
After googling we came to know that invalid_grant means the refresh token is invalid.

Link to google oauth doc

We don't have any of these issues mentioned by Google. Is this error related to something other than a refresh token?

More Info

We have access to read, write spreadsheet and send gmail

We fetch an access token for each request. Any help would be appreciated.

We're already in production and verified by Google.

Linda Lawton - DaImTo
Chirag Gupta

1 Answer


Without seeing the full error message, that being

Invalid_grant {Message here}

it is hard to help, but from my experience it is most often caused by one of the following.

Refresh token expired, app not in production.

There are several reasons why a refresh token can expire; the most common one currently is as follows.

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

The fix is to go to google developer console on the consent screen and set your application to production, then your refresh token will stop expiring.

invalid_grant: Invalid JWT

{ "error": "invalid_grant", "error_description": "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems." }

Your server's clock is not in sync with NTP. (Solution: check the server time; if it's incorrect, fix it.)

invalid_grant: Code was already redeemed

Means that you are taking an authentication code that has already been used and trying to get another access token / refresh token for it. Authentication codes can only be used once, and they do expire, so they need to be used quickly.

Invalid_grant: bad request

Normally means that the client id and secret you are using to refresh the access token were not the ones that were used to create the refresh token you are using.

Always store most recent refresh token.

Remember to always store the most recent refresh token. You can only have 50 outstanding refresh tokens for a single user, and the oldest one will expire. Depending upon the language you are using, a new refresh token may be returned to you upon a refresh of the access token. Also, if you request consent of the user more than once, you will get a different refresh token.

User revoked access

If the user revoked your access in their google account, your refresh token will no longer work.

User changed password with gmail scope.

If your refresh token was created with a gmail scope and the user changed their password, your refresh token will be expired.

Links

Oauth2 Rfc docs for invalid_grant error rfc6749

invalid_grant The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Linda Lawton - DaImTo
  • We're already in production – Chirag Gupta Aug 29 '22 at 10:00
  • I added a few more for you. It really depends upon the message you are getting. There's like 10 different causes for invalid_grant. Find the full error message and add it to your question. – Linda Lawton - DaImTo Aug 29 '22 at 10:01
  • Can you give me the resource to read more about it? – Chirag Gupta Aug 29 '22 at 10:09
  • Sadly I can not. Google does not document the standard OAuth error messages. This list is my personal list from using Google's OAuth server for more than ten years. Again, if you could give me the full error message I would be happy to tell you what it means. Invalid_grant what there is more to the message. As you can see by the OAuth2 RFC, invalid_grant can have a number of causes; the message will tell you the true cause – Linda Lawton - DaImTo Aug 29 '22 at 11:43
  • What is the google developer console? you mean google play console or google cloud platform console? they are different – dontknowhy Oct 26 '22 at 01:50
  • It has changed its name over the years; I guess now it is [Google cloud console](https://console.cloud.google.com/), it used to be google developer console. I need to get better at using the correct name. But it is not the same as the Google cloud platform console, nor is it google play console, or firebase console for that matter – Linda Lawton - DaImTo Oct 26 '22 at 14:42
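One way a client could act on the causes listed in the answer, as an added example that is not part of the original posts and not Google's code: it reads `error_description` to separate the cases where the stored refresh token is still usable (clock skew, reused code, wrong client) from the cases where it is not, and it always keeps the newest refresh token. The function names, cause labels, the `store` dict and the sample responses are assumptions constructed for illustration.

```python
import json

# error_description substrings quoted in the answer -> the cause the answer gives.
KNOWN_CAUSES = [
    ("invalid jwt", "clock_skew"),                 # server clock not in sync with NTP
    ("code was already redeemed", "code_reused"),  # code exchanged a second time
    ("bad request", "client_mismatch"),            # different client id/secret
]

def classify_invalid_grant(body):
    """Label a token-endpoint error body; None if it is not invalid_grant."""
    try:
        err = json.loads(body)
    except ValueError:
        return None
    if not isinstance(err, dict) or err.get("error") != "invalid_grant":
        return None
    desc = str(err.get("error_description", "")).lower()
    for needle, cause in KNOWN_CAUSES:
        if needle in desc:
            return cause
    # No distinguishing text: expired ("Testing" status, 50-token limit),
    # revoked by the user, or password change with a gmail scope.
    return "refresh_token_dead"

def handle_token_response(status, body, store):
    """Update `store` (hypothetical credential store, a dict here) from a response."""
    if status == 200:
        tok = json.loads(body)
        store["access_token"] = tok["access_token"]
        # A refresh may return a new refresh token; keep the most recent one.
        if tok.get("refresh_token"):
            store["refresh_token"] = tok["refresh_token"]
        return "ok"
    cause = classify_invalid_grant(body)
    if cause == "refresh_token_dead":
        # Retrying cannot succeed; drop it so the app asks the user for consent again.
        store.pop("refresh_token", None)
    return cause or "other_error"

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    store = {"refresh_token": "rt-constructed"}
    jwt_err = '{"error": "invalid_grant", "error_description": "Invalid JWT: Token must be a short-lived token (60 minutes)"}'
    print(handle_token_response(400, jwt_err, store), store)
    print(handle_token_response(400, '{"error": "invalid_grant"}', store), store)
```

Log the returned cause label and the full `error_description`, never the token values themselves.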