Reputation: 11
I built a platform in PHP that enables users to create their own websites. To connect the site owners to Google services (specifically Google Analytics), I created a Google application for my site users to connect to their account. This is done through Google's API V3/OAuth2.
The flow is:
The problem:
There is a limit of 25 on the number of refresh tokens I can have per application. When the 26th user logs in (and receives a new refresh token), the first refresh token becomes inactive.
The Error message:
error: 1401351409|4794
[Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }']
I am getting this after making the refresh token request to the API.
Is there any way to overcome this limit? Is there any other way I can get the desired outcome?
Upvotes: 1
Views: 738
Reputation: 701
From what I understand from Google's OAuth2 documentation, this is the issue you are experiencing:
There is currently a 25-token limit per Google user account. If a user account has 25 valid tokens, the next authentication request succeeds, but quietly invalidates the oldest outstanding token without any user-visible warning.
I am pretty sure refresh tokens are unique to a client ID/user ID/application scope combination. When you are issued a refresh token, you should be storing that refresh token for that particular user in a database, rather than generating new ones. When the user's original access token expires, your application should be pulling the user's corresponding refresh token from the database and generating a new access token/refresh token for the next usage.
With the correct flow, you should not come close to reaching the refresh token limit.
Hope this helps!
Upvotes: 1
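An added example of the flow the answer describes (this is not code from the question, the answer, or the Google client library itself): keep one refresh token per site owner, reuse it whenever the access token expires, and only send the owner back through consent when Google rejects the stored token with `invalid_grant`. It assumes the google/apiclient v2 library, a MySQL table `google_tokens(user_id, refresh_token, access_token_json)` reached through a PDO handle `$pdo`, and a client-secret path; the table, column and function names are assumptions.

```php
<?php
// Added example; assumes google/apiclient v2 (composer require google/apiclient)
// and a MySQL table google_tokens(user_id, refresh_token, access_token_json).
require 'vendor/autoload.php';

function makeClient(): Google_Client {
    $client = new Google_Client();
    $client->setAuthConfig('/path/to/client_secret.json'); // placeholder path
    $client->addScope('https://www.googleapis.com/auth/analytics.readonly');
    $client->setAccessType('offline'); // required to be issued a refresh token at all
    $client->setPrompt('consent');     // Google returns refresh_token only on consent
    return $client;
}

// Called once, on the OAuth2 redirect back from Google with ?code=...
function storeInitialTokens(PDO $pdo, int $userId, string $code): void {
    $client = makeClient();
    $token = $client->fetchAccessTokenWithAuthCode($code);
    if (isset($token['error'])) {
        throw new RuntimeException('Auth code exchange failed: ' . $token['error']);
    }
    // The refresh token arrives with the first consent; persist it per user.
    $stmt = $pdo->prepare('REPLACE INTO google_tokens (user_id, refresh_token, access_token_json) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $token['refresh_token'], json_encode($token)]);
}

// Called before every API request: reuse the stored refresh token instead of
// sending the owner through consent again (repeated consent is what piles up tokens).
function clientForUser(PDO $pdo, int $userId): Google_Client {
    $stmt = $pdo->prepare('SELECT refresh_token, access_token_json FROM google_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        throw new RuntimeException('User has not connected a Google account yet');
    }
    $client = makeClient();
    $client->setAccessToken(json_decode($row['access_token_json'], true));
    if ($client->isAccessTokenExpired()) {
        $new = $client->fetchAccessTokenWithRefreshToken($row['refresh_token']);
        if (isset($new['error'])) {
            // invalid_grant: token revoked or evicted. Drop it so the owner is asked to re-authorize.
            $pdo->prepare('DELETE FROM google_tokens WHERE user_id = ?')->execute([$userId]);
            throw new RuntimeException('Refresh rejected (' . $new['error'] . '); user must re-authorize');
        }
        // A refresh response normally omits refresh_token; keep the one we already have.
        $new['refresh_token'] = $new['refresh_token'] ?? $row['refresh_token'];
        $pdo->prepare('UPDATE google_tokens SET access_token_json = ? WHERE user_id = ?')
            ->execute([json_encode($new), $userId]);
    }
    return $client;
}
```

The refresh token is a long-lived credential for the owner's Google account, so the `google_tokens` table should be treated like a password store (encrypted at rest, never logged).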