36

I am using Google's php api client. I am running through the quickstart guide for service accounts. I followed the steps perfectly (as far as I can tell). I am running into the following error:

{
   "error": "invalid_grant",
   "error_description": "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems."
}

From what I have read the most common problem with this error is if the system time is wrong. I have triple checked that my timezone and date and time are synced with the atomic clock. I used php set timezone function to set my timezone to match my computer, but I continue to get the error. I am looking into the other part of the message that mentions the iat and exp settings, and haven't gotten anywhere yet.

Does anyone have any ideas of how I can get past this?

ajon
  • 7,868
  • 11
  • 48
  • 86
  • 4
    If on Windows WSL, update your time through ntpdate: https://askubuntu.com/questions/81293/what-is-the-command-to-update-time-and-date-from-internet – Pigmalijonas Nov 06 '20 at 14:26

11 Answers11

63

Invalid_grant error has two common causes:

  1. Your server’s clock is not in sync with NTP.

    Solution: Check the server time. If it's incorrect, fix it.

  2. The refresh token limit has been exceeded.

    Solution: Nothing you can do - they can't have more refresh tokens in use.

    Applications can request multiple refresh tokens. For example, this is useful in situations where a user wants to install an application on multiple machines. In this case, two refresh tokens are required, one for each installation. When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant error response is returned.

    The limit for each unique pair of OAuth 2.0 client and is 50 refresh tokens (note that this limit is subject to change). If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid. The 27th requested refresh token would invalidate the 2nd previously issued token and so on.

Update

Applications in testing phase have their refresh tokens revoked after seven days. Go to Google cloud console for your project and under oauth2 set it to production.

Linda Lawton - DaImTo
  • 106,405
  • 32
  • 180
  • 449
  • i think the refresh token limit is now 50 – Linda Lawton - DaImTo Feb 07 '20 at 11:58
  • 6
    Unbelievable, I was despaired and when I tried to simply change my computer time (it has 5(!) minutes in advance), the test that failed to run, started to work! Awesome! – Aaron Tuil Sep 02 '21 at 09:46
  • its called [clock skew](https://en.wikipedia.org/wiki/Clock_skew) if your interested. Most of the google client libraries are designed to request a new access token five minutes before the old one is due to expire. But with your clock being off its going to have issues validating it. – Linda Lawton - DaImTo Sep 02 '21 at 09:50
23

Fixed the issue for me in 2020.

  • If on Windows, right click the date and time on the lower right.
  • Click "Adjust Date/Time".
  • Click "Sync now."
minTwin
  • 1,181
  • 2
  • 21
  • 35
10

WOW!!! This ended up being something really stupid. I am running Laravel's homestead as my dev server. I mostly assumed that the clocks on my VM and local machine would be synced. At least at the time of creation. But, I went a couple weeks without using this machine, so (I'm guessing), the VMs clock wasn't running while this computer was in hibernation, or the clocks were never in sync. Regardless, the issue is that my vm's clock was about 9 days behind my system clock. That was causing the issue.

ajon
  • 7,868
  • 11
  • 48
  • 86
  • Wow, I'm using Laravel Homestead, too, and it never occurred to me that it could have a different system time. Thanks. – Ryan Mar 14 '18 at 16:12
  • I was running Vagrant test VMs. My VM was at least a day out of sync due to suspending my laptop. – ayke Jun 15 '19 at 21:31
  • My case was also too stupid... I left my VM running a program(Wind + L) when I came back this error was printed. NTP clocks were disincronized, just restard your VM – Roger Coll Jul 26 '19 at 13:11
10

I had this with WSL2 on Windows - sometimes when the laptop hibernates, the WSL time falls behind the system time.

Run sudo hwclock -s to sync.

John O'Rourke
  • 156
  • 1
  • 4
1

if you run localy, check the time zone of your computer, for me it was the problem, the best solution in this case is to set it to automatic

Ghiles Rabah
  • 11
  • 3
1

Check your system time once. It may happen that you have dual boot because of which Windows couldn't update the latest timezone. Just refresh it once again in settings and see the magic.

Don't know why that dependency but that's how it is!

Aman Bhatnagar
  • 67
  • 8
1

In Linux, I solved this problem by selecting the automatic date and time option.

Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
Fazal Ur Rehman Fazal
  • 119
  • 1
  • 8
  • I think your answer would be more helpful if you also share "how" and "where" you did that. – Rub Dec 23 '22 at 15:12
0

I found a solution by changing the time zone to that of the server:

date
Output:
Wed Apr 26 17:44:38 UTC 2017

and then:

timedatectl list-timezones
sudo timedatectl set-timezone America/New_York
Output:
Wed Apr 26 13:55:45 EDT 2017
Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
T.Bayraktar
  • 11
  • 1
0

For my case, I just need to restart my machine. (Faced the issue on vagrant VM). It's working again.

4givN
  • 2,936
  • 2
  • 22
  • 51
0

First I doubted about changing server time. Because it's only 5 minutes differences between server and my computer(network time). I've been looking for various methods related to oAuth, but I have changed the server time in case, and it works well amazingly.

Jin
  • 1
  • 1
    Could you share the various methods that you looked into? – nunop Aug 31 '21 at 09:39
  • 1
    Please add further details to expand on your answer, such as working code or documentation citations. – Community Aug 31 '21 at 09:40
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). – Paul Sep 01 '21 at 11:34
-1

The first thing to check is the date and time. But remember that the time in the execution environment of your code may differ from the system time. For example, if you are working with tests and time is mocked (in my case, I copied another test case and forgot to remove the line with mockdate npm library: MockDate.set("4/15/2022 21:30:00")

So the first thing to do is to ensure that printing the current date-time shows the actual time, e.g. echo date("m/d/Y h:i:s a", time()).

General Grievance
  • 4,555
  • 31
  • 31
  • 45
Igor Rybak
  • 437
  • 5
  • 10