Using Refresh Token Exception { "error" : "invalid_grant" }'

Question

I've successfully built an application that fetches an access and refresh token.

In my script I check if the access token is valid and if not I then use the refresh token to gain access $client->refreshToken($refreshToken);

Code in full,

    $refreshToken = '<REFRESH_TOKEN>';

    $client_id = '<CLIENT_ID>';
    $client_secret = '<CLIENT_SECRET>';

    // Setup infomation
    $client = new Google_Client();
    $client->setClientId($client_id);
    $client->setClientSecret($client_secret);
    $client->setAccessType("offline");
    $client->addScope("https://mail.google.com/");

    // If access token is not valid use refresh token
    if($client->isAccessTokenExpired()) {

        // Use refresh token
        $client->refreshToken($refreshToken);

    } else {

        // Use access token
        echo $client->setAccessToken($accessToken);

    }

However when trying to use the refresh token I get an excpetion :

Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }''

Answer 1

Refresh token need to be use only once, if you are using the same refresh token multiple times you will get an error as well

Answer 2

Going to add one more item to the list that hasn't been mentioned:

The Refresh Token received from the original request could be URL encoded (eg. "1//..." would be "1%2F%2F...").

Make sure you use a decoded version. If not, you could end up with a double-encoded refresh token sent to the server, resulting in an invalid_grant error.

Answer 3

"invalid_grant" can be due to an expired/invalid refresh token. In my case, it had an extra space too much at the end.

Answer 4

Google now has a dedicated page in their API guide for this error where it says there are only 2 reasons for this...

• Your server's clock is not in sync with network time protocol - NTP.
• The refresh token limit has been exceeded.

The limit for each unique pair of OAuth 2.0 client and Google Analytics account is 25 refresh tokens. If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid.

Answer 5

In the OAuth2 spec, "invalid_grant" is sort of a catch-all for all errors related to invalid/expired/revoked tokens (auth grant or refresh token).

There's a lot potential causes for the problems, here's a checklist:

1. Server clock/time is out of sync
2. Not authorized for offline access
3. Throttled by Google
4. Using expired refresh tokens
5. User has been inactive for 6 months
6. Use service worker email instead of client ID
7. Too many access tokens in short time
8. Client SDK might be outdated
9. Incorrect/incomplete refresh token
10. User has actively revoked access to our app
11. User has reset/recovered their Google password

I've written a short article summarizing each item with some debugging guidance to help find the culprit. We spent days hunting this down, hope it may help others turn those days into hours.

Answer 6

As everyone is telling you as far as I know that error could be caused by 2 reasons:

1. Refresh Token is not valid anymore
2. Refresh Token is wrong - maybe some characters hidden that code is adding somehow.

I had that issue before (same error message) and turns out my Refresh Token got expired.

Answer 7

The reason of the "Invalid grant" error may be due to the refresh token not working. This could be because When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant error response is returned.Here is the link for more documentation.