While working with Google Apps Script and trying to authorize the app, one of the headers I was getting back from /authorize-app included error=invalid_scope. The redirect page was claiming that the state token was invalid or expired.
After investigating the error, I found an issue on the Google Samples GitHub repo for OAuth v1, where it turned out the user's server was truncating the callback URL. Since the callback URL for a GAS has to be https://script.google.com/macros/d/{Script_ID}/usercallback (and the script ID is nearly 60 characters long), a too-long URL seems like a reasonable possibility. I swapped my redirect URL for a goo.gl URL pointing to the same place, and voilà, the error=invalid_scope portion of the header was gone.
Obviously, I'm still far from completing my project, but I figured I would bring this issue up, in case it's something fixable on knighty's end, or in case anyone else runs into the same problem.
To wrap up our chat discussion, I believe this is an issue with Google Apps specifically. We have no limit on redirect URIs, and the fact that it seems to be a problem with the OAuth 1 path points to it being their end.