Google OAuth 403 when refreshing access token

Question

In a UWP app, I first get a refresh token and an access token using the following endpoint :

string tokenRequestBody = string.Format("code={0}&redirect_uri={1}&client_id={2}&scope=&grant_type=authorization_code",
                code,
                System.Uri.EscapeDataString(redirectURI),
                clientID
                );
StringContent content = new StringContent(tokenRequestBody, Encoding.UTF8, "application/x-www-form-urlencoded");
HttpResponseMessage response = new HttpClient().PostAsync("https://www.googleapis.com/oauth2/v4/token", content).Result;

At this point in the response, i have a refresh token and a fully functional 1 hour access token. This is working fine.

Now i want to use the refresh token to renew the access token :

string tokenRequestBody = string.Format("client_id={0}&refresh_token={1}&grant_type=refresh_token", clientID, _refreshToken);
StringContent body = new StringContent(tokenRequestBody, Encoding.UTF8, "application/x-www-form-urlencoded");

HttpResponseMessage tokenResponse = new HttpClient().PostAsync("https://www.googleapis.com/oauth2/v4/token", body).Result;

Instead of getting a new access token, i have the following error :

[{"domain":"usageLimits","reason":"dailyLimitExceededUnreg","message":"Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup.","extendedHelp":"https://code.google.com/apis/console"}],"code":403,"message":"Daily Limit for Unauthenticated Use Exceeded. Continued use requires signup."}

What am i missing here ?

Thanks for the help.

What Google API service are you trying to use? – Drewness Feb 13 '18 at 21:32 — Drewness, Feb 13 '18 at 21:32

score 0 · Answer 1 · answered Feb 13 '18 at 21:45

0

You need to include the appropriate scopes for Google Drive. You are not including any as seen in your code below. This will prevent the issuing of access tokens.

string tokenRequestBody = string.Format(...&scope=...);

I would also recommend checking out the OAuth Playground. Very useful for developers building applications.

answered Feb 13 '18 at 21:45

Drewness

5,004
4
32
50

scopes are required when you first redirect to Google sign in page. Then exchanging tokens don't require them as indicated in the documentation (https://developers.google.com/identity/protocols/OAuth2WebServer#offline). And the access token does work, i just can't renew it using an access token. I'll take a look at the playground, it might help to diagnose my issue. – Jérôme S. Feb 13 '18 at 22:23
They are not required because they are part of the token at that point. You renew an access token with a refresh token, not an access token. – Drewness Feb 13 '18 at 23:00
Yes sorry mistyped, i meant refresh token like in the OP. Messing with the playground, it seems i have two differences : i don't have a "secret_client" and it's nowhere to be found (but it seems optional https://stackoverflow.com/questions/11295661/google-apis-console-missing-client-secret), and when you renew the access token through the playground, the query is authorized with the current access token. Which seems stupid since my token may be expired at this point. So i don't know what to do. – Jérôme S. Feb 14 '18 at 08:31

score 0 · Accepted Answer · answered Feb 15 '18 at 18:36

Well, i'm amazingly stupid.

Nothing at all is wrong with the above code. I just parsed the wrong response.

Basically i did :

var dataResponse = getSomeStuffFromRestApi();
if (api authorization fails)
{
  var tokenResponse = getATokenFromRestApi();
  lookForTokenInResponse(dataResponse); // should've been tokenResponse.............
}

Sorry for the waste of time. At least there is some working code for reference now....

Google OAuth 403 when refreshing access token

2 Answers2

Linked