i have a very weird problem. I'm using the Google authentication API since moree than one month now and all working perfect. But now out of the sudden, my users can't get refresh token anymore. My app is on testing state, so i thought the refreesh token my testing user was having is expired after 7 days, but then i tried to get another refresh token by doing thee authorization from the beginning to receive a code that i use to get a refresh tokn. But no chance i'm only receiving this response back: Status code 400 { "error": "invalid_grant", "error_description": "Bad Request" }
Thank you very much for your help!
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
To stop your refresh tokens from expiring set it to production.
Why cant you refresh after seven days
What i am writing here is my opinion only from experience. There is no documented proof of any of this from googles side.
After seven days your refresh token will expire, but the question is how is google expiring these refresh tokens. From what i can see they are not using the normal method of expiring the refresh token. They are in fact revoking the users granted access on the google account. So the all of the refresh tokens granted will stop working at once.
So why are you having issues with the client library. Normally the way the client libraries were originally designed. if the refresh token expired it would prompt the user to authorize the app again. This does not happen with the seven day revoke method. IMO because the error message is different, and the libraries have not been updated to take this into account, and prompt for access again. The only way to fix it is to delete the old stored refresh token and request a new one.
So your not able to receive new refresh tokens because your code is stuck with the old one. Make sure to hard delete any old refresh tokens you have stored. They wont work and the library doesnt understand how to delete them on its own.
Related
I am setting up my Google Oauth 2.0 client credentials but it is getting expired in 2-3 weeks. Can anyone tell from we can set expiration date of credentials in google developer console portal.
Credentials are for desktop app.
I have tried exploring all the details in google console but can not find option of setting up expiration date.
The primary thing with Oauth that makes it secure is the fact that tokens expire.
An access token for example will expire after an hour so if anyone gets it they can only cause damage for a limited amount of time.
Refresh tokens can be used to request a new access token when the access token expires.
Refresh tokens can expire for a number of reasons
Your app is in the testing phase and there for the refresh token will expire after an hour.
your using a gmail scope and the user changes their password.
The user authorizes your application once you get a refresh token, they authorize it again and you get a second refresh token. This can continue with up to 50 outstanding refresh tokens after that the first one will expire. Always remember to store the latest refresh token.
There is no way to extend the life of any of the tokens this is configured by google in their authorization server.
There is a process to obtain a refresh token via OAuth authentication for Google API, and then obtain an access token from the refresh token to validate the receipt.
The other day the refresh token suddenly expired and the receipt validation failed. Our service stopped processing billing.
Below is the error when it failed.
{
"error": "invalid_grant",
"error_description": "Token has been expired or revoked."
}
I thought refresh tokens reset their expiration date each time they are used, so why did they expire?
I don't think the following rules apply.
You must write your code to anticipate the possibility that a granted refresh token might no longer work. these reasons:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
The user belongs to a Google Cloud Platform organization that has session control policies in effect.
(https://developers.google.com/identity/protocols/oauth2)
I want to use the refresh token forever.
Thank you in advance.
Refresh tokens do not expire by design there are a few things that can cause them to expire as you have listed. However there is one you have not listed.
If you check the docs for Experation you will find it also says.
If your app is in testing set it to production and your refresh token will stop expiring.
So as long as your app is in production, the user does not revoke your access, and they have less then 50 outstanding refresh tokens for that user, and you have used it at least once in the last six months. (gmail scope the user does not change their password). The refresh token should not be expiring.
That being said your system should be designed to handle a refresh token expiring and request access of the user again. or notifying the admin if this is a backend system.
Thank you for this interesting conversation. It looks like in my case, after having got an access_token and a refresh_token, which I use regulary to invoke the Gmail API, it no longer works after 6 months.
Could someone point me to a code example in Node, showing how to update the tokens on a regular basis? (I store them in a database, and wonder how to update the record appropriately via the google.auth.OAuth2 API).
I have made hundreds of searches but could not find anything else than "you should refresh your tokens" :)
It looks like
oauth2Client.on('tokens', (tokens) => {
logger.info("tokens=%o", tokens)
})
is only invoked once when establishing the connection, so it will not help.
I have also tried:
let x = await oauth2Client.refreshToken(database_refresh_token)
let refreshedToken = x.tokens.access_token
To store the new refreshed token in the database, but this does not help after 6 months. FYI, thanks to oauth2Client.getTokenInfo(refreshedToken) I can see that refreshedToken expires in 1 hour.
Finally, is there a way to test, without having to wait for 6 months?
Many thanks!
By last answer...
It means we can used one refresh token for 6 month. right ?
And after 6 month we have to update refresh token. right ?
There is API on Laravel, which uses Laravel Passport for authentication. All worked well with the default settings. Then we decided to change the lifetime of the access token to 1 day and 1 month accordingly. It caused a problem with the refresh token.
Example: Access token is expired and the app sends the refresh token request to API. Then the app loses internet connection and can't get a new token. (Server sends new tokens but the app is unavailable). After the internet connection returned, the app sends a new refresh request but get 401. So apps need to get new code from API to authenticate the user. I don't think it's a good idea to force the user to login every day.
Any suggestions? Maybe there is some way like "handshake" to solve that problem? I mean refresh token only after confirmation the app got new tokens.
If I correctly understand your question, you're saying that you initially have an Access Token1, Refresh Token1 pair, and when the Access Token1 expired you try to request a new Access Token using the Refresh Token1.
Now, for some reason, you fail to receive this new Access Token2, Refresh Token2 pair, so what does the user do?. Well, you see this from the Consumer's point of view. If you see the same scenario from the Oauth2 Server's point of view.
The Server does not know if you failed to receive the token or you received it and failed to save. The server's job was to generate a new access token based on your valid refresh token. And as soon as it creates a new access token, it invalidates the old refresh token. This is the standard Oauth2 implementation.
You may try to make it so that the Old refresh token is not immediately revoked on new access token generation. But this introduces a possibility of replay attacks.
Hence, The standard practice is to have the User log-in again.
I have a Google OAuth2 client approved by Google, which provides offline access to user's account with required scopes. My backend application stores and uses the refresh token to refresh the access tokens as and when needed.
Lately, we are seeing that our token refresh attempt is met with an error from Google with:
{
"error" : "invalid_grant",
"error_description" : "Token has been expired or revoked."
}
There is no additional information.
Nothing has changed in my Google OAuth client. The user has not changed account password. The user has not revoked access to my client.
What could be the reason for suddenly getting such errors for token refresh? And how do I avoid this in future (if possible)?
Are you inadvertently asking for the refresh token multiple times? There is a limit of approx. 25 refresh tokens that an account can have extant.
I had same issue, because I run my code in 2 different files and what I did remove token.pickle file, re-run it again.
I am curious if I can reset user sessions that is generated from mobile-end or front-end in a server.
My friend is working on iOS development, but he is having difficult time to make reset session function in his end. As a workaround, what I am thinking is (event if it is very dangerous and insecure approach...) he will send a refresh token and generate new tokens. New tokens will be fed back to the mobile.
However, this doesn't work. The error I am facing is "Invalid Refresh Token". What I am guessing is since it is generated from mobile end, the tokens cannot be generated in other sources, in this case the server.
Is this approach blocked by AWS side? Thanks.
If you are using Amazon Cognito, the globalSignOut and adminUserGlobalSignOut to invalidate issued access and refresh tokens for a user.