I have an app that uses the Google Calendar API and I seem to have a corrupt/defunct access token and/or refresh token which is resulting in the following error:

```
Signet::AuthorizationError

Authorization failed. Server message: { "error": "invalid_grant", "error_description": "Bad Request" }
```

Code for the authorization:

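```ruby
require "googleauth"

# CLIENT_ID, CLIENT_SECRET, CALENDAR_ID, callback_url and the two token store classes come from the app
client_id = Google::Auth::ClientId.new(CLIENT_ID, CLIENT_SECRET)
token_store = EncryptingTokenStore.new(TokenStore.new)
scope = "https://www.googleapis.com/auth/calendar"
authorizer = Google::Auth::UserAuthorizer.new(client_id, scope, token_store, callback_url)
# Loads the credentials stored under the user_id key CALENDAR_ID
authorizer.get_credentials(CALENDAR_ID)
```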

On investigation, the UserRefreshCredentials we get back from the authorizer object has an expires_at date in the past (11/01/2021). I deleted the offending refresh token that we have stored, revoked access via the Google account settings, then reauthenticated the user account with the app to reapprove offline access to Google Calendar again. This did not give me a new access and refresh token as expected. The expires_at is still 11/01/2021. We have valid refresh tokens in storage, but for some reason Google is still picking up the old details despite that refresh token no longer existing. So I need to find a way to refresh or overwrite the UserRefreshCredentials that the Google API is using.

Other steps I have tried:

I tried to refresh the token from within a production console with some methods that come with the Ruby Google client gem, but this fails with the same invalid_grant/Bad request error that is at the root of this issue.

I also tried to refresh the token with a POST request to the OAuth2 endpoint:

https://oauth2.googleapis.com/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&refresh_token=REFRESH_TOKEN&grant_type=refresh_token

but this also fails with the same invalid_grant/Bad request error.

If anyone can shed any light that would be much appreciated.

Linda Lawton - DaImTo
sledge_909
  • See if you can figure out how to add approval_prompt: :force to the authorization request; it should force the user to authorize the app again. You then need to ensure that you are storing that refresh token instead of the old one. – Linda Lawton - DaImTo Jul 26 '22 at 10:58
  • This is an internal (company) Google account, so I have the login details and I am able to revoke access and reapprove access without needing to add the approval prompt. – sledge_909 Jul 26 '22 at 12:04
  • I'm just curious as to where you are getting expires_at being 2021; if you're requesting a new token it should be now, not 2021. Revoke the user's access, and delete all the tokens you have in storage for that user. – Linda Lawton - DaImTo Jul 26 '22 at 12:12
  • I am curious too. There are lots of tokens in the database that expire in the future but for some reason it's still picking up this one from 2021 that I have since deleted and no longer exists. I will try deleting everything and revoke access -> then reapprove access as you suggest. – sledge_909 Jul 26 '22 at 12:37
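
A check on what the token store actually returns for the key passed to get_credentials, as an added example that is not part of the original question or the googleauth gem. The MemoryTokenStore class, the inspect_stored_token helper and the sample record are constructed for illustration, and the JSON field names are assumed to match what the googleauth gem writes to its token store.

```ruby
require "json"
require "digest"
require "time"

# Hypothetical in-memory stand-in for the app's own TokenStore; it offers the
# load/store/delete methods that a Google::Auth::TokenStore is expected to have.
class MemoryTokenStore
  def initialize; @rows = {}; end
  def load(id); @rows[id]; end
  def store(id, token); @rows[id] = token; end
  def delete(id); @rows.delete(id); end
end

# Summarise the record stored under user_id without printing any secret.
# Assumption: the record is JSON using the googleauth field names below.
def inspect_stored_token(token_store, user_id, now: Time.now)
  raw = token_store.load(user_id)
  return { user_id: user_id, found: false } if raw.nil?

  data = JSON.parse(raw)
  expires_at = Time.at(data.fetch("expiration_time_millis", 0) / 1000).utc
  refresh = data["refresh_token"]
  {
    user_id: user_id,
    found: true,
    client_id: data["client_id"],
    expires_at: expires_at.iso8601,
    access_token_expired: expires_at <= now,
    refresh_token_present: !refresh.to_s.empty?,
    # Short SHA-256 prefix, to compare with the row believed to be current.
    refresh_token_fingerprint: refresh && Digest::SHA256.hexdigest(refresh)[0, 12]
  }
end

# Constructed sample: a stale record under the key given to get_credentials.
SAMPLE_STORE = MemoryTokenStore.new
SAMPLE_STORE.store("calendar-id-placeholder", JSON.generate({
  "client_id" => "client-id-placeholder",
  "access_token" => "constructed-access-token",
  "refresh_token" => "constructed-refresh-token",
  "expiration_time_millis" => Time.utc(2021, 1, 11).to_i * 1000
}))

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(inspect_stored_token(SAMPLE_STORE, "calendar-id-placeholder"))
end
```

Running the helper against the same token store object the authorizer was built with, before and after deleting a row, shows whether the delete reached the record that get_credentials reads.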

0 Answers