched from oauth2 to oauth2-auto.

@jackkamm
Collaborator

jackkamm commented Jan 2, 2024

Looks like @MartinNowak is working on getting oauth2-auto into MELPA; in this comment he says it is with org-caldav in mind:

telotortium/emacs-oauth2-auto#3 (comment)

@MartinNowak have you started working on modifying org-caldav to use oauth2-auto? I am not currently using org-caldav with Google, so any help is appreciated.

@jackkamm
Collaborator

jackkamm commented Jan 2, 2024

Link to duplicate version of this issue:
#249

@boogsbunny

boogsbunny commented Mar 31, 2024

The PR has been merged in and oauth2-auto is now in MELPA.

@grauschnabel
Contributor

Does this mean it should work again? In this case, is there more information about how to use it?

@AbeEtan
Author

AbeEtan commented Apr 6, 2024

> Does this mean it should work again? In this case, is there more information about how to use it?

Yes, it's working like a charm :)

Just follow the instructions.

Make sure you enable both Calendar and Caldav APIs. If you need more help don't hesitate to ask me.

@grauschnabel
Contributor

Oh, I think I know my issue. Could you just give a short hint how to switch from oauth2 to oauth2-auto?

@AbeEtan
Author

AbeEtan commented Apr 6, 2024

> Oh, I think I know my issue. Could you just give a short hint how to switch from oauth2 to oauth2-auto?

Definitely!

Please go here and follow the installation instructions. They should be the exact same whether you use org-gcal or org-caldav.

https://github.com/emacsmirror/org-gcal?tab=readme-ov-file#installation

Please do not hesitate to ask again if you have any concerns or questions.

Abe

@grauschnabel
Contributor

If I remove the oauth2 package, org-caldav says oauth2 is missing, but oauth2-auto is installed. If I install the oauth2 package again, I get the Error 400 again. To me it looks like org-caldav has to make changes to use oauth2-auto instead of oauth2. I can't figure out how you did it.

@grauschnabel
Contributor

After all, I could fetch my Google events with org-gcal, but I can't get it working with org-caldav. Can you help me with that?

@AbeEtan
Author

AbeEtan commented Apr 7, 2024

> After all, I could fetch my Google events with org-gcal, but I can't get it working with org-caldav. Can you help me with that?

Can you please share the config in your init file? Possibly share a screenshot of the error you are facing.

@boogsbunny

I'm not sure why @AbeEtan says it's fixed. It's not.

The oauth2-auto package has recently been added to MELPA, which uses the new oauth flow. However, it hasn't been integrated with this repository yet. We still need a PR for Google to work again.

@grauschnabel
Contributor

Thanks, @boogsbunny, that's exactly what I thought.

@AbeEtan
Author

AbeEtan commented Apr 7, 2024

I am able to sync with my Google calendar, and bidirectionally as well. No issues whatsoever.

@grauschnabel
Contributor

grauschnabel commented Apr 7, 2024

@AbeEtan Are you sure you are using org-caldav for that? Seems weird, because if you look at the code, you will see there is no code from oauth2-auto used; only oauth2 is implemented.

Or is there a way to authenticate with oauth2-auto and reuse it with oauth2? So maybe you can explain what exactly you are doing to get it working?

I also got it working with org-gcal, but the solution is not what I want; I would have to make all appointments new because of the id handling there.

@AbeEtan
Author

AbeEtan commented Apr 13, 2024

I apologize for the miscommunication. I am using oauth2 and not oauth2-auto.

That being said, oauth2 works but malfunctions constantly and I have to re-authenticate again. A similar issue is reported here: #152

When I re-authenticate, I get a warning message: Warning (org-roam): SQL constraint violation: "UNIQUE constraint failed: nodes.id", 19, nil, "constraint failed"

@durableOne

durableOne commented Nov 5, 2024

> I'm not sure why @AbeEtan says it's fixed. It's not.
>
> The oauth2-auto package has recently been added to MELPA, which uses the new oauth flow. However, it hasn't been integrated with this repository yet. We still need a PR for Google to work again.

I have a working solution but can't make a PR for it because my code is a mess and likely inefficient as it doesn't handle caching the credentials or anything like that. It's modeled after the org-gcal solution. I'm posting it here in case it can help others and (hopefully) speed along the "real" fix. The solution requires oauth2-auto and aio and copies some code related to the plstore from oauth2.el

```elisp
;; Libraries this workaround depends on.
(require 'oauth2)
(require 'oauth2-auto)
(require 'aio)
(require 'plstore)

(defun org-caldav-retrieve-oauth2-token (provider calendar-id)
  "Do OAuth2 authentication for PROVIDER with CALENDAR-ID."
  ;; Changed: Google is routed through oauth2-auto; other providers
  ;; keep the original oauth2.el path below.
  (if (eq provider 'google)
      (org-caldav-retrieve-oauth2-token-google calendar-id)
    (let ((cached-token
           (assoc
            (concat (symbol-name provider) "__" calendar-id)
            org-caldav-oauth2-tokens)))
      (if cached-token
          (cdr cached-token)
        (let* ((ids (assoc provider org-caldav-oauth2-providers))
               (token (oauth2-auth-and-store (nth 1 ids) (nth 2 ids) (nth 3 ids)
                                             org-caldav-oauth2-client-id
                                             org-caldav-oauth2-client-secret)))
          (when (null token)
            (user-error "OAuth2 authentication failed"))
          (setq org-caldav-oauth2-tokens
                (append org-caldav-oauth2-tokens
                        (list (cons (concat (symbol-name provider) "__" calendar-id)
                                    token))))
          token)))))

(defun org-caldav-retrieve-oauth2-token-google (calendar-id)
  "Return an oauth2 token for Google CALENDAR-ID, obtained through oauth2-auto."
  (let ((org-caldav
         `(org-caldav (authorize_url . "https://accounts.google.com/o/oauth2/v2/auth")
                      (token_url . "https://www.googleapis.com/oauth2/v4/token")
                      (scope . "https://www.googleapis.com/auth/calendar")
                      (client_id . ,org-caldav-oauth2-client-id)
                      (client_secret . ,org-caldav-oauth2-client-secret))))
    ;; Register the provider first, so that it is known to oauth2-auto
    ;; when `oauth2-auto-plist' runs below.
    (when (not (assoc 'org-caldav oauth2-auto-additional-providers-alist))
      (add-to-list
       'oauth2-auto-additional-providers-alist
       org-caldav))
    (let* ((oauth-pl (aio-wait-for
                      (oauth2-auto-plist calendar-id 'org-caldav)))
           ;; Reuse the plstore handling from oauth2.el so the result is a
           ;; regular oauth2 token that the rest of org-caldav accepts.
           (plstore (plstore-open oauth2-token-file))
           (id (oauth2-compute-id (cdr (assoc 'authorize_url org-caldav))
                                  (cdr (assoc 'token_url org-caldav))
                                  (cdr (assoc 'scope org-caldav))
                                  org-caldav-oauth2-client-id))
           (plist (cdr (plstore-get plstore id))))
      (make-oauth2-token
       :plstore plstore
       :plstore-id id
       :access-token (plist-get oauth-pl :access-token)
       :refresh-token (plist-get oauth-pl :refresh-token)
       :token-url  (cdr (assoc 'token_url org-caldav))
       :client-id org-caldav-oauth2-client-id
       :client-secret org-caldav-oauth2-client-secret
       :access-response (plist-get plist :access-response)))))
```
