Some (but not all) Google accounts consistently respond with a 401 when trying to access the Google Calendar API, despite tokeninfo telling me the access token I'm using has the proper scope (see curl output below). I can successfully obtain a new access token using a refresh token, but the Calendar API continues to 401.

Does anyone have an idea why this might be happening?

$ curl -v https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[redacted]
*   Trying 216.58.195.74...
* Connected to www.googleapis.com (216.58.195.74) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /oauth2/v3/tokeninfo?access_token=[redacted] HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Date: Tue, 18 Oct 2016 22:00:45 GMT
< Vary: X-Origin
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
 "azp": "[redacted].apps.googleusercontent.com",
 "aud": "[redacted].apps.googleusercontent.com",
 "sub": "[redacted]",
 "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar",
 "exp": "1476831626",
 "expires_in": "3581",
 "email": "[redacted]",
 "email_verified": "true",
 "access_type": "offline"
}
* Connection #0 to host www.googleapis.com left intact


$ curl -v https://www.googleapis.com/calendar/v3/users/me/calendarList?access_token=[redacted]
*   Trying 216.58.195.74...
* Connected to www.googleapis.com (216.58.195.74) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /calendar/v3/users/me/calendarList?access_token=[redacted] HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Vary: X-Origin
< WWW-Authenticate: Bearer realm="https://accounts.google.com/", error=invalid_token
< Content-Type: application/json; charset=UTF-8
< Date: Tue, 18 Oct 2016 22:01:14 GMT
< Expires: Tue, 18 Oct 2016 22:01:14 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "authError",
    "message": "Invalid Credentials",
    "locationType": "header",
    "location": "Authorization"
   }
  ],
  "code": 401,
  "message": "Invalid Credentials"
 }
}
* Connection #0 to host www.googleapis.com left intact
David Gouldin
  • do any of the other calls work? – Linda Lawton - DaImTo Jan 20 '17 at 09:05
  • Is it possible your refresh token is expired? – luc Jan 20 '17 at 19:38
  • @luc if the refresh token was expired, I would be able to use it to get a new access token, and the access token I already have wouldn't work for the tokeninfo endpoint. – David Gouldin Jan 20 '17 at 21:03
  • @DaImTo none of the Google Calendar API calls work. They all 401 with the same response body. – David Gouldin Jan 20 '17 at 21:13
  • The user could have revoked the refresh token altogether and then you need to reauthenticate. – luc Jan 20 '17 at 21:14
  • @luc the refresh token has not been revoked, or else I would not be able to use it to get a new access token. Also, when refresh tokens are revoked, access tokens granted using the refresh token are revoked as well. Since I'm able to successfully call tokeninfo, that's clearly not the case. – David Gouldin Jan 20 '17 at 21:38

2 Answers

I was able to reproduce the situation by creating a Google Apps user whose sub-organization has Google Calendar turned off. Google will still allow the user to grant calendar access and will indicate the scope has been granted, but will 401 in the way described when you try to call any Google Calendar API endpoint with their access token.

Google, please make your error message clearer or prevent the initial scope grant when requesting access to an app that has been turned off by an administrator!

David Gouldin

This was happening for my client, even with Google Calendar enabled.

Turns out they'd let the free 14 day trial expire, and hadn't entered a credit card for payment. Error disappeared once they'd sorted that.
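The pattern in the question and both answers is the same: tokeninfo proves the token is live and carries the calendar scope, so a 401 with reason "authError" from the Calendar API is not a token problem at all, and the fix lives on the admin side (the service turned off for the user's organizational unit, or a lapsed subscription). The helper below is an added example, not code from the original post or from Google. It separates the three checks a practitioner would otherwise run by hand (is the token valid and unexpired, does it carry the required scope, what does the API itself say) and returns a verdict with the next step to try. The sample responses are the tokeninfo body and the 401 error body captured in the question; the `fetch_json` helper and the verdict names are this example's own. It sends the bearer token in the `Authorization` header rather than in the query string, since tokens in URLs end up in proxy and server logs.

```python
"""Triage 'tokeninfo says OK, Google API says 401' (hypothetical helper)."""
import json
import time
import urllib.error
import urllib.request

CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar"
CALENDAR_LIST_URL = "https://www.googleapis.com/calendar/v3/users/me/calendarList"
TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"

# Verdicts produced by triage(); NEXT_STEP maps each to the action to take.
TOKEN_INVALID = "token_invalid"
TOKEN_EXPIRED = "token_expired"
SCOPE_MISSING = "scope_missing"
API_OK = "api_ok"
SERVICE_UNAVAILABLE_FOR_USER = "service_unavailable_for_user"
ACCESS_DENIED = "access_denied"
UNKNOWN = "unknown"

NEXT_STEP = {
    TOKEN_INVALID: "tokeninfo rejects the token: refresh it, or re-run the consent flow",
    TOKEN_EXPIRED: "token is past exp: refresh it",
    SCOPE_MISSING: "token never carried the scope: re-run consent requesting it",
    API_OK: "nothing to fix",
    SERVICE_UNAVAILABLE_FOR_USER: (
        "token is valid and scoped, so the 401 is not a token problem: check that the "
        "service is enabled for the user's organizational unit and that the domain's "
        "subscription/billing is active (see the answers above)"),
    ACCESS_DENIED: "token accepted but access denied: check the project's API enablement and the user's permissions",
    UNKNOWN: "unexpected response: inspect the body",
}

# Constructed sample data: the two responses shown in the question, trimmed.
TOKENINFO_OK = json.loads("""{
 "azp": "[redacted].apps.googleusercontent.com",
 "aud": "[redacted].apps.googleusercontent.com",
 "sub": "[redacted]",
 "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar",
 "exp": "1476831626",
 "expires_in": "3581",
 "email": "[redacted]",
 "email_verified": "true",
 "access_type": "offline"
}""")

CALENDAR_401 = json.loads("""{
 "error": {
  "errors": [{"domain": "global", "reason": "authError", "message": "Invalid Credentials",
              "locationType": "header", "location": "Authorization"}],
  "code": 401,
  "message": "Invalid Credentials"
 }
}""")


def api_error_reason(body):
    """Return error.errors[0].reason from a Google API JSON error body, or None."""
    try:
        return body["error"]["errors"][0]["reason"]
    except (KeyError, IndexError, TypeError):
        return None


def triage(tokeninfo, api_status, api_body, required_scope, now=None):
    """Classify a tokeninfo body plus an API status/body into one verdict.

    Checks run in the order a human would: token validity, expiry, scope,
    then what the API itself said. `now` is overridable for offline tests.
    """
    now = int(time.time()) if now is None else now
    if not tokeninfo or "error" in tokeninfo or "scope" not in tokeninfo:
        return TOKEN_INVALID
    if int(tokeninfo.get("exp", 0)) <= now:
        return TOKEN_EXPIRED
    if required_scope not in tokeninfo["scope"].split():
        return SCOPE_MISSING
    if api_status == 200:
        return API_OK
    if api_status == 401 and api_error_reason(api_body) == "authError":
        return SERVICE_UNAVAILABLE_FOR_USER
    if api_status == 403:
        return ACCESS_DENIED
    return UNKNOWN


def fetch_json(url, bearer_token=None):
    """GET `url`, returning (status, parsed JSON); the token goes in a header, not the URL."""
    headers = {"Accept": "application/json"}
    if bearer_token:
        headers["Authorization"] = "Bearer " + bearer_token
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


def diagnose(access_token, api_url=CALENDAR_LIST_URL, required_scope=CALENDAR_SCOPE):
    """Live version: query tokeninfo and the API, then triage the pair (network required)."""
    _, tokeninfo = fetch_json(TOKENINFO_URL + "?access_token=" + access_token)
    status, body = fetch_json(api_url, bearer_token=access_token)
    verdict = triage(tokeninfo, status, body, required_scope)
    return verdict, NEXT_STEP[verdict]
```

Run `diagnose(token)` against a real token to get the verdict and the suggested next step; with the captured responses from the question the verdict is `service_unavailable_for_user`, which is exactly the case neither refreshing nor re-consenting can fix.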