I've been using the Google API to update one of my Chrome plugins on a weekly basis. This has now happened 3 or 4 times: the refresh token I acquire will work properly for up to two weeks (only being used once per week), then in the third week it returns an error saying that my token has been expired or revoked.

Given that I'm the only user with access to these tokens, I know that there isn't any spamming, and I know that nobody would be authorized to revoke the tokens on my end.

Please advise. Thanks!

EGibbs87

2 Answers

There are several reasons why an access token can expire.

  1. The user revoked your access.
  2. Depending upon which scope you are using, if the user changes their password it can revoke all outstanding refresh tokens (mostly Gmail, I think).
  3. If your application is still in the testing phase, refresh tokens only last for two weeks; you will need to move your application to production and go through the verification process. (This appears to have been a stealth change; I can find no information on it.)
  4. You can have a max of 50 outstanding refresh tokens for a user's account. If the user is logging in multiple times and you get a new refresh token each time, make sure you are always using the newest.

Your application should always be set to request access of the user again in the event that the refresh token has expired.

Linda Lawton - DaImTo
  • #1, 2, and 4 are definitely not possible in this case --- #3, however, I'd never heard of, and sounds like it might be exactly the issue. I'll do a little more research to see if I can find out more about it. Thanks! – EGibbs87 May 10 '21 at 11:55
  • Let me know if you find any concrete information on it. I'm still doing some testing myself and I haven't been able to get any official word from my Google contacts. – Linda Lawton - DaImTo May 10 '21 at 14:22
  • I can't confirm it's working yet, but I think (/hope) #3 above was really useful. I went to the dev console, where I'm typically working with the "Credentials" tab, and opened the "OAuth Consent Screen" tab. There, under the "Publishing Status" header, it was shown that my application was in testing. So I just clicked the button to move it to production. I'm pretty hopeful that that was the issue, assuming that testing creds are revoked after 2 weeks, as that exactly describes the issue I was seeing. Check back in 2-3 weeks, and I'll try to remember to update when I know for sure. – EGibbs87 May 11 '21 at 15:09
  • So after a little over a month, I feel confident enough to say that #3 was the cause. After I switched the application over to production, the token that I had already gotten expired within a week or two. After getting a new token, this time already in production, I haven't had any unexpected expirations yet. Thanks for the heads up! – EGibbs87 Jun 17 '21 at 15:01

I have recently worked with Google Ads API and Shopping Content API and experienced detailed behaviour of API authentication mechanics.

What I can tell for sure regarding authentication is the following:

  • An Access-Token always has a lifetime of 60 min. and then expires
  • A Refresh-Token makes it easier to obtain a new Access-Token, since no additional verification is needed
  • The lifetime of a Refresh-Token varies
    • it can be 6 months or more (when the related application publishing status is released)
    • or just 1 week (when the related application publishing status is testing)

You can find detailed information regarding Token Expiration on the Google API Documentation https://developers.google.com/identity/protocols/oauth2#expiration

Also, information regarding the publishing status of your API application: Token has expired or revoked - Google Ads

samjaona
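
An added example (not code from either answer or from Google): a refresh-token handler that caches the short-lived access token described in the second answer and treats `invalid_grant` from the token endpoint as the signal to request access again, as the first answer advises. The injected `post` transport, the class names and the sample responses are assumptions constructed for illustration.

```python
import json
import time

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


class ReauthorizationRequired(Exception):
    """The refresh token is expired or revoked; the user must consent again."""


class TokenManager:
    def __init__(self, client_id, client_secret, refresh_token, post, clock=time.time):
        # `post(url, form) -> (status, body_text)` is an injected transport (assumption),
        # e.g. a thin wrapper around an HTTP client, so the logic can be tested offline.
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "refresh_token": refresh_token, "grant_type": "refresh_token"}
        self._post, self._clock = post, clock
        self._access_token, self._expires_at = None, 0.0

    def access_token(self, skew=60):
        # Reuse the cached access token until shortly before it expires.
        if self._access_token and self._clock() < self._expires_at - skew:
            return self._access_token
        status, body = self._post(TOKEN_URL, self._form)
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if not isinstance(data, dict):
            data = {}
        if status == 200 and "access_token" in data:
            self._access_token = data["access_token"]
            self._expires_at = self._clock() + int(data.get("expires_in", 0))
            return self._access_token
        if status in (400, 401) and data.get("error") == "invalid_grant":
            # Retrying cannot fix this: drop cached state and re-run the consent flow.
            self._access_token = None
            raise ReauthorizationRequired(data.get("error_description", "invalid_grant"))
        # Anything else (5xx, rate limiting, bad client config) is a different failure.
        raise RuntimeError(f"token endpoint returned {status}: {data.get('error')}")


# Constructed sample responses, shaped like the token endpoint's JSON.
OK = (200, '{"access_token": "ya29.constructed", "expires_in": 3599, "token_type": "Bearer"}')
REVOKED = (400, '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}')
```

A scheduled job can catch `ReauthorizationRequired` and alert the operator instead of retrying, and the error path reports only the status and error code, so the client secret and tokens never reach the logs.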