
I've got a problem with Google API and refresh token.

const axios = require("axios");
const querystring = require("querystring");

// Backend call: exchange the stored refresh token for a fresh access token.
function getTokenWithRefresh(clientId, clientSecret, refresh_token) {
  return axios.post("https://accounts.google.com/o/oauth2/token", {
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: querystring.unescape(refresh_token),
    grant_type: "refresh_token",
  })
  .then((response) => {
    // Only the new access token is needed; Google keeps the refresh token unchanged.
    return response.data.access_token;
  })
  .catch((err) => console.log("error GetTokenWithRefresh: ", err.response));
}

This works fine. I get my new token. (I use this request for tests each time I need to write into an Excel document.) But after a certain time, my refresh_token becomes invalid:

{
    "error": "invalid_grant",
    "error_description": "Token has been expired or revoked."
}

My Google account used to grant access to the app is far under the limit of refresh tokens. The app still appears in authorised applications under Security on my Google account. It's as if the refresh_token had the same behaviour as a classic token.

If you have any idea where the problem may be coming from, I would be very grateful!

Have a nice day!

  • You're using JavaScript; how did you even get a refresh token? The implicit flow doesn't return a refresh token. – Linda Lawton - DaImTo Aug 20 '20 at 11:09
  • @DaImTo you can ask for a refresh token by asking for offline access in your query (see this thread https://stackoverflow.com/questions/10827920/not-receiving-google-oauth-refresh-token) – Sydney C. Aug 20 '20 at 12:04
  • @SydneyC. You know that answer is from 2012, right? If OP is using a client-sided programming language (JavaScript) they are using the implicit flow. The implicit grant flow does not issue refresh tokens, mostly for security reasons. A refresh token isn't as narrowly scoped as access tokens, granting far more power and hence inflicting far more damage in case it is leaked. – Linda Lawton - DaImTo Aug 20 '20 at 12:21
  • @DaImTo Thanks for your answer. Then what do I have to do if I don't want my user to relog each time my token expires? Basically I want my user to accept the app once, then I can update an Excel file every time I need to. – Paul Cartau Aug 20 '20 at 12:27
  • Edit: that's a backend request. – Paul Cartau Aug 20 '20 at 12:44

1 Answer

That's not a problem - it is standard OAuth behaviour, where you first configure lifetimes, e.g.:

  • Access token lasts 60 minutes
  • Refresh token lasts for 12 hours

EXPIRY

The access token acts as a short-lived API message credential - it can be renewed silently without impacting the end user. When the access token expires, the caller receives a 401 HTTP status.

When a 401 is received, the client uses the refresh token to get a new access token. Eventually the refresh token also expires and the token renewal attempt returns an invalid_grant error. The user must then be redirected to re-authenticate.

VISUALISATION

Feel free to run my Online Single Page Demo App to understand how this looks. In my SPA the refresh token is wrapped in an HTTP only cookie and the access token is stored in the browser.

Gary Archer
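The lifecycle the answer describes, and the offline-access point from the comment thread, as an added example that is not part of the question or the answer. It simulates an authorization server and a resource API in memory with an injected clock, so it runs offline: the access token expires, the API returns 401, the client refreshes, and once the refresh token has expired too the token endpoint returns the same `invalid_grant` / "Token has been expired or revoked." body the question shows, which the client reports as a need to re-authenticate. The lifetimes (60 minutes, 12 hours) are the answer's illustrative values and are constructed here; Google sets its own lifetimes and does not let the client configure them. `buildConsentUrl` uses the real Google parameters `access_type=offline` and `prompt=consent`; the client id, redirect URI and scope passed to it are assumed placeholders.

```javascript
// Added example: mock OAuth token lifecycle (not the question's or the answer's code).
const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000;       // 60 minutes (constructed)
const REFRESH_TOKEN_TTL_MS = 12 * 60 * 60 * 1000; // 12 hours (constructed)

// Consent URL for the authorization-code flow on the backend. access_type=offline
// is what makes Google return a refresh token with the code; prompt=consent forces
// a new refresh token even if the user already consented once.
function buildConsentUrl(clientId, redirectUri, scope) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope,
    access_type: "offline",
    prompt: "consent",
  });
  return `https://accounts.google.com/o/oauth2/v2/auth?${params.toString()}`;
}

// In-memory stand-in for the authorization server's token endpoint and the API.
class MockAuthServer {
  constructor(now) {
    this.now = now;                  // injected clock (ms) so a scenario can fast-forward
    this.accessTokens = new Map();   // access token -> expiry (ms)
    this.refreshTokens = new Map();  // refresh token -> expiry (ms)
    this.counter = 0;
  }
  // Initial issuance after the user consents: one access token plus one refresh token.
  issue() {
    const access_token = `at-${++this.counter}`;
    const refresh_token = `rt-${++this.counter}`;
    this.accessTokens.set(access_token, this.now() + ACCESS_TOKEN_TTL_MS);
    this.refreshTokens.set(refresh_token, this.now() + REFRESH_TOKEN_TTL_MS);
    return { access_token, refresh_token };
  }
  // Token endpoint with grant_type=refresh_token. An unknown or expired refresh
  // token yields the invalid_grant error the question quotes.
  refresh(refreshToken) {
    const exp = this.refreshTokens.get(refreshToken);
    if (exp === undefined || exp <= this.now()) {
      this.refreshTokens.delete(refreshToken);
      return { ok: false, body: { error: "invalid_grant",
                                  error_description: "Token has been expired or revoked." } };
    }
    const access_token = `at-${++this.counter}`;
    this.accessTokens.set(access_token, this.now() + ACCESS_TOKEN_TTL_MS);
    return { ok: true, body: { access_token } };
  }
  // Resource API: an expired or unknown access token gets a 401.
  callApi(accessToken) {
    const exp = this.accessTokens.get(accessToken);
    if (exp === undefined || exp <= this.now()) return { status: 401 };
    return { status: 200, body: "sheet updated" };
  }
}

// API client that retries once after a silent refresh and escalates to the user
// only when the refresh token itself is rejected.
class ApiClient {
  constructor(server, tokens) {
    this.server = server;
    this.tokens = tokens; // { accessToken, refreshToken }
  }
  write() {
    const first = this.server.callApi(this.tokens.accessToken);
    if (first.status !== 401) return first;
    const refreshed = this.server.refresh(this.tokens.refreshToken);
    if (!refreshed.ok) {
      if (refreshed.body.error === "invalid_grant") return { status: "reauth_required" };
      throw new Error(`unexpected token endpoint error: ${refreshed.body.error}`);
    }
    this.tokens.accessToken = refreshed.body.access_token;
    return this.server.callApi(this.tokens.accessToken);
  }
}

// Walks the timeline: fresh tokens -> access token expired -> refresh token expired.
// Returns the status of each write attempt: [200, 200, "reauth_required"].
function runScenario() {
  let t = 0;
  const server = new MockAuthServer(() => t);
  const initial = server.issue();
  const client = new ApiClient(server, {
    accessToken: initial.access_token,
    refreshToken: initial.refresh_token,
  });
  const log = [];
  log.push(client.write().status);   // t = 0: access token valid
  t += 61 * 60 * 1000;               // 61 minutes: access token expired, refresh still valid
  log.push(client.write().status);   // 401 -> silent refresh -> 200
  t += 13 * 60 * 60 * 1000;          // +13 hours: refresh token expired as well
  log.push(client.write().status);   // 401 -> invalid_grant -> user must re-consent
  return log;
}

console.log(runScenario());
```

The point for a backend job like the one in the question is the split in `ApiClient.write`: a 401 is routine and handled without the user, while `invalid_grant` from the token endpoint means the stored refresh token is dead and the only way forward is sending the user back through `buildConsentUrl`, which is also the place to store the newly issued refresh token.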