Error refreshing the OAuth2 token @ Google_CalendarServices (php)

Question

i know there are many similar questions, where the 'invalid_grant' is the only 'answer' we got from google api, but all them are old, or discussing different ways of getting to the same message.

The weird part is, that this 'thing' only stopped working for 2 days ago. In our CRM we book meetings into GoogleCalendars associated with our GoogleAccount. Now in the last 2 days we are experiencing problems, never happend before.

The application fails like this:

Fatal error:  Uncaught exception 'Google_AuthException' with message 'Error refreshing the OAuth2 token, message: '{"error" : "invalid_grant";}

Stack trace:

#0 /path/to/plugins/google-api-php-client/src/auth/Google_OAuth2.php(240): Google_OAuth2->refreshTokenRequest(Array)
#1 /path/to/plugins/google-api-php-client/src/auth/Google_OAuth2.php(217): Google_OAuth2->refreshToken('1/ourtoken...')
#2 /path/to/plugins/google-api-php-client/src/service/Google_ServiceResource.php(167): Google_OAuth2->sign(Object(Google_HttpRequest))
#3 /path/to/plugins/google-api-php-client/src/contrib/Google_CalendarService.php(494): Google_ServiceResource->__call('insert', Array)

This is the actual http answer:

Google_HttpRequest Object
(
    [batchHeaders:Google_HttpRequest:private] => Array
        (
            [Content-Type] => application/http
            [Content-Transfer-Encoding] => binary
            [MIME-Version] => 1.0
            [Content-Length] => 
        )

    [url:protected] => https://accounts.google.com/o/oauth2/token
    [requestMethod:protected] => POST
    [requestHeaders:protected] => Array
        (
            [content-type] => application/x-www-form-urlencoded
            [content-length] => 196
        )

    [postBody:protected] => client_id=111111111.apps.googleusercontent.com&client_secret=secretSECTRETsecretSECRET&refresh_token=1%2FveryLONGtokenSTRINGhafbuaADDFR&grant_type=refresh_token
    [userAgent:protected] => Google Calendar PHP Starter Application google-api-php-client/0.6.0
    [responseHttpCode:protected] => 400
    [responseHeaders:protected] => Array
        (
            [content-type] => application/json; charset=utf-8
            [cache-control] => no-cache, no-store, max-age=0, must-revalidate
            [pragma] => no-cache
            [expires] => Mon, 01 Jan 1990 00:00:00 GMT
            [date] => Thu, 10 Nov 2016 01:05:15 GMT
            [x-content-type-options] => nosniff
            [x-frame-options] => SAMEORIGIN
            [x-xss-protection] => 1; mode=block
            [server] => GSE
            [alt-svc] => quic=":443"; ma=2592000; v="36,35,34"
            [accept-ranges] => none
            [vary] => Accept-Encoding
            [transfer-encoding] => chunked
        )

    [responseBody:protected] => {
  "error" : "invalid_grant"
}
    [accessKey] => 
)

Yes we are using an older version not anything new. Yes the account is live, the calendar into which we are trying to insert is existing. No privileges or passwords were changed/reset. We tried all our calendars - no success at all. And i tried also some minor changes/hacks I found here like not using developer key, set access type to offline, synchronizing server time and so on...

Actually we did nothing with the whole thing before it broke. So there is one question: did Google changed something in the behaviour/code or something? Or did we miss something (like deprecated/deleted functions)?

EDIT #1

One of my colleges did change something in fact. (More on that at the end of edit section)

So we have one 'main' google account, wit developer key and clientid and everything -> and this account also has 1 calendar.

Than we have multiple other google accounts for our co-workers. We have grants from main calendar to their calendars and vice-versa. In our CMS we try to add an event (hence insert on Google_CalendarService) to one of the co-workers calendar.

So one of our co-workers quit the job, and my college change HIS password. And removed grants. Well it happend Monday at 16:00 and Tuesday morning we got the first error. Could this one google account's change affect the behaviour of all other, resp. the behaviour of the main calendar account???

-- end of EDIT #1

If anyone experienced something similar like this and managed to fix, please give some advise. Thank you!

Answer 1

I've had the same issue with an old app I made. By regenerating the client secret and developer key just to be safe the app works again, anything else you will try will fail. Sadly a wasted morning.

Answer 2

11/17/2016 Update:

We did find an issue that resulted in some tokens being purged. We are working on to make sure it doesn't happen again. Unfortunately there is no way to restore the tokens that were deleted and your users will have to reauthorize again.

---

We (Google Identity team) are investigating the issue as a few other developers have contacted us as well. In order to speed up debugging, could you IM me through my G+ profile so I can get some info and investigate.

"did Google changed something in the behaviour/code or something? " the answer is no there was no intentional change.

Answer 3

Good news everyone (who cares at all)!

After endless digging and try&fails, I found out that google had in fact blocked our old access token. Maybe it was the password change and grant removal from our side, maybe it was the ex-co-workers attempt to revoke or reset something, not sure. But the token was not active anymore.

After some small challanges with the Oauth2 Playground I've set up a connection with our API credentials, and got the new connection preferences (new access token and new refresh tokens)

Special thanks and a big shout out to @DaImTo for pointing out, that it's probably the inactive/old token what is causing this issue.

@Google: please add meaningful error messages and error descriptions, it will be much cooler to lose some minutes to hours as 2-3 days to solve 'minor' but critical issues like this one!

I hope this post will help someone once in the future. Peace!