Since a couple of days ago, refresh tokens have been expiring automatically - oauth

We have a Google OAuth2 web client at the Google API Console.
With the help of the OAuth web client, we get a refresh token for each user (by using web authentication and the consent screen).
We store the received refresh token in the database, and the system uses this user-specific refresh token to create Google Calendar events automatically on behalf of the logged-in user (we have around 1000 users).
Problem: Since a couple of days ago the refresh token has been expiring automatically and we are getting the following error.
{
"error": "invalid_grant",
"error_description": "Token has been expired or revoked."
}
When the user re-registers, the system receives a new refresh token and everything starts working again; however, after some time (not sure, but in less than a day or two) they start getting the "Token has been expired or revoked" error again.
Is there any limit imposed on refresh tokens?
Is there any limit on getting refresh tokens using the same API client? (We have 1000 individual G Suite or Gmail users who have each registered for a refresh token using their personal Gmail or G Suite account.)
Is there any API change to get a long-lived refresh token?
Regards,
DP

Your Questions
Is there any limit imposed on refresh tokens?
You can authorize a user and get a refresh token, then authorize the same user again and get a second refresh token. The user now has two outstanding refresh tokens and both work. You can do this up to fifty times and have fifty outstanding refresh tokens for this user. Once you do it again, the first one will expire.
You can have fifty outstanding refresh tokens for a user, so if you are re-authorizing them, make sure that you are replacing the one stored in your database with the newest refresh token.
Is there any limit on getting refresh tokens using the same API client? (We have 1000 individual G Suite or Gmail users who have each registered for a refresh token using their personal Gmail or G Suite account.)
Your client can authorize as many users as you like. There is no limit to the number of users your system can have.
Is there any API change to get a long-lived refresh token?
Not that I am aware of.
The error message
There are a couple of things that could be happening here.
The first being that the user has the power to revoke your access through their Google account. It looks to me like this may be what is happening.
The second issue is the fact that it's October and Google daylight saving time is kicking in. Several years ago there was an issue with daylight saving time expiring tokens.
The third issue is that if your refresh token has not been used in the last six months, it will be expired by Google.
The fact of the matter is that refresh tokens are not perfect due to the above reasons. Your system should be designed to handle this: if the refresh token fails, then simply set it up to ask the user for access again.
{ "error": "invalid_grant", "error_description": "Token has been expired or revoked." }

Related

Can I store someone's YouTube access_token & refresh_token only to use it later after a week?

I have a web app which lets the user OAuth 2.0 to YouTube, and after exchanging the authorization code I can capture the access_token and refresh_token into my database.
Can these tokens be maliciously used later by me, say after 2 weeks, to delete the poor user's video using /yoube/v3/delete or some other operation like inserting badly formed captions?
And if this could be done, isn't this a security breach, because the poor user who has accidentally consented OAuth into my application has had his access_token, refresh_token and other info captured by my back-end?
So basically when someone consents OAuth to an application... the user is now at the mercy of the application... information could be stored or deleted or anything.
If yes, what can the poor user do to unlink, and how would the user even know that videos are getting deleted by someone else?
Access tokens are short-lived tokens which will work for one hour; after that time you will need to use the refresh token to request a new access token.
Your refresh token should not expire, except if it has not been used for six months.
If a user authenticates your application they get a new refresh token. If they authenticate your application again, they will get another refresh token. You can have up to 50 outstanding refresh tokens; all will continue to work until you go over that number, then the first one will expire.
The user can also revoke your access through their account at any time.
Don't bother storing the access token, just store the refresh token, and make sure that if your user authenticates your application again you replace the refresh token in your database with the new one.
If a user grants your application offline access, this will give you a refresh token. Yes, they are at the mercy of your application, which can do whatever you have been granted access to, whenever.
Note: it can take a while to go through the verification process with the YouTube API; start early.

Is this a bug or did YouTube remove access?

We have built an app that asks for access to the YouTube API. We are not authorized yet, but are using it with our own accounts. We have the following problem:
While some of our Gmail accounts grant us access, some others fail even though in their third-party security settings you can see that they have granted us access. It seems that they have removed us from their lists, even though they haven't, and we know that since these are our accounts.
Has anyone seen something like that?
Is getting our app authorized going to solve this?
Is there any other solution that you could offer?
Thanks for taking the time
my error message
status code: 400, response { data: { error: 'invalid_grant', error_description: 'Token has been expired or revoked.' } } }
Token has been expired or revoked.
Normally means that the refresh token you are using is no longer valid and you need to reauthenticate your user. The easiest way to test if I am right is to do just that: force a reauth on the user.
Causes for refresh token expiration.
Refresh tokens, while long-lived, can expire for several reasons.
The user goes into their Google account and revokes your application's access.
The refresh token hasn't been used in a while (normally 3-6 months); Google will automatically expire it.
You have reached the maximum number of outstanding refresh tokens for a user; the oldest one will be expired.
It can also be related to the time on your system being out of sync with NTP (note I haven't seen this error in years).
Let me try and explain number three a bit more. When a user authenticates your application you are given a refresh token. When the user authenticates your application again you are given another refresh token. Both tokens will work as expected. You can continue this until you have up to 50 outstanding refresh tokens; once you hit number 50, the first and oldest one will be expired. This is why it is important to always save new refresh tokens over the old one.

How do I request a new refresh token when the last one expired?

I have two accounts for DocuSign, live and demo. The demo one hasn't been used in a while; in fact the last time a refresh token was created was the 14th of November. I'm therefore assuming it has expired and is potentially stopping me from getting a new one.
When I make a request I get the invalid_grant error. The same code (with testing credentials) works fine with my live account, which requests a live token every couple of days or so. It also worked fine with the testing credentials until it wasn't used for a prolonged period.
I assumed I need to get hold of a new refresh token but without a valid previous token I'm not sure how to go about this.
The following applies to DocuSign's OAuth2 authentication service:
When you use the refresh token to get a new access token, you also get a new refresh token. But see the following:
If your original OAuth request only included the signature scope then the expiration date of the new refresh token will be the same as the original refresh token (30 days).
However, if you request both the signature and extended scopes, then your new refresh token will expire 30 days from the time that you refreshed it.
So the way you can continue to get a new access token without requiring the user to authenticate again is:
User authenticates with the signature and extended scopes. Your app exchanges the auth code for an access token (good for 8 hours) and a refresh token (good for 30 days).
Within the 30 day period, refresh the access token. This also gives you a new refresh token, good for a new 30 day period.
Rinse and repeat. As long as you get a new refresh token at least every 30 days, you can keep going forever.
Caveat: For InfoSec reasons, the end user, their admin, and/or DocuSign might invalidate all existing refresh tokens. This is an unusual corner case but can happen. Easiest way to test the corner case: remove the user's consent for the app.
You cannot refresh a Refresh Token if the Refresh Token has expired or otherwise been revoked. You must repeat the authentication flow to obtain a new Refresh Token.
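The 30-day rotation rule from the answer above, modelled as an added example (not DocuSign's code or API): a refresh call returns a new refresh token whose expiry is rolling when both the signature and extended scopes were granted, and inherited from the original grant when only signature was. The record shape, the `rotate` helper and the fixed refresh schedule are assumptions made for the illustration.

```python
from datetime import timedelta

REFRESH_LIFETIME = timedelta(days=30)  # DocuSign refresh token lifetime stated in the answer


class ReauthenticationRequired(Exception):
    """The refresh token is past its expiry; only a fresh auth-code flow can recover."""


def record_from_code_exchange(scopes, issued_at):
    """Bookkeeping for a brand-new grant (a constructed shape, not DocuSign's token response)."""
    return {
        "scopes": frozenset(scopes),
        "refresh_issued_at": issued_at,
        "refresh_expires_at": issued_at + REFRESH_LIFETIME,
    }


def next_refresh_expiry(record, refreshed_at):
    """Expiry of the refresh token handed back by a refresh call, per the two rules above."""
    if {"signature", "extended"} <= record["scopes"]:
        return refreshed_at + REFRESH_LIFETIME  # rolling window: 30 days from this refresh
    return record["refresh_expires_at"]         # signature only: inherits the original expiry


def rotate(record, now):
    """Model a refresh at `now`; the new refresh token replaces the old one in the record."""
    if now >= record["refresh_expires_at"]:
        raise ReauthenticationRequired("refresh token expired; repeat the auth-code flow")
    return {
        **record,
        "refresh_issued_at": now,
        "refresh_expires_at": next_refresh_expiry(record, now),
    }


def stays_authorized(scopes, start, refresh_every, horizon):
    """Walk a fixed refresh schedule and report whether the grant is still alive at `horizon`."""
    record = record_from_code_exchange(scopes, start)
    now = start
    while now + refresh_every <= horizon:
        now += refresh_every
        try:
            record = rotate(record, now)
        except ReauthenticationRequired:
            return False
    return horizon < record["refresh_expires_at"]
```

With both scopes a 20-day schedule runs indefinitely; with signature only the second refresh already lands past the original 30-day expiry and the user must authenticate again.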

Getting "invalid_grant" error when exchanging a refresh token for an access token

I've seen this issue in a lot of questions, but so far, none seem to apply to my situation.
The problem we are having is we are getting an "invalid_grant" error when we attempt to get an access token. This only happens to some accounts, but when it does happen, in every case I looked at, the refresh token worked before and has now stopped working. This is happening far too frequently for it to be customers revoking access (nearly 20% of the channels we manage seem to have been invalidated in the last couple of weeks).
As a note, we have a backend process that uploads the videos to our customer's YouTube channels.
We use OAuth2 to get a refresh token, here are the parameters we send...
scope = "https://www.googleapis.com/auth/youtube",
client_id = "",
response_type = "code",
access_type = "offline",
approval_prompt = "force",
redirect_uri = "http://www.us.com/OAuth/YouTube"
NOTE: for client_id we use the email address that is in the Google API manager (or was, I just looked and it is no longer there). We used to use the client ID from this page, but that caused us problems as well. Did this change? Should we be using the client ID from this page now?
We exchange the code that is returned for a refresh and access token and store the refresh token in our database.
The backend process exchanges the refresh token for an access token and this is where we seem to be getting the "invalid_grant" error.
Guaranteed only a single access token for the channel is in use at any time (25 limit doesn't apply). We don't store the access token, we get a fresh one every time we process a channel.
Any ideas what might be happening? Something to look for? See note above about client ID. This might have something to do with it, but I'm hesitant to try it since using the "Client ID" from the API manager caused problems before.
Guaranteed only a single access token for the channel is in use at any time (25 limit doesn't apply). We don't store the access token, we get a fresh one every time we process a channel.
This statement is incorrect: Access tokens can be used as many times as you need while they are still good (for an hour).
Answer:
"invalid_grant" basically means that your refresh token no longer works. The only solution to the problem is to request access again and get a new one. The question should be why is it expiring in the first place.
Assuming that the user did not revoke access, and that the refresh token has been used to request a new access token within the last six months, this is probably an issue with it being overwritten.
When a user authenticates your application you are given a refresh token. This refresh token is associated with the client id of your application and the user who has just authenticated. If said user then authenticates your application again, you will get another refresh token. Again, this refresh token is associated with the user and your project's client id. Both of these refresh tokens will work. Your user can keep doing this up to 25 times (note: I think they changed it recently to 50, but I haven't tested it with all APIs yet); once they have hit this magic number, the first refresh token will expire, and if you try to use it you will get an invalid grant.
The only solution is then to just request authentication again. It is important to always save the most recent refresh token that your user has granted your application. If (like me) you have an application that is stored on a number of servers all requiring authentication, you're going to have to tell them not to refresh it too many times, or they will have to go back and reauthenticate the first one that they expired.
If this is happening with ALL of your requests, you can also check that your server is in sync with NTP and that you are sending the payload of your request in the POST body, not attached to the authentication endpoint like an HTTP GET (been there, done that).
Here are the possible reasons why a token stops working and becomes invalid:
The user has revoked access.
The token has not been used for six months.
The user changed passwords and the token contains Gmail scopes.
The user account has exceeded a certain number of token requests.
As you can see, it's not recommended that you request a fresh one every time you process a channel. As also mentioned in Token expiration:
If you need to authorize multiple programs, machines, or devices, one workaround is to limit the number of clients that you authorize per user account to 15 or 20. If you are a Google Apps admin, you can create additional admin users and use them to authorize some of the clients.
With regards to the use of client_ID, it is usually needed to call the sign-in API as mentioned in Creating a Google API Console project and client ID.
And lastly, this Google Groups discussion - OAuth 2.0 400 - error:invalid_grant and ideas? might also help.
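The handling that the answers above (and the accepted answer to the original Calendar question) recommend, written as an added example rather than code from any of the posters: send the refresh grant in a POST body, replace the stored refresh token whenever a newer one arrives, and on invalid_grant discard the dead token and signal that the user must consent again instead of retrying. The token endpoint is Google's; the dictionary-backed store, the user ids and the injectable `post` hook are assumptions of the example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"  # Google's OAuth2 token endpoint


class ReauthorizationRequired(Exception):
    """The stored refresh token is dead; the user must go through the consent screen again."""


def http_post_form(url, form):
    """POST a URL-encoded body (parameters in the body, not the query string) and parse JSON."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def save_refresh_token(store, user_id, token_response):
    """Keep only the newest refresh token per user; older ones fall off the outstanding-token limit."""
    if token_response.get("refresh_token"):
        store[user_id] = token_response["refresh_token"]


def get_access_token(store, user_id, client_id, client_secret, post=http_post_form):
    """Exchange the stored refresh token for a one-hour access token.

    On invalid_grant the stored token is discarded so the caller prompts the user again
    instead of retrying a token that will never work.  `post` is injectable for testing.
    """
    refresh_token = store.get(user_id)
    if refresh_token is None:
        raise ReauthorizationRequired(user_id)
    status, body = post(TOKEN_ENDPOINT, {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    })
    if status == 200 and "access_token" in body:
        save_refresh_token(store, user_id, body)  # honour a rotated refresh token if one is returned
        return body["access_token"]
    if body.get("error") == "invalid_grant":
        store.pop(user_id, None)  # revoked, unused for six months, or pushed out by a newer grant
        raise ReauthorizationRequired(user_id)
    raise RuntimeError(f"token endpoint returned {status}: {body}")
```

Catching `ReauthorizationRequired` is the place to send the user back through the consent flow and then call `save_refresh_token` with the code-exchange response.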

How long does a Box-API refresh token last?

I'm writing an application which uploads files to the Box API for some clients, but I'm having a problem I don't understand (I've already opened a ticket for that, but maybe you'll have some answers): the refresh token is expiring in almost one hour and sometimes less.
I've no idea why this is happening and I thought the refresh token lasted one month, but I've installed the application on my client's machine, the client authorized it in his Box account, and after only half an hour he was prompted to authorize it again because the refresh token was "invalid".
What should I think?
I'm updating the refresh token every time I get a new access token, so there shouldn't be a problem with that. Should I do otherwise? Any idea?
There are two tokens:
the authentication token, which signs the HTTP request, is valid for 1 hour.
the refresh token, which is used to get a new authentication token, is valid for 60 days or until it is used.
