When an OAuth2Credential object tries to refresh its access_token, sometimes it gets an error of invalid_grant and then it becomes unable to be refreshed. The code I used is based on Google's Python API and Mirror API examples.
Background:
- oauth2client module for authentication and OAuth2Credential object.
- apiclient module to make calls to the Mirror API
- "https://www.googleapis.com/auth/glass.timeline" and "https://www.googleapis.com/auth/userinfo.profile"
Here is the code that is being used to call the mirror API:
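import httplib2
from apiclient.discovery import build

# credential is the user's stored OAuth2Credential object
http = credential.authorize(http=httplib2.Http())
service = build("mirror", "v1", http=http)
payload = <JSON_PAYLOAD_HERE>  # placeholder for the timeline item body
service.timeline().insert(body=payload).execute()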
When the service is called, there is the potential for it to issue a 401 which means the access_token needs to be refreshed. It then calls the refresh method which excepts with AccessTokenRefreshError with the error invalid_grant. At this point, the credential is as good as bunk, since the access_token is expired and the refresh_token will only give the same error.
I have seen pages that say this can happen due to NTP problems, but I have confirmed (and even switched NTP servers) that my servers are in sync. The other documented possibility is that only 25 refresh tokens can exist before they get recycled, but I have implemented a store() method on the Credential object so when it is refreshed, the new credentials are saved in place (I can confirm that this works as I see new information in the database when it is refreshed).
Since I can't get a user's credentials to start exhibiting this problem on demand, I can't explain any other conditions to recreate the issue other than "waiting some time". I have seen the issue happen soon after authenticating and sending one call, all the way to a week's worth of time after a hundred calls.
The only way for now to get the issue to be resolved is to ask the user to reauthorize, but that isn't a solution since I am expecting to use the APIs offline without user interaction. I'd also have no way to notify the user that they need to reauthorize.
Upvotes: 2
Answer from the comment thread: the user had toggled off the Glassware from the MyGlass website which resulted in the token being revoked.
The user needs to go through the authorization flow again in order to be able to use the Glassware by either visiting the Glassware authorization endpoint or toggling it back "on" on MyGlass if available.
Upvotes: 1
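An added example, not part of the original question or answer and not Google's or oauth2client's code: one way for an offline service to tell a revoked grant (invalid_grant, as in the answer above) from a transient refresh failure, using the token-endpoint error codes of RFC 6749 section 5.2. The record schema, state names and function names are assumptions made for illustration.

```python
import json

# Error codes defined for token-endpoint failures in RFC 6749 section 5.2.
REVOKED = {"invalid_grant"}  # refresh token revoked, expired or otherwise invalid
APP_FAULT = {"invalid_client", "unauthorized_client", "invalid_request",
             "unsupported_grant_type", "invalid_scope"}

def classify_refresh_response(status, body):
    """Map a token-endpoint reply to 'ok', 'reauthorize', 'app_fault' or 'retry'."""
    if status == 200:
        return "ok"
    try:
        error = json.loads(body).get("error")
    except (ValueError, AttributeError, TypeError):
        error = None  # body is not the JSON error object
    if not isinstance(error, str):
        error = None
    if error in REVOKED:
        return "reauthorize"
    if error in APP_FAULT:
        return "app_fault"  # client configuration problem, not the user's grant
    return "retry"  # 5xx replies, proxy error pages, truncated bodies

def apply_refresh_result(record, status, body):
    """Update one stored credential record (a dict, hypothetical schema) in place."""
    outcome = classify_refresh_response(status, body)
    if outcome == "ok":
        record.update(access_token=json.loads(body)["access_token"],
                      state="active", failures=0)
    elif outcome == "reauthorize":
        # The grant is gone: drop the dead secrets and stop background calls
        # until the user completes the authorization flow again.
        record.update(access_token=None, refresh_token=None,
                      state="needs_reauthorization")
    else:
        record["failures"] = record.get("failures", 0) + 1
    return outcome

if __name__ == "__main__":
    # Constructed sample responses, not captured from Google.
    rec = {"user": "u1", "access_token": "old", "refresh_token": "rt",
           "state": "active"}
    print(apply_refresh_result(rec, 503, "upstream error"), rec["state"])
    print(apply_refresh_result(rec, 400, '{"error": "invalid_grant"}'), rec["state"])
```

A record left in the needs_reauthorization state gives the application a durable flag to show the next time the user visits, instead of retrying a refresh that can no longer succeed.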