Tags: google-cloud-platform, oauth-2.0, google-oauth, google-identity

Why did my OAuth 2.0 client ID expire automatically?


Execute the Compute Engine API (GET https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances/{resourceId}) with an OAuth 2.0 client ID.

I created an OAuth 2.0 client ID and got an access_token and refresh_token by following the steps on this site:

Obtaining OAuth 2.0 access tokens

Refreshing an access token (offline access)

I can execute the API with the refreshed access_token.

After 3 days, I ran this step again:

https://developers.google.com/identity/protocols/oauth2/web-server#offline

The response was:

```json
{
  "error": "invalid_grant",
  "error_description": "Token has been expired or revoked."
}
```

Why did the refresh_token expire? The documentation says:

refresh_token A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access. Again, this field is only present in this response if you set the access_type parameter to offline in the initial request to Google's authorization server.


Solution

  • There are a lot of things which can cause a refresh token to expire.

    1. You are using a Gmail scope and the user changed their password.
    2. It has not been used in six months.
    3. The user has revoked your access in their Google account.
    4. If the user runs your app you get a refresh token; if they run it again you get a different refresh token. You can do this up to 50 times and get new refresh tokens and they will all work; after number 50 the first one will expire. Make sure you are always saving the most recent refresh token.
    5. Your app is currently in testing, has not been set to published, and has not been through the verification process.

    Documentation link for expiration
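The refresh step from the question, written so the app treats `invalid_grant` as "re-run the consent flow" and always persists the newest refresh token (item 4 above). This is an added example, not code from the question or answer; it assumes Google's token endpoint at https://oauth2.googleapis.com/token and the refresh_token grant from the linked docs, and the `post` transport is injectable so the logic can be exercised offline.

```python
# Added example, not code from the question or answer. Assumes Google's token
# endpoint and the refresh_token grant; ``post`` is injectable for offline use.
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"


class ReauthorizationRequired(Exception):
    """Refresh token is expired or revoked: the user must consent again."""


def http_post(url, form):
    """Form-encoded POST returning (status, body); HTTP errors are returned,
    not raised, so the JSON error body can be inspected."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def refresh_access_token(store, client_id, client_secret, post=http_post):
    """Exchange store["refresh_token"] for a new access token, updating
    ``store`` (the app's persisted token record) in place. A refresh_token
    in the response replaces the stored one (answer item 4)."""
    status, body = post(TOKEN_URL, {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": store["refresh_token"],
        "grant_type": "refresh_token",
    })
    payload = json.loads(body)
    if status != 200:
        if payload.get("error") == "invalid_grant":
            # The response quoted in the question: retrying cannot help, so
            # drop the dead tokens and make the app re-run the consent flow.
            store.pop("access_token", None)
            store.pop("refresh_token", None)
            raise ReauthorizationRequired(payload.get("error_description", ""))
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    store["access_token"] = payload["access_token"]
    if "refresh_token" in payload:
        store["refresh_token"] = payload["refresh_token"]
    return store["access_token"]
```

Catching `ReauthorizationRequired` at the call site and redirecting the user back to the authorization URL is the only recovery; no number of retries against the token endpoint will revive a revoked or expired refresh token.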