I'm having issues with Google OAuth2 in iOS; I'm getting an "invalid_grant" error. I am doing the following steps:
I created the project and credential (iOS app) in the Google Console;
I request the CODE;
I request the access token (working well);
10 minutes before the expiry of the access token, I request a refresh token.
The problem is intermittent. Sometimes the refresh request (refresh_token) returns "invalid_grant", and so the access_token becomes invalid and my application just stops.
Forcing the user to log in again to generate a new access_token and refresh_token does not work. I have to revoke the permissions of the account and try again.
What I need is access to Gmail IMAP and SMTP. If I check the access_token (https://www.googleapis.com/oauth2/v1/tokeninfo), it is active and valid, but IMAP and SMTP deny access.
I'm actually thinking of going back to username and password login. The service is very unstable, since it does not always react the same way. I'm sure I'm not exceeding any limits, and the message "invalid_grant" would at least not be appropriate.
Please, any employee of Google, HELP ME!
Thank you.
I was facing this problem as well. I wasn't doing anything with IMAP, but I was getting an invalid_grant pretty frequently when trying to handle auth. Eventually I got things working using the following settings:
authentication.refreshToken = savedRefreshToken;
authentication.accessToken = savedAccessToken;
authentication.additionalTokenRequestParameters = @{@"access_type": @"offline"};
I think it was mainly that last one that did the trick. I found it somewhere in the Google documentation, but I didn't save where. Their docs are pretty messy.
I'm using the google-api-client gem in my Rails project. I have omniauth and devise working, and I have users authenticate through Google.
I thought I had this going very well until recently. I've noticed my app will throw an error when it fetches the Google Calendar API after one hour. The expiration is one hour from authentication time, and from then on I get this error:
Signet::AuthorizationError (Authorization failed. Server message:
{
"error" : "invalid_grant",
"error_description" : "Token has been revoked."
}):
This is separate from invalid refresh tokens, as I do have the refresh token stored in the database. It is sending the refresh token request, which spurs that error above, with this code:
require 'google/api_client'

client = Google::APIClient.new(
  :application_name    => APP_NAME,
  :application_version => APP_VERSION,
)
client.authorization.client_id     = CLIENT_ID
client.authorization.client_secret = CLIENT_SECRET
# The refresh token stored for this user at sign-in time
client.authorization.refresh_token = user.auth_refresh_token
# Exchanges the refresh token for a new access token; this is the call that raises Signet::AuthorizationError
token_result = client.authorization.fetch_access_token!
I have been very careful not to sign in and out of my Google accounts, so I cannot figure out why Google would send back this message. If I refresh the page after 55 minutes, all is okay. If I refresh the page after 1 hour, it complains about the access token being revoked.
Has anyone had this issue before? If so, what did you do to fix it? Was it something you had to change in Google's Developer Console?
I ended up figuring out the issue, so I thought I'd share what fixed it.
In config/initializers/devise.rb, I have:
scope: 'userinfo.profile, userinfo.email, calendar, https://www.googleapis.com/auth/gmail.readonly', prompt: 'select_account consent' }
What did it for me was the prompt: 'select_account consent' part. Asking the user for consent at each login seems to keep the refresh token up to date. When the user logs in via Google I check if there was a refresh token in the response, and if there was I save that to the database. If not, I keep their current refresh token in the database.
In all honesty, I really don't get why it was necessary for me to do this, when for other users who've shared their code examples it was fine. Perhaps there was a change in Google's OAuth2, or maybe there's a discrepancy in my method of handling the authorization.
I use this script:
https://developers.google.com/youtube/v3/code_samples/php#resumable_uploads
to upload videos to YouTube. Everything works fine, but the next day I get this error:
An client error occurred: The OAuth 2.0 access token has expired, and a refresh token is not available. Refresh tokens are not returned for responses that were auto-approved.
I looked at some tips on how to fix this but I did not succeed. I am new to programming. Please help me fix this error.
You need to set the access type to offline which allows you to refresh the access token so you can authenticate the app without the user having to give authorization again.
Check the docs.
I can't test this now, but try the following. This isn't ideal though, you should be persisting the token somewhere.
// After "$client->setRedirectUri($redirect);" add:
$client->setAccessType('offline');
// After "$client->setAccessToken($_SESSION['token']);" add:
if ($client->isAccessTokenExpired()) {
$currentTokenData = json_decode($_SESSION['token']);
if (isset($currentTokenData->refresh_token)) {
$client->refreshToken($currentTokenData->refresh_token);
}
}
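The three answers above make the same point from different languages: ask for access_type=offline (and force the consent prompt) so that a refresh token is issued, keep the stored refresh token when a later response omits one, and treat invalid_grant on refresh as "send the user back through authorization" rather than something to retry. The following Ruby is an added example written for this page, not code from any of the posters or from Google's libraries. The client ID, secret, redirect URI and the token endpoint URL are assumed placeholders, the HTTP call is injected so the flow runs offline, and the fake token endpoint at the end is constructed to imitate Google's 200 / invalid_grant answers.

```ruby
require "json"
require "uri"

# Assumed placeholder values; substitute your own project's.
CLIENT_ID      = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET  = "example-client-secret"
REDIRECT_URI   = "https://example.com/oauth2callback"
AUTH_ENDPOINT  = "https://accounts.google.com/o/oauth2/auth"   # from the thread
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"  # assumed

# Build the authorization URL. access_type=offline asks for a refresh token;
# prompt=consent forces the consent screen so a refresh token is issued even
# when the user already approved the app once (normally only the first
# approval returns one).
def authorization_url(scopes, state:)
  params = {
    "client_id"     => CLIENT_ID,
    "redirect_uri"  => REDIRECT_URI,
    "response_type" => "code",
    "scope"         => scopes.join(" "),
    "access_type"   => "offline",
    "prompt"        => "consent",
    "state"         => state,
  }
  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(params)}"
end

# Merge a token response into the stored credentials. A re-authorization or a
# refresh response may omit refresh_token; keep the stored one in that case
# instead of overwriting it with nil.
def merge_tokens(stored, response)
  merged = (stored || {}).dup
  merged["access_token"]  = response["access_token"]
  merged["expires_at"]    = Time.now.to_i + response.fetch("expires_in", 3600).to_i
  merged["refresh_token"] = response["refresh_token"] if response["refresh_token"]
  merged
end

# Refresh the access token. `post` is a callable (url, form_hash) -> [status, body]
# so the logic can be exercised offline; in production wrap Net::HTTP.post_form.
# Returns [:ok, tokens], [:reauthorize, error] on invalid_grant, or [:error, error].
def refresh_access_token(stored, post:)
  raise ArgumentError, "no refresh_token stored; user must authorize again" unless stored["refresh_token"]
  status, body = post.call(TOKEN_ENDPOINT, {
    "client_id"     => CLIENT_ID,
    "client_secret" => CLIENT_SECRET,
    "refresh_token" => stored["refresh_token"],
    "grant_type"    => "refresh_token",
  })
  data = JSON.parse(body)
  if status == 200
    [:ok, merge_tokens(stored, data)]
  elsif data["error"] == "invalid_grant"
    # The refresh token is dead (revoked, expired or superseded). Retrying will
    # not help; the only recovery is a new trip through authorization_url.
    [:reauthorize, data]
  else
    [:error, data]
  end
end

# Constructed fake token endpoint: accepts one refresh token and rejects every
# other one the way Google does.
def fake_google_token_endpoint(valid_refresh_token)
  lambda do |_url, form|
    if form["grant_type"] == "refresh_token" && form["refresh_token"] == valid_refresh_token
      [200, JSON.generate("access_token" => "ya29.new", "expires_in" => 3600, "token_type" => "Bearer")]
    else
      [400, JSON.generate("error" => "invalid_grant", "error_description" => "Token has been revoked.")]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts authorization_url(["https://mail.google.com/"], state: "xyz")
  stored = merge_tokens(nil, "access_token" => "ya29.old", "expires_in" => 3600, "refresh_token" => "1/good")
  p refresh_access_token(stored, post: fake_google_token_endpoint("1/good"))
  p refresh_access_token(stored, post: fake_google_token_endpoint("1/other"))
end
```

The `state` parameter is included because the callback should verify it against the session before exchanging the code; the thread does not discuss it, but an authorization flow without it is open to login CSRF.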
Working on my Google Glassware, and everything seemed to be going fine. I tried loading it up the other day after a while of not working on it and got an OAuth error. I tried refreshing the key and even starting a new project. The error I got has at least changed; I am now getting:
An error occurred: Error refreshing the OAuth2 token, message: '{ "error" : "unauthorized_client" }'
The code is pretty much completely based on the PHP Quick Start. This happens when I try to authorize the app with my account. I know my information is correct in the config.php file. Any suggestions?
I think in this case it is possible that the authorization server has not allowed access to the authorization grant type.
{error: 'unauthorized_client'} may be related to the authorization server's settings for which grant_types it has allowed.
Reference: http://tools.ietf.org/id/draft-ietf-oauth-v2-12.html#token-errors
As of yesterday, my application is able to authenticate with Google (YouTube) via OAuth 2.0 the first time with no problem, but the 2nd time (re-authentication, same app + same user), when I exchange the request token for an access token, I get an error:
error : invalid_grant
I'm using:
grant_type = authorization_code
as they suggest. What used to happen, before 2 days ago, was that on re-authentication the web page would say 'you've already authenticated with this application before, would you like to grant it access again?'. What has changed, or what could I be doing wrong?
I found a way to fix this (at least for us). When redirecting to the accounts.google.com/o/oauth2/auth URL, we had to add both approval_prompt=force and access_type=offline. If one was missing, we got no refresh token.
This url documents all of the parameters, but says nothing about the refresh token: http://code.google.com/apis/accounts/docs/OAuth2WebServer.html
I think I may have found the answer here:
https://groups.google.com/forum/#!searchin/oauth2-dev/invalid_grant/oauth2-dev/eaOa6THER0k/z4eO-taUFxgJ
The problem was that the "code" parameter you need to send needs to be URL-encoded. It works when you set approval_prompt to force because the returned code contains URL-safe characters. However, this is not the case for the code returned on a second authorization request.
For me this fixed it, I hope it does for you as well.
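The encoding point in the answer above is easy to get wrong by hand-building the token request body, so here is an added Ruby example (mine, not from the poster) contrasting the broken and the correct way to form-encode the code exchange. The client settings are assumed placeholders, and the sample code "4/abc+def/gh" is constructed: Google's codes carry a "4/" prefix, and on a repeat authorization they can contain "/" and "+", which raw interpolation sends unescaped ("+" then decodes as a space on the server side).

```ruby
require "uri"

# Assumed placeholder client settings.
CLIENT_ID     = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI  = "https://example.com/oauth2callback"

# Correct: URI.encode_www_form percent-encodes every value, so a code such as
# "4/abc+def/gh" travels as "4%2Fabc%2Bdef%2Fgh" and is decoded unchanged.
def token_exchange_body(code)
  URI.encode_www_form(
    "code"          => code,
    "client_id"     => CLIENT_ID,
    "client_secret" => CLIENT_SECRET,
    "redirect_uri"  => REDIRECT_URI,
    "grant_type"    => "authorization_code"
  )
end

# Broken 'before' pattern kept for contrast: raw interpolation. Works only while
# the code happens to contain nothing but URL-safe characters; a "+" arrives
# as a space, the code no longer matches, and the server answers invalid_grant.
def naive_token_exchange_body(code)
  "code=#{code}&client_id=#{CLIENT_ID}&client_secret=#{CLIENT_SECRET}" \
    "&redirect_uri=#{REDIRECT_URI}&grant_type=authorization_code"
end

# What the token endpoint sees for "code" after form-decoding the body.
def code_as_received(body)
  URI.decode_www_form(body).to_h["code"]
end

if __FILE__ == $PROGRAM_NAME
  code = "4/abc+def/gh" # constructed sample; real codes are longer
  puts token_exchange_body(code)
  puts "correct path receives: #{code_as_received(token_exchange_body(code))}"
  puts "naive path receives:   #{code_as_received(naive_token_exchange_body(code))}"
end
```

Passing the parameters as a hash to Net::HTTP.post_form (or to any client that encodes for you) gives the same result as token_exchange_body; the failure mode only appears when the body is assembled by string concatenation.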
I am using the (OpenID+OAuth) hybrid protocol.
After I redirect the user to "https://www.google.com/accounts/o8/ud" with all OpenID and OAuth extension parameters, the user is able to see the login screen and the services I need to access. On successful login I receive a response like the following:
http://muUrl.com/...&openid.ns.ext2=http://specs.openid.net/extensions/oauth/1.0&openid.ext2.scope=http://docs.google.com/feeds/&openid.ext2.request_token=4/8GCHDIvtxhbg8gVkfYro7QIFakoB
I understand the user is properly logged in and the text in bold (the request_token) is the authorized token. Then I make the call to obtain the access token with all parameters except oauth_verifier, as that is not available in hybrid mode. I sign the base string using HMAC-SHA1 with the key "consumersecret&" (the token secret is not yet available).
I get 400 Bad Request with "signature invalid". Any help or suggestion is highly appreciated to resolve this issue.
Please see Bob's comments and mine.
% escaping can be an issue if you are facing the same problem as mine. oauth_verifier is indeed not required in hybrid mode.
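Since the resolution above is "percent escaping", here is an added Ruby example (mine, not the poster's code) of the OAuth 1.0a HMAC-SHA1 signing step for the hybrid case: no oauth_verifier, and a key of consumer secret plus "&" with an empty token secret, exactly as the question describes. The escaping is RFC 5849 section 3.6 style (only A-Z a-z 0-9 - . _ ~ left bare, everything else %XX in upper case), which differs from Ruby's URI.encode_www_form_component (space as "+", "*" left bare) and from "%2f" style lower-case escapes; either mismatch produces a base string the server cannot reproduce. The access-token URL and the consumer key, secret, token, nonce and timestamp used at the bottom are assumed placeholders.

```ruby
require "openssl"

# RFC 5849 §3.6 percent-encoding. Each non-unreserved byte becomes %XX with
# upper-case hex; a request token like "4/8GC..." therefore becomes "4%2F8GC...".
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Signature base string: METHOD & escape(URL) & escape(normalized params), where
# the normalized params are escaped key=value pairs, sorted, joined with "&".
# Note the double escaping: "=" and "&" inside the param string end up as
# %3D and %26, and an already-escaped "%2F" becomes %252F.
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join("&")
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join("&")
end

# HMAC-SHA1 over the base string. The key is escape(consumer_secret) & escape(token_secret);
# before an access token exists the token secret is empty, so the key ends in "&".
def hmac_sha1_signature(base_string, consumer_secret, token_secret = "")
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest("SHA1", key, base_string)].pack("m0") # strict base64
end

# Sign the access-token request for the hybrid flow: the request_token from the
# OpenID response goes in oauth_token, and there is no oauth_verifier.
def sign_access_token_request(url, consumer_key, consumer_secret, request_token, nonce:, timestamp:)
  params = {
    "oauth_consumer_key"     => consumer_key,
    "oauth_token"            => request_token,
    "oauth_signature_method" => "HMAC-SHA1",
    "oauth_timestamp"        => timestamp.to_s,
    "oauth_nonce"            => nonce,
    "oauth_version"          => "1.0",
  }
  base = signature_base_string("GET", url, params)
  sig  = hmac_sha1_signature(base, consumer_secret, "")
  { base_string: base, signature: sig, params: params.merge("oauth_signature" => sig) }
end

if __FILE__ == $PROGRAM_NAME
  # Assumed placeholder inputs.
  r = sign_access_token_request("https://www.google.com/accounts/OAuthGetAccessToken",
                                "ck", "cs", "4/tok", nonce: "n1", timestamp: 1300000000)
  puts r[:base_string]
  puts r[:signature]
end
```

When a server rejects the signature, printing the base string and comparing it character by character against what the server documents is usually faster than staring at the HMAC: nearly every "signature invalid" comes from an escaping or ordering difference in that string, not from the MAC itself.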