While I’d been meaning to play with Google’s applications – and integrating them with our own Affinity – for some time, the launch of the Marketplace pushed this experimentation up the priority list.
After spending a fair bit of time hacking on a Sunday, I’d managed to re-purpose our OAuth platform to play nicely with Google, including their need to have the scope variable passed as a part of the token request process.
Regardless, I’d gotten extremely frustrated with a persistent error. While it is now really obvious, I missed it and it cost me a few hours and a lot of frustration, so hopefully this blog post will help someone else trying to solve this in the future.
After correctly getting my token and secret for a specific user – and asking for quite a few scope options – I was still getting the error “Token invalid – AuthSub token has wrong scope” when I was trying to access a document list via OAuth.
While this error talks about AuthSub, I’ve now discovered it is really a generic error message, and applies to any case where the scope of access doesn’t match what you’re asking for, whether it is OAuth or AuthSub. This confusing error message had me off the scent for a while as I started to wonder whether OAuth was supported as widely as I had expected, whether there was a difference between paid and free accounts, and so on…
The problem in my case is that I’d requested a scope to http://docs.google.com/feeds/, but using the example code at Google’s Documents Developer Guide I was then going on to interrogate https://docs.google.com/feeds/.
To emphasise, GOOGLE THINKS THAT HTTP IS COMPLETELY DIFFERENT TO HTTPS IN ITS NON-STANDARD ‘SCOPE’ TRACKING EXTENSION TO OAUTH.
To make matters worse, even when you explicitly ask for https-based feed scopes, Google doesn’t show them to the user. It seems that in some cases Google thinks the http vs https distinction doesn’t matter, but when it does care about it, it doesn’t give you an error message that’s any use at all.
[Screenshot of Google’s access request page] Google can't make up its mind whether https and http are interchangeable in a scope: each of these scope requests was made with an https prefix.
Unfortunately, Google’s own access summary interface doesn’t clarify which versions of the domains are http and which ones are https.
So, in summary, if you’re getting a “Token Invalid – AuthSub token has wrong scope” error when you’re trying to use OAuth (or even AuthSub for that matter?), make sure the scope you’re requesting is using the same protocol as you’re using – http vs https makes a very big difference.
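To make the check concrete, here is an added example (my own code, not part of the original post or any Google library) that mimics the strict scheme + host + path-prefix scope matching described above, reports a scheme mismatch before a request is sent, and applies the fix the post and the comments converge on: rewriting the URL’s scheme to match the granted scope. The scope and feed URL values are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example values: the scope requested in the post, and a docs
# feed URL of the kind Google's sample code then fetched over https.
REQUESTED_SCOPES = ["http://docs.google.com/feeds/"]
FEED_URL = "https://docs.google.com/feeds/documents/private/full"


def scope_covers(scope: str, url: str) -> bool:
    """Strict match as the post describes it: scheme, host and path prefix
    must all agree, so http://... and https://... never cover each other."""
    s, u = urlsplit(scope), urlsplit(url)
    return s.scheme == u.scheme and s.netloc == u.netloc and u.path.startswith(s.path)


def diagnose(scopes, url: str) -> str:
    """Explain, before sending the request, why a URL is not covered by any
    granted scope. Returns "ok" when it is covered."""
    if any(scope_covers(s, url) for s in scopes):
        return "ok"
    u = urlsplit(url)
    for scope in scopes:
        s = urlsplit(scope)
        # Same host and path, different scheme: the exact trap from the post.
        if s.netloc == u.netloc and u.path.startswith(s.path) and s.scheme != u.scheme:
            return (f"scheme mismatch: scope is {s.scheme}://{s.netloc}{s.path}, "
                    f"request is {u.scheme}://{u.netloc}{u.path}")
    return "no granted scope matches this host and path"


def align_scheme(url: str, scope: str) -> str:
    """Rewrite only the scheme of url to that of the granted scope (dropping or
    adding the 's'), leaving host, path, query and fragment untouched."""
    s, u = urlsplit(scope), urlsplit(url)
    return urlunsplit((s.scheme, u.netloc, u.path, u.query, u.fragment))


if __name__ == "__main__":
    print(diagnose(REQUESTED_SCOPES, FEED_URL))
    fixed = align_scheme(FEED_URL, REQUESTED_SCOPES[0])
    print(fixed, "->", diagnose(REQUESTED_SCOPES, fixed))
```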
arf… I almost wanted to cry when i’ve found your post… big thanks.
With OAuth, for almost every provider, it always fails to work on those kinds of extremely subtle details.
No worries – glad it helped!!!
@Geoff McQueen
Really, thanks for your post. That helped a lot.
You have no idea how much I love you .. That was driving me CRAZY! Thank you thank you thank you !!
Aaron
Geoff – You rock! Extremely frustrating issue to deal with.
Thanks for the heads up. You saved me a ton of time. REALLY appreciate it.
haha, thanks man. /kiss
Thanks man!!
Another thingie I cannot fully grasp is that the URIs of some GData are different than the scope I asked for:
For example my contacts have this edit url:
http://www.google.com/m8/feeds/contacts/panosjee%40gmail.com/full/37db153890c4488
so when I try to fetch them I have the same problem you did. Once I remove my email from the URL and replace it with default, it all works again:
http://www.google.com/m8/feeds/contacts/default/full/37db153890c4488
I owe you a beer. You just saved me from tossing a computer out the window I’m sure…
This was so lame from google, thanks a lot!
After having spent about 3-4 hours, your post saved me from spending more. Don’t know how to thank you. (Seems like I’m not the only thankful one here, though =D)
Thanks for the hint. That’s one hour of my time I can’t get back. Thanks again man ^_^
I spent almost ALL day doing this… thanks a lot Geoff!
Thanks a bunch mate. Damn the Google API docs http://code.google.com/apis/calendar/data/1.0/developers_guide_python.html
Just dropped the s from the scope and it works.
Thanks a million, I still struggled with multiple scopes because while setting the FeedURI for docs I forgot to drop the s 🙂
It’s very incredible ! Thanks for the explanation.
After struggling with OAuth for quite some time I finally got a way to get the token. AND THEN there was this error.
You really saved my life!!
Thank you
Hey Geoff, great post. Like a lot of folks we’re glad we found your advice before spending hours scratching heads trying to diagnose this.
Thank you Geoff,
I had the same issue when retrieving a calendar EventEntry using the EventEntryID retrieved when the calendar EventEntry was first created.
Unfortunately, even though the EventEntry was created using an SSL connection, the returned EventEntryID had a ‘HTTP’ prefix. I simply replaced ‘HTTP’ with ‘HTTPS’ and it worked like a charm.
VB .Net snippet
' the stored evententryid is prefixed with http,
' but the authsub scope is https
' Google.GData.Client.GDataRequestException()
' 401 Token invalid - AuthSub token has wrong scope
' replace only the scheme prefix so nothing else in the ID is touched
strEventEntryID = strEventEntryID.Replace("http://", "https://")
Respectfully yours,
Alan
Thanks for this post, I was having the same problem and could not figure it out.
Just one more Thank you!
Thank you..!! That saved my day 🙂
Thank you!!!
Hi Geoff,
Thanks for the write up and it is very helpful.
I am still struggling with this error when I tried to use google calendar. I am setting the scope as below in omniauth initialize file:
:scope => ["https://www.google.com/calendar/feeds/", "https://docs.google.com/feeds/"]
I am able to access Google Docs, but when I try to access Calendar, I get the same token invalid error … Any other suggestions to troubleshoot the issue? Do I need to set the scope some other way for the Calendar API?
Thanks,
Tom
I know this is an old post, but I just wanted to say you helped me out of many hours of frustration. Thanks.
Thanks https is really slightly different from http. Solved my problem and saved my day. Applause and big ungay kiss.
Cheers Tony
Cheers Geoff! The entry still serves great purpose – your post saved another bunch of hours spent struggling with an error worth of one letter.
Here is my contribution to this very time consuming issue. It is possible that if you use an https Host header and add the port 443 to this value (Host: google.com:443), “Token invalid – AuthSub token has wrong scope” is the generated response. The OAuth2 implementation is very strict! But not for all feeds. I have the problem with spreadsheets. For further info see my post at the Google forum https://groups.google.com/forum/#!topic/oauth2-dev/-3DB0SC96lo
Hi, thanks for the reply. In the Marketplace I set the scope for spreadsheets like this:
https://spreadsheets.google.com/feeds/
This app creates a spreadsheet,
but I got
Token invalid – AuthSub token has wrong scope
Token invalid – AuthSub token has wrong scope
Error 401
How can I solve this exception? Please help me.
Hi, thanks for your solution, but mine is still not working.
I am using the Contacts API.
My site uses http.
So I changed
https://www.google.com/m8/feeds/contacts/default/full
to
http://www.google.com/m8/feeds/contacts/default/full
Still the same error. Need help =(
I was banging my head against the wall until I found your post!
Thanks!