Google OAuth, handle a revoked authorization

Question

I've been using Google OAuth to let users authorize access to the Calendar Service for my Web Application. After a successful 3-legged auth flow, I was storing all user's credentials in a common file on the app Server. The next time the app needs to use the service, it will check if the credentials exist, and if yes, it will assume they are valid

code works like that

@Override
public void _authorize(String userId) throws IOException {

    // Check if user has already authorised the service.
    Credential credents = flow.loadCredential(userId);

    // Checking if the given user is not authorized
    if (credents == null) {

        //Create credentials now. user will be redirected to authorise 

        try {
            //Creating a LocalServer Receiver
            // Getting the redirect URI
            // Creating a new authorization URL
            // Setting the redirect URI
            // Building the authorization URL
            // Receiving authorization code
            // Exchanging it for an access token

            // Storing the credentials for later access
            credents = flow.createAndStoreCredential(response, id);

        } finally {
            // Releasing resources
        }
    } else {
        // Assume the credentials are valid. so there's nothing left to do here, let's get that client
        //Update: Nooooooot! the user might have revoked the authorization, so credents != null BUT they are invalid
        //TODO: handle an Exception here, and manage the revoked credentials 
    }

    // Setting up the calendar service client
    client = new com.google.api.services.calendar.Calendar.Builder(httpTransport, jsonFactory, credents).setApplicationName(APPLICATION_NAME)
            .build();

}

This works fine, as long as the user never changes his mind. But if the user decides to manually revoke the authorization using the Google Account security options, the com.google.api.services.calendar.Calendar retrieval will Fail.

My question is :

1. Is there a way to check if the credentials are still valid, before trying to use them ? Else, I can only guess that the failure to get the client object, is the only way to have my portal realize that the credentials are no more valid ?
2. What should I do about the invalid/revoked credentials ? should I just call flow.createAndStoreCredential and they are going to be overwritten? Or do I have to delete the old ones first ? (how ?)

Answer 1

You could check token with tokeninfo and if token is not valid: - remove credential from datastore - invoke new auth

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException 
{
    UserService userService = UserServiceFactory.getUserService();

    if (userService.isUserLoggedIn()) {
        User user = userService.getCurrentUser();
        log.info(String.format("LoggedUser: %s %s", user.getEmail(), user.getUserId()));
        Credential credential = this.getCredential();
        Tokeninfo tokenInfo = OAuth2Utils.getTokenInfo(credential, null);
        if (tokenInfo != null)
            log.info(String.format("Token expires in: %d", tokenInfo.getExpiresIn()));
        else {
            OAuth2Utils.deleteCredential(user.getUserId());
            response.sendRedirect(request.getRequestURI()); // recall this servlet to require new user authorization
            return;
        }
}

public static Tokeninfo getTokenInfo(Credential credential, String accessToken) {
    Oauth2 service = new Oauth2.Builder(new NetHttpTransport(), Constant.JSON_FACTORY, credential).setApplicationName(Constant.APP_NAME).build();
    Tokeninfo tokenInfo = null;
    try {
        tokenInfo = service.tokeninfo().setAccessToken( accessToken == null ? credential.getAccessToken() : accessToken ).execute();
    } catch (IOException e) {
        log.warning("An error occurred: " + e);
    }
    return tokenInfo;
}

Answer 2

You can use the refreshToken() method for this. See example:

// Fetch credential using the GoogleAuthorizationCodeFlow
GoogleAuthorizationCodeFlow authorizationCodeFlow;
Credential credential = authorizationCodeFlow.loadCredential(userId);
if (credential != null) {
    try {
        // refresh the credential to see if the refresh token is still valid
        credential.refreshToken();
        System.out.println("Refreshed: expires in: " + credential.getExpiresInSeconds());
    } catch (TokenResponseException e) {
        // process exception here.
        // This will catch the Exception.
        // This Exception contains the HTTP status and reason etc.
        // In case of a revoke, this will throw something like a 401 - "invalid_grant"
        return;
    }
} else {
    // No credential yet known.
    // Flow for creating a new credential here
}

EDIT If you indeed have an invalid refresh token and you want to renew it, then you need to repeat the steps that you did in the first place to get the credentials. So:

• genererate a new authorization URL
• redirect the user to it
• user accepts the consent screen
• catch the authorization code from the redirect back to your app
• request a new token from Google using the authorization code
• create and store a new Credential using the response from Google

No need to delete the old credential. But if you want to explicitly do so, it is possible. Something like:

// This userId is obviously the same as you used to create the credential
String userId = "john.doe";
authorizationCodeFlow.getDataStore().delete(userId);

Answer 3

You can use the endpoint https://www.googleapis.com/oauth2/v1/tokeninfo to determine if an OAuth2 token is still valid. More information is available in the OAuth2 guide.

Answer 4

Answer to the first question:

When using the Service object for retrieving calendar items from Google Calendar, the token are automatically verified. When they are invalid, they will be refreshed automatically, and stored in the datastore you provided to the flow.

this can also be done manually. A token is valid for 3600 seconds (one hour). When retrieving a token you get this value with the timestamp when it was issued. You could manually determine if a token is valid. If it is not valid call the following async method.

await credents.RefreshtokenAsync(CancellationToken.None);

This function gets you fresh tokens, and stores them in the datastore you provided.