14

I have a Google OAuth2 client approved by Google, which provides offline access to the user's account with the required scopes. My backend application stores and uses the refresh token to refresh the access tokens as and when needed.

Lately, we are seeing that our token refresh attempts are met with this error from Google:

{
    "error" : "invalid_grant",
    "error_description" : "Token has been expired or revoked."
}

There is no additional information.

Nothing has changed in my Google OAuth client. The user has not changed account password. The user has not revoked access to my client.

What could be the reason for suddenly getting such errors for token refresh? And how do I avoid this in future (if possible)?

informatik01
Urjit

2 Answers

3

Are you inadvertently asking for the refresh token multiple times? There is a limit of approx. 25 refresh tokens that an account can have extant.

pinoyyid
  • So if I understand this right, the moment I ask for a refresh token the 26th time, the first refresh token I was served is invalidated, and if I continue to hold onto and try to use it I will get an error. I did think of this possibility and changed my application to store the latest refresh token every time I ask for it. So I don't hold onto and use an invalidated 'old' token. – Urjit Aug 16 '18 at 02:07
  • The limit of refresh tokens has increased to 50 active tokens. Anyways you are right, once you reach that limit, creating a new refresh token automatically invalidates the oldest refresh token without warning, so you always need to store the latest refresh token. – Ruben Lopez Aug 16 '18 at 08:18
  • You shouldn't really be asking for a refresh token more than once. – pinoyyid Aug 16 '18 at 08:43
  • Is there any docs about the limit of refresh tokens? I don't find it. I doubt it. – Lin Du Mar 06 '19 at 09:23
  • @slideshowp2 I doubt that the limit is formally documented. The key point is that if you are asking for more than 2 or 3, you should consider redesigning your application. – pinoyyid Mar 06 '19 at 12:25
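An added example (not code from the question or the answers) of the advice in the comments above: keep only the newest refresh token per user, and treat Google's invalid_grant on refresh as "send the user back through consent" rather than something to retry. The client_id/client_secret values and the injected post() transport are assumptions; a real app would call the token endpoint over HTTPS.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Google's real token endpoint; post() is injected so the example runs offline.
TOKEN_URI = "https://oauth2.googleapis.com/token"
PostFn = Callable[[str, Dict[str, str]], Tuple[int, dict]]

@dataclass
class Grant:
    refresh_token: str
    access_token: Optional[str] = None
    needs_reauth: bool = False  # set once Google answers invalid_grant

class GrantStore:
    # One grant per user: a newly issued refresh token always replaces the stored
    # one, so the app never keeps using a token that fell off Google's limit.
    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}

    def save_token_response(self, user_id: str, body: dict) -> Grant:
        # refresh_token is only present after an offline-consent code exchange;
        # when it is, it supersedes whatever was stored before.
        grant = self.grants.get(user_id)
        if "refresh_token" in body:
            grant = Grant(refresh_token=body["refresh_token"])
        elif grant is None:
            raise ValueError(f"no refresh token stored for {user_id}")
        grant.access_token = body["access_token"]
        grant.needs_reauth = False
        self.grants[user_id] = grant
        return grant

def refresh_access_token(store: GrantStore, user_id: str, client_id: str,
                         client_secret: str, post: PostFn) -> bool:
    # Returns True on success. On invalid_grant the grant is flagged so the app
    # sends the user back through consent instead of retrying a dead token.
    grant = store.grants.get(user_id)
    if grant is None or grant.needs_reauth:
        return False
    status, body = post(TOKEN_URI, {
        "grant_type": "refresh_token", "refresh_token": grant.refresh_token,
        "client_id": client_id, "client_secret": client_secret})
    if status == 200:
        store.save_token_response(user_id, body)
        return True
    if status == 400 and body.get("error") == "invalid_grant":
        grant.needs_reauth = True  # revoked, expired, or rotated out of the limit
        return False
    raise RuntimeError(f"token endpoint returned {status}: {body}")
```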
1

I had the same issue, because I ran my code in 2 different files. What I did was remove the token.pickle file and re-run it again.

  • This answer worked out for me. I had a pickle file so that I didn't need to authenticate myself all the time till the pickle file expires. But the error was not describing that issue. – akalanka Jan 14 '21 at 17:35