I am trying to implement the "Trouble Signing In" link endpoint on my back end. I followed the steps enumerated here, and I am successfully getting a POST request via my Gitkit Widget JavaScript, but there seems to be some missing information in the request.

As soon as I call

OobResponse oobResponse = Utils.getGitkitClient().getOobResponse(request);

the following stack trace is thrown. I'll only include the first few lines for the sake of brevity.

com.google.identitytoolkit.GitkitServerException: org.json.JSONException: JSONObject["oobCode"] not found.
    at com.google.identitytoolkit.GitkitClient.getOobResponse(GitkitClient.java:411)
    at com.google.identitytoolkit.GitkitClient.getOobResponse(GitkitClient.java:372)
    at myProject.myController.sendEmail(myController.java:86)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
...

Just so you can rule this out as a possible cause of the issue, here are the contents of the utility method I use to get my GitkitClient instance:

public static GitkitClient getGitkitClient() throws FileNotFoundException {
    GitkitClient gitkitClient = GitkitClient
            .newBuilder()
            .setGoogleClientId(Constants.CLIENT_ID)
            .setServiceAccountEmail(Constants.SERVICE_ACCOUNT_EMAIL)
            .setKeyStream(new FileInputStream(Constants.SERVICE_ACCOUNT_PRIVATE_KEY_FILE_PATH))
            .setWidgetUrl(Constants.WIDGET_URL)
            .setCookieName(Constants.COOKIE_NAME)
            .build();
    return gitkitClient;
}

Here is my sendEmail endpoint method signature (I'm using Spring Boot):

@RequestMapping(value = "/sendEmail", method = RequestMethod.POST)
@ResponseBody
public void sendEmail(HttpServletRequest request, HttpServletResponse response) {

And finally, here are the contents of the HttpServletRequest that is passed into my sendEmail method:

Request Method

POST

Request Headers

Header name: host  
Header value: example.com:8080

Header name: connection  
Header value: keep-alive

Header name: content-length  
Header value: 1100

Header name: origin  
Header value: http://example.com:8080

Header name: user-agent  
Header value: Mozilla/5.0 (Linux; Android 5.0.2; HTC6500LVW Build/LRX22G; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/46.0.2490.76 Mobile Safari/537.36

Header name: content-type  
Header value: application/x-www-form-urlencoded;charset=UTF-8

Header name: accept  
Header value: */*

Header name: referer  
Header value: http://example.com:8080/myProject/callback?mode=recoverPassword&[email protected]

Header name: accept-encoding  
Header value: gzip, deflate

Header name: accept-languag
Header value: gzip, deflate

Header name: accept-language  
Header value: en-US

Header name: x-requested-with  
Header value: [MY APP PACKAGE NAME OMITTED]

Request Parameters

Parameter name: action  
Parameter value: resetPassword

Parameter name: email  
Parameter value: [email protected]

Parameter name: challenge  
Parameter value:

Parameter name: response  
Parameter value: 03AHJ_Vuued2d7eKM-hD[... CONTENTS OMITTED ...]G1mzdsuc8

Notice that the request parameter "challenge" is the empty string, and that there is no mention of "oobCode," as the stack trace so aptly points out.

Am I missing something here? Do I need to take an extra step in my widget endpoing? Do I need to add something more to my HTML file that houses my JavaScript widget? Any help would be greatly appreciated!

After talking to someone working on identity toolkit in Google, I was told that there was a misconfiguration on their end in the Identity Toolkit project. After they made some changes I can now successfully call the aforementioned getOobResponse(HttpServletRequest req) method without getting a stack trace!