Google oauth2 and 400 bad request: Bug on Google side?

Mark · May 13, 2015 · Viewed 7.9k times

We have Google OAuth2 working fine on our website. However, Chrome users often complain about a 400 Bad Request error, and we were able to reproduce it now. Based on the investigation, it indeed looks like a bug on Google's side:

  1. It only happens with users who were authenticated earlier and logged in with multiple accounts on GMail.
  2. It doesn't happen when the same user uses an incognito window.
  3. This problem is universal and not only with our website. At this moment, I am not able to log in using Google OAuth2 on any website, including StackOverflow. The StackOverflow site also gives the same 400 Bad Request error and I have to use incognito.
  4. No additional information is present along with the 400 Bad Request error.
  5. To further confirm, I just loaded https://accounts.google.com/o/oauth2/auth without any parameters and it also gave 400 Bad Request. However, if I load it in incognito, it gives Error: invalid_request. So there is indeed different behavior.
  6. So we suspected that the problem might be with the cookies sent along with the request, since an incognito window has no cookies. So we cleared all the cookies for the domain accounts.google.com and the problem was magically solved. This confirms that the Google side of the code is not able to handle their own cookies.

We really need to solve this. Please help. Do let me know if you need any information.

Answer

raisercostin · May 28, 2015

This might occur only for clients that have multiple Google accounts logged in, as described here: Google OAuth2 returns Bad Request when logged with multiple accounts.

It is not clear to me if it is a Google bug or a misuse of the API. Anyway, StackOverflow is affected as well.