Google API OAuth2 refresh tokens abruptly revoked - google-api

I've been using the Google API to update one of my Chrome plugins on a weekly basis. This has happened 3 or 4 times now: the refresh token I acquire will work properly for up to two weeks (only being used once per week), then in the third week it returns an error saying that my token has expired or been revoked.
Given that I'm the only user with access to these tokens, I know that there isn't any spamming, and I know that nobody would be authorized to revoke the tokens on my end.
Please advise. Thanks!

There are several reasons why an access token can expire.
The user revoked your access.
Depending upon which scope you are using, if the user changes their password it can revoke all outstanding refresh tokens (mostly Gmail, I think).
If your application is still in the testing phase, refresh tokens only last for two weeks; you will need to move your application to production and go through the verification process. (This appears to have been a stealth change; I can find no information on it.)
You can have a max of 50 outstanding refresh tokens for a user's account; if the user is logging in multiple times and you get a new refresh token each time, make sure you are always using the newest.
Your application should always be set to request access from the user again in the event that the refresh token has expired.
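The handling the answer above recommends, as an added example that is not part of the original answer: keep the newest refresh token, renew the access token before its roughly 60-minute lifetime runs out, and when the token endpoint answers `invalid_grant` treat the refresh token as dead and send the user back to consent instead of retrying. It assumes an RFC 6749 token endpoint (Google's is `https://oauth2.googleapis.com/token`); the client id/secret, the stored tokens and the `fake_token_endpoint` are constructed placeholders, and the `post` callable is injected so the logic runs offline.

```python
"""Refresh-token handling that recovers when Google says the token is expired or revoked."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
ACCESS_TOKEN_LIFETIME = 3600   # Google access tokens last about 60 minutes
EARLY_REFRESH = 60             # refresh a minute early so we never send a just-expired token
# token-endpoint errors that mean the refresh token itself is dead (revoked, expired, rotated out)
DEAD_REFRESH_TOKEN_ERRORS = {"invalid_grant", "invalid_token"}
FAKE_CALLS = []                # records calls made to the constructed endpoint below


class ReauthorizationRequired(Exception):
    """The refresh token no longer works; send the user through the consent screen again."""


def http_post_form(url, fields):
    """Real transport: POST a form body and return (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class TokenStore:
    """Stand-in for persistent (encrypted-at-rest) token storage, one record per user."""

    def __init__(self, refresh_token):
        self.refresh_token = refresh_token
        self.access_token = None
        self.expires_at = 0.0

    def has_fresh_access_token(self, now):
        return self.access_token is not None and now < self.expires_at - EARLY_REFRESH


def get_access_token(store, client_id, client_secret, post=http_post_form, now=None):
    """Return a usable access token, refreshing it when needed.

    Raises ReauthorizationRequired when the refresh token is gone; the caller should
    redirect the user to consent rather than retrying the dead token in a loop.
    """
    now = time.time() if now is None else now
    if store.has_fresh_access_token(now):
        return store.access_token
    if store.refresh_token is None:
        raise ReauthorizationRequired("no refresh token on file")
    status, body = post(TOKEN_ENDPOINT, {
        "grant_type": "refresh_token",
        "refresh_token": store.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    if status == 200 and "access_token" in body:
        store.access_token = body["access_token"]
        store.expires_at = now + int(body.get("expires_in", ACCESS_TOKEN_LIFETIME))
        # Google normally omits refresh_token on a refresh; if one does arrive it is the
        # newest and must replace the old one, since older tokens get pushed out of the limit.
        if body.get("refresh_token"):
            store.refresh_token = body["refresh_token"]
        return store.access_token
    if status == 400 and body.get("error") in DEAD_REFRESH_TOKEN_ERRORS:
        store.refresh_token = store.access_token = None   # never retry a dead token
        raise ReauthorizationRequired(body.get("error_description", body["error"]))
    raise RuntimeError(f"token endpoint returned HTTP {status}: {body}")


def fake_token_endpoint(url, fields):
    """Constructed stand-in for Google's token endpoint, shaped like its real responses."""
    FAKE_CALLS.append(fields)
    if fields.get("refresh_token") == "rt-live":
        return 200, {"access_token": f"at-{len(FAKE_CALLS)}", "expires_in": 3600, "token_type": "Bearer"}
    return 400, {"error": "invalid_grant", "error_description": "Token has been expired or revoked."}


def demo():
    """Walk a user through refresh, cached reuse, expiry and revocation; returns what happened."""
    FAKE_CALLS.clear()
    t0 = 1_700_000_000
    args = ("client-id", "client-secret")
    live = TokenStore("rt-live")
    first = get_access_token(live, *args, post=fake_token_endpoint, now=t0)
    cached = get_access_token(live, *args, post=fake_token_endpoint, now=t0 + 600)   # no call
    renewed = get_access_token(live, *args, post=fake_token_endpoint, now=t0 + 3600)  # refreshed
    dead = TokenStore("rt-revoked")
    try:
        get_access_token(dead, *args, post=fake_token_endpoint, now=t0)
        outcome = "unexpected success"
    except ReauthorizationRequired as err:
        outcome = str(err)
    return {"first": first, "cached": cached, "renewed": renewed, "calls": len(FAKE_CALLS),
            "dead_outcome": outcome, "dead_cleared": dead.refresh_token is None}


if __name__ == "__main__":
    print(demo())
```

Swap `fake_token_endpoint` for the default `http_post_form` and real credentials to run it against Google; the `ReauthorizationRequired` path is where the app should start a fresh authorization-code flow rather than keep hammering the token endpoint.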

I have recently worked with the Google Ads API and Shopping Content API and experienced the detailed behaviour of the API authentication mechanics.
What I can tell for sure regarding authentication is the following:
An access token always has a lifetime of 60 min and then expires.
A refresh token makes it easier to obtain a new access token, since no additional verification is needed.
The lifetime of a refresh token varies:
it can be 6 months or more (when the related application's publishing status is released)
or just 1 week (when the related application's publishing status is testing).
You can find detailed information regarding token expiration in the Google API documentation: https://developers.google.com/identity/protocols/oauth2#expiration
Also, information regarding the publishing status of your API application: Token has expired or revoked - Google Ads

Related

Limits when accessing Google APIs using Service Account vs OAuth

My current application accesses one of the Google APIs using "3-legged" OAuth 2.0. The user authorizes the app on the Google consent screen, then the app requests the API on behalf of the user and shows him some fancy data loaded from the API. Every day my application loads and transforms data from this API, so when the user comes back next time, he sees the most relevant and up-to-date data.
Everything works fine at the start, but as time goes on, I faced two problems:
1. Query limits.
2. Token lifetime.
My question is dedicated to the second one, which I refer to as "token lifetime". After some amount of time, the access token expires, and when the user comes back to the app, our app is obliged to send him to the consent screen again. Moreover, the whole time the access token has been in the expired state, my app cannot load relevant data for the user.
How can I solve this problem? How can I extend the lifetime of access/refresh tokens? Would a service account help? Would a service account work for the Google Search Console API for every user, or should the user be a G Suite user inside my domain, or what?
These questions are completely unclear from the official documentation here and from the Search Console API documentation.
If you have past experience with Google's APIs, please help me!
Thank you
When you use OAuth with user consent, you do not need to prompt the user for consent repeatedly.
[a] If your use case is entirely online and you want to be able to request a token each time the user visits your app, use the Google Sign-In library or see this documentation for client-side apps.
[b] If your use case is that you want to be able to obtain access tokens even when the user is not present, then you need to request an authorization code and store your refresh token. Your refresh tokens are longer-lived tokens and can be exchanged periodically for access tokens.
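Case [b] above, as an added example that is not part of the original answer: the authorization-code request that makes Google issue a refresh token (`access_type=offline`, plus `prompt=consent` so one is issued even when the user has consented before), a CSRF `state` check on the callback, a PKCE code verifier (RFC 7636, which Google's endpoints accept), and the token-response handling that refuses to proceed without a refresh token. The client id, redirect URI, scope, callback URL and token response are constructed placeholders; the actual HTTP exchange is left to the caller so everything here runs offline.

```python
"""Authorization-code request for offline access, with state and PKCE checks."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
SCOPE = "https://www.googleapis.com/auth/webmasters.readonly"   # Search Console, read-only


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """RFC 7636: a random code verifier and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_matches(verifier, challenge):
    """True if `challenge` is the S256 challenge of `verifier` (what the token endpoint checks)."""
    return hmac.compare_digest(_b64url(hashlib.sha256(verifier.encode("ascii")).digest()), challenge)


def build_authorization_request(client_id, redirect_uri, scopes):
    """Return (url, session_state); session_state must be kept server-side until the callback."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = new_pkce_pair()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",        # ask for a refresh token
        "prompt": "consent",             # issue one even if the user consented before
        "include_granted_scopes": "true",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params), {"state": state, "verifier": verifier}


def parse_callback(callback_url, session_state):
    """Verify the state parameter (CSRF protection) and return the authorization code."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state, session_state["state"]):
        raise PermissionError("state mismatch: possible CSRF or stale session")
    return query["code"][0]


def code_exchange_fields(code, client_id, client_secret, redirect_uri, session_state):
    """Form fields to POST to TOKEN_ENDPOINT; redirect_uri must equal the one used above."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code_verifier": session_state["verifier"]}


def tokens_from_response(body):
    """Pick out what to persist. No refresh_token means the user had already consented and
    prompt=consent was not sent; the access token alone will expire within the hour."""
    if not body.get("refresh_token"):
        raise LookupError("no refresh_token in response; re-run authorization with prompt=consent")
    return {"refresh_token": body["refresh_token"], "access_token": body["access_token"],
            "expires_in": int(body.get("expires_in", 3600))}


def demo():
    """Round trip with constructed inputs: request, callback, forged callback, exchange, response."""
    redirect = "https://app.example/oauth2cb"
    url, sess = build_authorization_request("client-id", redirect, [SCOPE])
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlparse(url).query))
    callback = f"{redirect}?state={sess['state']}&code=4%2Fconstructed-code&scope={SCOPE}"
    code = parse_callback(callback, sess)
    fields = code_exchange_fields(code, "client-id", "client-secret", redirect, sess)
    try:
        parse_callback(callback.replace(sess["state"], "attacker-state"), sess)
        forged = "accepted"
    except PermissionError:
        forged = "rejected"
    saved = tokens_from_response({"access_token": "ya29.constructed", "expires_in": 3599,
                                  "refresh_token": "1//constructed", "token_type": "Bearer"})
    try:
        tokens_from_response({"access_token": "ya29.constructed", "expires_in": 3599})
        missing = "accepted"
    except LookupError:
        missing = "rejected"
    return {"params": params, "code": code, "forged": forged, "saved": saved, "missing": missing,
            "pkce_ok": challenge_matches(fields["code_verifier"], params["code_challenge"])}
```

The `state` must be bound to the browser session (cookie) and discarded after one use; the verifier never leaves the server, so an attacker who intercepts the code alone cannot finish the exchange.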

How can unused/orphaned Google OAuth2 token be removed?

We have an app that over time obtained and worked with Google OAuth2 tokens. Now it got the 'Unverified app' status allowing < 100 installs. We know we have < 100 users with active access tokens but the Google OAuth team tells us there are > 100 outstanding access tokens.
How can we revoke those unused/orphaned tokens that our app does not track anymore? We can't issue the 'revoke' requests because we don't know those tokens. Is there a way for an app to list all outstanding oauth2 tokens or to revoke all its tokens?
Thank you
Such an access token has a lifetime of about an hour - you probably mean app authorizations, aka "Third-party sites & apps with access to your account", which last until being revoked by the user. So generally there's not much to do about it, other than suggesting that users revoke the access manually. Changing the name of the package might be the only option available on your side to get rid of them.
Authorized users
First off, you don't have unused/orphaned tokens, not really. What you have is users who have granted your application permission to access their data. There is no way for you to see exactly who these users are. There is no way to remove their granted consent unless you have refresh tokens for each of them saved in your system some place. If you do, you could call a revoke on all of those refresh tokens and it should/might release a few of your 100 installs. This is just a guess; I have never tried it.
curl -H "Content-type:application/x-www-form-urlencoded" \
https://accounts.google.com/o/oauth2/revoke?token={token}
application verification
The issue you are having is that your application is unverified. Google has placed a limit of 100 installs on unverified applications during the development process; this way you can test your application before it goes live. What you should do is go to the Google developer console and request that your application be verified.
An unverified app is an app or Apps Script that requests a sensitive or restricted OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive apps.
Once your application has been verified you will no longer be under the 100 installs limitation. You need to go through the verification process.
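The bulk revocation the answer above suggests, as an added example that is not part of the original answer: loop over every refresh token the app still has on file and POST each to Google's revoke endpoint (`https://oauth2.googleapis.com/revoke`, the documented successor of the `accounts.google.com/o/oauth2/revoke` URL in the answer's curl), recording which grants were revoked, which were already dead and which should be retried. Revoking a refresh token also revokes the grant it came from. The user records and `fake_revoke` server are constructed so the loop runs offline; the `revoke` callable is injected.

```python
"""Revoke every refresh token an app still holds, so stale grants stop counting as installs."""
import json
import urllib.error
import urllib.parse
import urllib.request

REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"
# constructed view of which tokens Google would still consider valid
FAKE_SERVER_TOKENS = {"1//rt-alice", "1//rt-bob"}


def revoke_over_http(token):
    """Real transport: returns (HTTP status, body text) from Google's revoke endpoint.
    Google answers 200 on success and 400 {"error": "invalid_token"} if the token is already dead."""
    data = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(REVOKE_ENDPOINT, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode() or "{}"
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode() or "{}"


def revoke_all(records, revoke=revoke_over_http):
    """records: iterable of (user_id, refresh_token). Returns {user_id: outcome}.
    Everything except 'retry later' can be deleted from the token store afterwards."""
    outcome = {}
    for user_id, token in records:
        if not token:
            outcome[user_id] = "no token stored"
            continue
        status, body = revoke(token)
        if status == 200:
            outcome[user_id] = "revoked"
        elif status == 400 and json.loads(body or "{}").get("error") == "invalid_token":
            outcome[user_id] = "already invalid"   # user revoked it, or it expired / rotated out
        elif status == 429 or status >= 500:
            outcome[user_id] = f"retry later (HTTP {status})"
        else:
            outcome[user_id] = f"failed (HTTP {status}: {body.strip()})"
    return outcome


def fake_revoke(token):
    """Constructed stand-in for the revoke endpoint, mirroring its documented responses."""
    if token in FAKE_SERVER_TOKENS:
        FAKE_SERVER_TOKENS.discard(token)
        return 200, "{}"
    if token == "1//rt-flaky":
        return 503, '{"error": "backend_error"}'
    return 400, '{"error": "invalid_token", "error_description": "Token expired or revoked"}'


def demo():
    """Run the loop over constructed records, including a duplicate of an already revoked token."""
    records = [("alice", "1//rt-alice"), ("bob", "1//rt-bob"), ("carol", "1//rt-gone"),
               ("dave", None), ("erin", "1//rt-flaky"), ("alice-old-device", "1//rt-alice")]
    return revoke_all(records, revoke=fake_revoke)


if __name__ == "__main__":
    for user, result in demo().items():
        print(f"{user:18s} {result}")
```

Pass `revoke=revoke_over_http` (the default) to run it for real; space the calls out or back off on 429 and 5xx, and delete the stored token for every "revoked" or "already invalid" result so the app never retries a dead grant.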

Google API: refresh tokens suddenly stopped working ("invalid_grant")

All accesses (a dozen) stopped working, returning the error "invalid_grant".
I have revoked the application access for one of the users and got a new one, and this access is now working again with a new refresh token.
I wonder what might have happened? I doubt all users changed their password (I read that this can revoke access), and refresh tokens don't have an expiry limit.
Everything was working fine until now.
Refresh tokens should not expire if a user changes their password. That is kind of the point of a refresh token.
Refresh tokens can expire if:
The refresh token hasn't been used for six months to get a new access token.
The user in question revokes access via their Google Account.
Too many refresh tokens. When a user authenticates your application you get a refresh token associated with your project and said user. If the user authenticates your application again you get another refresh token; both will work. You can keep doing this until you reach the magic number of 25, at which time the first refresh token will automatically expire.
Number three could be your problem if you are not ensuring that you are always saving the most recent refresh token, or if your users have multiple versions of your application running.
If you are having issues with all of your users, I think the problem could be that invalid_grant can also be the result of your server's clock not being in sync with NTP.
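A check for the clock-skew cause mentioned at the end of the answer, as an added example that is not part of the original answer: when every user fails at once, compare the server's clock against the `Date` header of any response from Google's token host before assuming a dozen independent revocations. The 300-second tolerance is an assumption, not a documented Google limit, and the `Date` header used in the demo is constructed so the check runs offline.

```python
"""Measure local clock skew against the OAuth token host before blaming revoked tokens."""
import time
import urllib.error
import urllib.request
from email.utils import parsedate_to_datetime

TOKEN_HOST = "https://oauth2.googleapis.com/"
MAX_SKEW_SECONDS = 300   # assumed tolerance; tighten it to what your own failures show


def skew_from_date_header(date_header, local_now=None):
    """Seconds the local clock is ahead (+) of or behind (-) the server's RFC 1123 Date header."""
    server_now = parsedate_to_datetime(date_header).timestamp()
    local_now = time.time() if local_now is None else local_now
    return local_now - server_now


def clock_within_tolerance(date_header, local_now=None, max_skew=MAX_SKEW_SECONDS):
    """True if the skew is small enough that time-based OAuth checks should pass."""
    return abs(skew_from_date_header(date_header, local_now)) <= max_skew


def fetch_date_header(url=TOKEN_HOST):
    """Real transport: any response from the host carries its clock in the Date header."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers["Date"]
    except urllib.error.HTTPError as err:
        return err.headers["Date"]   # a 404 from the host is still a timestamped answer


def demo():
    """Constructed server time vs. two local clocks: one 400 s fast, one 30 s slow."""
    header = "Wed, 21 Oct 2015 07:28:00 GMT"      # constructed; epoch 1445412480
    server = 1445412480
    return {
        "fast_skew": skew_from_date_header(header, local_now=server + 400),
        "fast_ok": clock_within_tolerance(header, local_now=server + 400),
        "slow_skew": skew_from_date_header(header, local_now=server - 30),
        "slow_ok": clock_within_tolerance(header, local_now=server - 30),
    }


if __name__ == "__main__":
    date = fetch_date_header()
    print(f"skew vs {TOKEN_HOST}: {skew_from_date_header(date):+.1f}s "
          f"({'ok' if clock_within_tolerance(date) else 'FIX NTP'})")
```

Run it on the host that talks to the token endpoint, not your workstation; if the skew is large, fix time synchronisation first and only then start revoking and re-authorizing users.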

Yammer Token Expiring

We are using the following method to generate a token to be used to make calls to the Yammer data export and REST APIs: https://developer.yammer.com/introduction/
The token looks to be working for the most part, but it will expire every 2 weeks for some Yammer instances. However, according to the documentation, I thought that the tokens generated in this way are not supposed to expire.
Are there any specific reasons why tokens would be expiring every 2 weeks? I know that the user is not being deleted or deactivated.
Thanks!
The access tokens are long-lived and I have been using mine for about 4 months now. You'll want to double-check to ensure that the user did not revoke the app's access from the "My Applications" page.

Is there any way to change the default validity period of a refresh token in windows azure ACS

Is there a way to change the validity period of a refresh token within Windows Azure Access Control Service? Based on the following article, refresh tokens last a year, but I cannot find a way to change that, either in the portal or via the management service. I am aware of the token timeout when creating a relying party application, but this, as I understand it, refers to the timeout of the access token, not the refresh token.
Any help would be greatly appreciated.
Many Thanks,
User1426145
With OAuth 2.0, the refresh token has an expiration time sent along with it and, as you described in the case above, the limit is about ONE year. You cannot change the refresh token validity period once it is issued, so you have two options to keep it alive: keep track of its validity, or when you hit the INVALID_TOKEN error, call the same refresh token service to receive a brand new refresh token again.