0

I'm trying to get an access token by calling https://www.googleapis.com/oauth2/v4/token with

grant_type: 'refresh_token',
client_id: GOOGLE_OAUTH_CLIENT_ID,
client_secret: GOOGLE_OAUTH_CLIENT_SECRET,
refresh_token: refreshToken

I'm sure the clientId/secret are correct, since for some refresh tokens I do get an access token, and for others I do get a notification that the token is revoked, but in some cases I'm getting

error: '400 - {"error":"invalid_grant","error_description":"Bad Request"}'

Since in some cases I do receive success/token revoked, I assume that eliminates an NTP issue.

Any ideas what else could be wrong and where to look?

Zaky
  • The actual reason does not matter. Your code must handle revoked/expired tokens and reauthenticate the user. The **invalid_grant** indicates something wrong with your code, but since you did not post your code ... – John Hanley Jun 28 '22 at 19:19
  • @JohnHanley - the same request with other refresh tokens works (produces different responses: as stated, for some tokens I do receive access tokens, for others I do receive token revoked - but for some it is just a bad request). So I'm looking for a way to investigate these cases. – Zaky Jun 29 '22 at 12:50
  • @Zaky I have provided an answer below to your question. Can you check if this helps? – Sathi Aiswarya Jul 05 '22 at 04:48

1 Answer

2

It may be that you have an invalid access token. This could be due to many causes, such as the user's account having been deactivated since the token was created, or the token being revoked or expired. Ensure that you are always using the newest refresh token.

Time is critical with regard to tokens. Ensure that you are in sync with the Google NTP server. If necessary, sync your time with Google NTP. An incorrect/incomplete refresh token will also result in an invalid grant. In order to request a refresh token you must first have requested offline access. Access tokens work for one hour; however, it is a good idea to refresh them when there are five minutes left to avoid any issues with clock skew.

Requesting an access token every time you need to access the API may also result in an invalid grant, for flooding the auth server. Google has made changes: if a user changes their password, refresh tokens that grant access to some scopes will be revoked. Here is a StackOverflow answer and a blog post that I found which explain some of the reasons this error can occur.

Also, you may try changing from the https://www.googleapis.com/oauth2/v4/token URI to https://oauth2.googleapis.com/token. The previous URI should continue to work, but the latter URI is the new default. See this GitHub

Sathi Aiswarya
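An added example, not code from the question, the answer or Google: one way to apply the points raised in this thread (cache the access token and refresh it with five minutes left, keep the newest refresh token, and treat `invalid_grant` as "reauthenticate the user" rather than something to retry). The function names, the state fields and the action labels are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Function and field names are constructed.
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh when five minutes are left

// True when no usable access token is cached; avoids a token request per API call.
function shouldRefresh(state, nowMs) {
  return !state.accessToken || nowMs >= state.expiresAt - REFRESH_MARGIN_MS;
}

// Fold one token-endpoint reply (HTTP status + raw body) into the stored state.
function applyReply(state, status, rawBody, nowMs) {
  let body = {};
  try { body = JSON.parse(rawBody) || {}; } catch { /* non-JSON body: treat as empty */ }
  if (status === 200 && body.access_token) {
    return {
      ...state,
      accessToken: body.access_token,
      expiresAt: nowMs + (body.expires_in || 0) * 1000,
      // If the server issues a replacement refresh token, keep the newest one.
      refreshToken: body.refresh_token || state.refreshToken,
      action: 'use',
    };
  }
  if (body.error === 'invalid_grant') {
    // Revoked, expired or malformed refresh token: retrying cannot succeed.
    return { ...state, accessToken: null, expiresAt: 0, action: 'reauthenticate',
             detail: body.error_description || '' };
  }
  // Anything else (5xx, invalid_client, ...) leaves the refresh token in place.
  const action = status >= 500 ? 'retry_later' : 'fix_request';
  return { ...state, action, detail: body.error || `HTTP ${status}` };
}

// Network wrapper (Node 18+ global fetch); clientId/clientSecret come from your config.
async function getAccessToken(state, clientId, clientSecret, now = Date.now) {
  if (state.action === 'reauthenticate') throw new Error('user must re-consent');
  if (!shouldRefresh(state, now())) return state;
  const res = await fetch(TOKEN_URL, {
    method: 'POST',
    body: new URLSearchParams({
      grant_type: 'refresh_token', client_id: clientId,
      client_secret: clientSecret, refresh_token: state.refreshToken.trim(),
    }),
  });
  return applyReply(state, res.status, await res.text(), now());
}
```

Persist the returned state per user and log `action` and `detail` for every non-`use` outcome, so the tokens that fail with a bare "Bad Request" can be compared by issue date and scope against the ones that succeed.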