"invalid_scope" when trying to get oauth2 access token

Question

I'm following the docs at https://developers.google.com/photos/library/guides/authentication-authorization, and believe the below code is quite close to correct ...

import requests

# from https://developers.google.com/identity/protocols/OAuth2ForDevices#step-1-request-device-and-user-codes
def get_token(client_id="661666866149-42r2bldb8karc5bv5vltj0suis2fm4up.apps.googleusercontent.com"):
    response = requests.post(
        'https://accounts.google.com/o/oauth2/device/code',
        data={
            'client_id': client_id,
            'scope': 'https://www.googleapis.com/auth/photoslibrary https://www.googleapis.com/auth/photoslibrary.readonly.appcreateddata https://www.googleapis.com/auth/photoslibrary.sharing'
        })
    print(response.text)
    return response

The above keeps failing with

{ "error": "invalid_scope" } <Response [400]>

However, if I change the scope value to just email, that works. I got the value above from google's docs, so I don't know what else to put there.

Answer 1

It looks like you are following the guide for OAuth 2.0 for TV and Limited-Input Device Applications to authorize OAuth user scopes on a TV or similar device.

As outlined on that page, this flow only supports a limited set of scopes. Unfortunately this does not currently include the Google Photos Library API scopes.

There's a feature request open on the issue tracker to add support for this OAuth flow here: https://issuetracker.google.com/113342106 (You can "star" the issue to be notified of any updates.)

(If your flow involves a mobile device and a server component, you might be able to accomplish something similar with Google sign-in by exchanging user credentials between your server and Google Services. You could prompt users to authorize the scope in your app and after exchanging tokens with your server, make API calls that way. You'd have to handle the link between the TV/limited-input device and your app yourself.)