my app is not able to receive refresh token from Google anymore

Question

i have a very weird problem. I'm using the Google authentication API since moree than one month now and all working perfect. But now out of the sudden, my users can't get refresh token anymore. My app is on testing state, so i thought the refreesh token my testing user was having is expired after 7 days, but then i tried to get another refresh token by doing thee authorization from the beginning to receive a code that i use to get a refresh tokn. But no chance i'm only receiving this response back: Status code 400 { "error": "invalid_grant", "error_description": "Bad Request" }

Thank you very much for your help!

How are you getting the refresh token? Consider providing the relevant parts of the code you're using. — Iamblichus, Sep 16 '22 at 08:26
Well the user clicks on the button that is forwarding him/her to the oauth consent screen where the user checks all the premissions for the scopes. after confirming the user end up in my URI page where i have a workflow that is storaging the code and then using it in api call: https://oauth2.googleapis.com/token to get a refresh token. In the past everything worked perfectly but just out of the suddon i'm facing this challenge now — shakatechi, Sep 16 '22 at 08:32

Linda Lawton - DaImTo · Answer 1 · 2022-09-16T08:40:12.103

1

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

To stop your refresh tokens from expiring set it to production.

Why cant you refresh after seven days

What i am writing here is my opinion only from experience. There is no documented proof of any of this from googles side.

After seven days your refresh token will expire, but the question is how is google expiring these refresh tokens. From what i can see they are not using the normal method of expiring the refresh token. They are in fact revoking the users granted access on the google account. So the all of the refresh tokens granted will stop working at once.

So why are you having issues with the client library. Normally the way the client libraries were originally designed. if the refresh token expired it would prompt the user to authorize the app again. This does not happen with the seven day revoke method. IMO because the error message is different, and the libraries have not been updated to take this into account, and prompt for access again. The only way to fix it is to delete the old stored refresh token and request a new one.

So your not able to receive new refresh tokens because your code is stuck with the old one. Make sure to hard delete any old refresh tokens you have stored. They wont work and the library doesnt understand how to delete them on its own.

edited Sep 16 '22 at 08:40

answered Sep 16 '22 at 08:23

Linda Lawton - DaImTo

106,405
32
180
449

Thanks for the tip, i will implement it, but do you think this the reason that im not able to receive any refresh tokens at all? – shakatechi Sep 16 '22 at 08:33
I havent seen your code but check edit heres a guess from my side – Linda Lawton - DaImTo Sep 16 '22 at 08:40
Your comment make totally sense, i will try to delete the whole project and create a new one on googl console – shakatechi Sep 16 '22 at 08:50
no dont do that you just need to delete the refresh token stored in your code. – Linda Lawton - DaImTo Sep 16 '22 at 08:50
Do you have any experience with publishing the app and the verification process? – shakatechi Sep 16 '22 at 08:51
Publishing the app and verification are two different things completely. Setting the app to production just makes the refresh token stop expiring. Verification is needed for apps using OAuth2 outside of google workspace to verify that the app is safe for the general masses. – Linda Lawton - DaImTo Sep 16 '22 at 08:51
you mean delete the refresh token stored in my database? – shakatechi Sep 16 '22 at 08:54
exactly. delete that then run your app again it should request a new refresh token from the user. If the app has been set to production this time it shouldn't expire. – Linda Lawton - DaImTo Sep 16 '22 at 08:55
But since i setup the status of my consent to production, it shows me that i need to verify it and ever since my users cant complete the oauth any more since it showing that google need to verify it – shakatechi Sep 16 '22 at 08:56
but your using admin sdk isnt it workspace? just set the app internal – Linda Lawton - DaImTo Sep 16 '22 at 09:38
Well the app is not internal, it should be external and available for every user. (The users are Workspace admins) – shakatechi Sep 16 '22 at 12:25
Then you will have to verify it. – Linda Lawton - DaImTo Sep 16 '22 at 12:26
Yes i submitted it, but i still can use it in production until it gets verified. So my problem now is that i'm receiving code once the user authorize but this code is not valid. – shakatechi Sep 16 '22 at 12:29
Without seeing your code its hard to help more. Please edit your question and include your code. – Linda Lawton - DaImTo Sep 16 '22 at 13:12
Remember to get a refresh token that does not expire all you need to do is set it to production, this is separate from verification. Verification is needed to get more then 100 users, and to remove the this app has not been verified message at consent time. – Linda Lawton - DaImTo Dec 03 '22 at 12:18

my app is not able to receive refresh token from Google anymore

1 Answers1

Why cant you refresh after seven days