Getting access token from refresh token failing with invalid_grant error, and Bad Request OR Token has been expired or revoked as error description

Question

Using Java OAuth2 client library: scribe 1.2.0 (https://github.com/scribejava/scribejava)

I am able to get refresh token from the authorization code (i.e; by making POST call to https://accounts.google.com/o/oauth2/token with client_id, client_secret, code, scope, grant_type (authorization_code), redirect_uri parameters). And I have persisted the refresh token in DB. And we support drive and calendar scopes => so, I do store two refresh token per user (email)

And then clients will be invoking API to get access token (then I am making POST call to https://accounts.google.com/o/oauth2/token with refresh_token, grant_type (refresh_token), client_id and client_secret). And the call is successful. i.e; happy normal path works.

But eventually getting new access token from refresh token is failing with invalid_grant error code (with Bad Request OR Token has been expired or revoked as errors) (like in 2 days or 3 days etc)

Please do note that the refresh token is not revoked or invalidated explicitly by user or code. Password is not changed. Code is not changed. Client ID and secrets didn't change. I am kind of lost.

Questions

Since refresh token supposed to be a long lasting token, why my application is not able to get new access token from refresh token? Its just failing in like in 2 to 3 days - and its happening regularly in stage and production environments.
Is storing two refresh tokens based on scope (drive and calendar) - per user (email) problem (i.e; as soon as second refresh token is issued the previous refresh token expire)? [Shouldn't be the case - I do know there are limitations per user and client, per user for all clients. But, 2 is too low to reach that limit.]

Answer Finally was able to resolve it, please see the answer below comment(s) - its related to having two refresh tokens of same email for different scopes, and invalidating one of them.

Getting access token from Refresh token - PostMan

Getting refresh token from authorization code - PostMan

Relevent questions: Google token refresh returns "Token has been expired or revoked." Since couple of days Refresh token has been automatically expired

I hope this [link](https://developers.google.com/youtube/v3/guides/authentication#installed-apps) work for you. — Vivek Jain, May 21 '21 at 06:33
@VivekJain - that's a snapshot from the postman and the passing parameters as payload for POST request is working. Am able to get access tokens for my dev environment. — Dreamer, May 21 '21 at 06:44

score 3 · Answer 1 · answered May 21 '21 at 08:11

Changed password

There are serval reasons why your refresh token maybe expiring. The first one we can lockout as the cause is the user changing their password if you are using a gmail scope and the user changes their password this will cause all outstanding refresh tokens to expire.

User revoked access

If the user revokes your access directly though their Google account this will also revoke your refresh token.

Application status.

Now is your application still in testing on Google cloud console? Have you moved it to published has it been though the verification process? If not then your refresh tokens will probably be expiring after about two weeks although the time frame may have changed as this seams to be something that Google has been working on for the last serval months and there is no official word on it.

Refresh access token gives refresh token.

Another cause which actually could be the case, when you refresh the access token does it return a new refresh token. sometimes I will do this. Always check that this is the same refresh token that you use before if note then its a new one and you should store the new one. See next point for more info on why.

Max number of outstanding refresh tokens.

When a user authorizes your application using offline access you are given a refresh token, if the user authorizes your application again you are given another refresh tokens. you can keep doing this up to fifty times and all fifty refresh tokens will continue to work. As soon as you go over the magic number of fifty then the first one that was created will be expired. This is why it is important to ensure that you are always storing the most recent refresh token for a user in your database.

Dreamer · Accepted Answer · 2021-06-22T08:38:59.660

1

Basically, if your app has multiple refresh tokens for the same user (Gmail) with different scopes, invalidating one of them will invalidate all the tokens.

that turned out to be the issue as we maintain different refresh tokens based on scopes (say drive, calendar, contacts etc)

edited Jun 22 '21 at 08:38

answered May 21 '21 at 21:00

Dreamer

3,371
2
34
50