POST Request To SendEmail Endpoint Causes Org.json.JSONException: JSONObject["oobCode"] Not Found. After Calling GitkitClient.getOobResponse(request);

I am trying to implement the "Trouble Signing In" link endpoint on my back end. I followed the steps enumerated here, and I am successfully getting a POST request via my Gitkit Widget JavaScript, but there seems to be some missing information in the request.

As soon as I call

OobResponse oobResponse = Utils.getGitkitClient().getOobResponse(request);

the following stack trace is thrown. I'll only include the first few lines for the sake of brevity. org.json.JSONException: JSONObject["oobCode"] not found.
    at myProject.myController.sendEmail(
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(

Just so you can rule this out as a possible cause of the issue, here are the contents of the utility method I use to get my GitkitClient instance:

public static GitkitClient getGitkitClient() throws FileNotFoundException {
    GitkitClient gitkitClient = GitkitClient
            .setKeyStream(new FileInputStream(Constants.SERVICE_ACCOUNT_PRIVATE_KEY_FILE_PATH))
    return gitkitClient;

Here is my sendEmail endpoint method signature (I'm using Spring Boot):

@RequestMapping(value = "/sendEmail", method = RequestMethod.POST)
public void sendEmail(HttpServletRequest request, HttpServletResponse response) {

And finally, here are the contents of the HttpServletRequest that is passed into my sendEmail method:

Request Method


Request Headers

Header name: host  
Header value:

Header name: connection  
Header value: keep-alive

Header name: content-length  
Header value: 1100

Header name: origin  
Header value:

Header name: user-agent  
Header value: Mozilla/5.0 (Linux; Android 5.0.2; HTC6500LVW Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/46.0.2490.76 Mobile Safari/537.36

Header name: content-type  
Header value: application/x-www-form-urlencoded;charset=UTF-8

Header name: accept  
Header value: */*

Header name: referer  
Header value:[email protected]

Header name: accept-encoding  
Header value: gzip, deflate

Header name: accept-languag
Header value: gzip, deflate

Header name: accept-language  
Header value: en-US

Header name: x-requested-with  

Request Parameters

Parameter name: action  
Parameter value: resetPassword

Parameter name: email  
Parameter value: [email protected]

Parameter name: challenge  
Parameter value:

Parameter name: response  
Parameter value: 03AHJ_Vuued2d7eKM-hD[... CONTENTS OMITTED ...]G1mzdsuc8

Notice that the request parameter "challenge" is the empty string, and that there is no mention of "oobCode," as the stack trace so aptly points out.

Am I missing something here? Do I need to take an extra step in my widget endpoing? Do I need to add something more to my HTML file that houses my JavaScript widget? Any help would be greatly appreciated!



After talking to someone working on identity toolkit in Google, I was told that there was a misconfiguration on their end in the Identity Toolkit project. After they made some changes I can now successfully call the aforementioned getOobResponse(HttpServletRequest req) method without getting a stack trace!