Reputation: 31
Google API Invalid grant on one-time auth code from GoogleAuthUtil.getToken
I'm using GoogleAuthUtil.getToken() to get a one-time code in an Android app, which is then sent to our server. Our server then exchanges this for an access token, and uses this to get the users e-mail.
This seems to work. But, if I do the following:
- Get the one-time code
- Send it to server
- Consume it, and authenticate the user
- Wipe Android app data (making it forget the authentication
- Get the one-time code
The second one-time code is actually identical to the first.
This has now already been consumed once, so the server gets the following error when trying to exchange it for an access token the second time:
Error:"invalid_grant", Description:"Invalid code.[Email:
Token Record:
Token: "4/aQQ_nbklfajrilawjvlkasjvVMD.AMsaNNC-gdsai3gJDIAvajvkrelwiDDI"
IssueDomain: "123456789012-1231231564adsafdas1f23a45fd6sad2.apps.googleusercontent.com"
IssueTimeSec: 1387110988
ExpirationTime: 1387111588
TokenUsage: 3
Scope: "https://www.googleapis.com/auth/plus.login"
Scope: "https://www.googleapis.com/auth/userinfo.email"
Scope: "https://www.googleapis.com/auth/plus.moments.write"
Scope: "https://www.googleapis.com/auth/plus.me"
Scope: "https://www.googleapis.com/auth/plus.profile.agerange.read"
Scope: "https://www.googleapis.com/auth/plus.profile.language.read"
Scope: "https://www.googleapis.com/auth/plus.circles.members.read"
ServiceInfo {
ServiceId: 123
Info <
[13245678] <
0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 0x09 0x0a
>
>
}
ServiceInfo {
ServiceId: 226
Info <
[security_lso_auth_oauth2.EarlyIssuedTokenProto] <
auto_approved: false
access_token: "fd12.a.Afdsa1eawfdsa2avi_f1ds2af15eaw61f2ag45a6v8-1f3ds2af5ew6a12-ad5A"
refresh_token: "2/da4ge5a4f5dsav-fsa54fe4wa5f_dfasenU-dsaddew"
>
>
}
Revoked: true
AuthorizedBy: 0x1234567890
OAuthCallbackUrl: "urn:accounts.google.com:api_auth:programmatic:virtual_redirect_uri"
OfflineAccess: true
RevokeOnPasswordChange: true
ClientManagedRevocation: false
InBundle: true
]", Uri:""
(sensitive data is replaced with random values)
I see the ExpirationTime has not yet been reached (10 minutes validity), but shouldn't a one-time code be returned only once from GoogleAuthUtil.getToken()?
This may not be an issue in a deployment situation, since most users would only log in once, so is this by design? Should I handle it in any way on the server, or just accept that this will occur?
Upvotes: 3
Views: 952
Answers (1)
Reputation: 21
Seems using GoogleAuthUtil.invalidateToken(context, token) can invalidate the token. You can then request a new token by calling getToken() next time. But this requires to add user permission android.permission.MANAGE_ACCOUNTS.
Upvotes: 2
Related Questions
- invalid_grant trying to get OAuth token from Google
- getting Google oauth authorization token from Android- return with invalid_scope/ Unknown error
- Getting invalid grant while fetching access token from Google Oauth
- Google OAuth "error": "invalid_grant" response to request to exchange one time auth code for refresh and access token
- GoogleAuthUtil.getToken returns invalid authentication code
- GoogleAuthUtil.getToken() method throws IllegalStateException
- OAuth2 invalid_token when verifying Google Sign In with getIdToken() and getServerAuthCode()
- Invalid grant error is being thrown while retrieving accessToken for Google Service account request
- Oauth 2 fails to exchange code for access token, returns "invalid_grant"
- Google authentication return invalid grant