I am using Google Cloud Vision API on my Raspberry PI. It works fine when I use it on my home (on which the cloud account was first accessed) network but if I access the API from a different network it raises a token refresh error. I have synchronized the time using NTP but is of no help.
Detailed error:
oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems.
invalid_grant: Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe.
This is caused by poor synchronisation of the computer's clock where the code was executed that had a lag of 5 minutes or more. The error means that the token is not valid and its not valid because the time on the PI is different then the actual time. I know that you say you are checking NTP but I suggest you check timezone as well.
I know this is a PI so debugging is probably limited but try outputting your id token and decryption its a jwt you should be able to see the iat and exp values. It might help you figure out what time it thinks it is.
Related
I've been working to setup Oauth communication for an auto-emailing node.js web app using nodemailer. (I don't wish to use gmail's Less Secure Apps setting).
I've taken steps to get the client id, secret, and refresh token from the oauth playground, and have set up the web app to use a stored refresh token to request new access tokens when it first loads.
It is able to send emails (for about 7 days), then I get error invalid status code 400 on client side, and/or invalid grant on server side.
Going back to google playground and getting another refresh token, then updating it in environment variables, solves this for another week. But I'd like to solve this indefinitely.
I read somewhere "A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of 'Testing' is issued a refresh token expiring in 7 days"... so last week I switched the app to "In Production" (at console.cloud.google.com) and tried having it verified with google. This week, the same issue has recurred suggesting that wasn't the right fix, or that it wasn't yet verified with google.
I don't know if this was done correctly, nor do I know if this is the true solution to this expiring/revoked refresh token, or invalid grant.
I've also come across these explanations:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
The client has reached a limit of 50 refresh tokens per account if it's not a service account.
(I didn't make ANY changes during the week, so...not sure why these would have changed)
Is the issue the refresh token?
Or the status of the application?
Would it be dns/cname/cloudflare server issues?
For those who have the same issue in the future:
It turned out that google verification wasn't necessary.
It seems like the refresh token expiring after a week or 7 days was due to the placement of the oauth2Client.setCredentials() function call and accessToken variable.
Calling setCredentials() and obtaining the access token INSIDE the SendEmail() function (at runtime, just before sending email, rather than at application start/spinup time) seemed like it enabled the code to more dynamically generate the tokens it needed. After 12 days, it still seems like its working so I'd call this a success.
My guess at why it wasn't working before was because setting credentials outside of a function meant that code only ran once on server/application startup. It would then store the obtained access token in a const.
The access token would eventually expire, and even if called again/later inside of a function to obtain a new access token, it would be unable to change the value of a const property/variable, and so the call would inevitably fail after a week when it failed to renew.
Hope this helps anyone else having a similar issue.
My apologies for the run-on sentences.
There are a lot of causes for invalid grant it sounds to me like your refresh token is expiring.
If your project on google developer console is still in testing, has not been moved to published and has not gone though the google application verification process then refresh tokens have a max two week life span after which they will expire which may explain your invalid grant. The thing is there is no official word from google that this is happening its just what a lot of developers are seeing these days.
Another one is with gmail scopes if the user changes their password this will also cause the refresh token to expire.
I’m implementing APNS Token based authentication using pushy Java library right now but there is one unclear part in Apple’s and Pushy’s documentions.
I will have several severs sending push notifications with pushy using Token based authentication.
What’s troubling me is the part in Apple documentation stating:
For security, APNs requires you to refresh your token regularly. Refresh your token no more than once every 20 minutes and no less than once every 60 minutes. APNs rejects any request whose token contains a timestamp that is more than one hour old. Similarly, APNs reports an error if you recreate your tokens more than once every 20 minutes.
So the part that I’m afraid is the “no more than once every 20 minutes”. If I have let’s say 4 severs and each generate a token every 50 minutes using the same signing key, will I be constantly in this limit? Unless this limit applies to each TLS connection maybe.
Do I have to build a way to share tokens across servers, if so can Pushy be configured with a token directly? or should I use a different signing key for each server?
I have an issue to configuring Redhat Single SigOn (RHSSO) or Keycloak token expiration in seconds, about 30 seconds.
I just found the configuration in minutes. There is a way to adjust it to seconds?
From the Keycloak Admin Console it is not possible; Keycloak allows to specify the access token expiration time in Minutes, Hours or Days, but not in seconds:
Albeit, when one requests a token, the expiration time is display in seconds, namely:
{"access_token":"...","expires_in":60,"...}
The least amount of time that you can set via Admin Console is 1 minute. To be honest, I fail to see what would be the great benefit of having 30 seconds instead of 1 minute.
In the Admin Console, if one tries to specify 0.1 (or 0,1) minutes an error is displayed
Now that being said, it seems that you can use the Rest Full API to get around that restriction. First, request a token on behalf of the admin, extract its access token (let us called $ACCESS_TOKEN). And then call the following endpoint:
PUT <KEYCLOAK_HOST>/auth/admin/realms/<REALM_NAME>
with the following data
'{"accessTokenLifespan":30}'
Now if you request a token for a client on the Realm REALM_NAME you will get the following:
{"access_token":"...","expires_in":30,"...}
30 seconds as expiration time for the access token.
Now, I have not tested this, so it is up to you to find out if everything still works as it should.
I recently switched to the Google+ Sign in OAuth2 hybrid approach.
When the request code is exchanged for the access token, the expiry time and created time is sent back along with the access token in seconds.
I need to know the sent timezone is. I need this to make comparison with my server's time and be able to deduce if access token has actually expired.
What's the timezone or how do I determine it?
The token bundle sent back does not include an actual expiration time, but it does contain the number of seconds for the expected life of the token. If a time is being attached to it, it is being attached by the local library.
That said - you can't necessarily trust this number. There are a number of reasons why the token may have been revoked or is treated as no longer valid. So while you can use it as an estimate of when you'll need to get a new one - you should also handle the case where you use a token and you get an authentication error, forcing you to refresh the token and try again.
My bad.
I just went through the Google PHP APi client library. Only to realize the created field was set within the library (on my server) in Google_Auth_OAuth2's authenticate method.
So it is safe to use $client->isAccessTokenExpired() instead to try to do one's computation. Works with local time (I guess :))
Thank you.
One month ago I developed a windows service which calls some Google anaytics APIs and the code is scheduled to execute each 15 minutes. It has worked properly till 5 days ago when I checked the event viewer I saw that the service raised unauthorized access (401) exception in each connection to Google API. When I restarted the service it again started working properly.
What could be the reason?
Regards
Most likely, you're obtaining an authentication token on startup and using that for all subsequent requests. Authentication tokens do expire eventually; when you get a 401, you should re-authenticate and get a new token.
This answer assumes you are using one of the authentication mechanisms such as AuthSub which require you to "sign" requests. Embedded in this signature is a timestamp. If you computer does not have the correct time it will fail.
With this said, could it be a Daylight Savings issue? Does the computer you are running it on have the "Windows Patch" to address the changes when daylight savings takes place (more info).
I had a problem like this too just this past weekend. I think modifying the "Automatically adjust clock for Daylight Saving Time" setting fixed it.
Maybe when you restarted the Service "corrected" itself for the time.