Tags: google-api, google-api-php-client

Google API revoked grants in unverified app


Our app uses several different Google APIs. The app requests offline access for Google Search Console And Google Analytics.

Every now and then the grants given by users are revoked. Several users' grants are revoked, not at the same time, but in a timespan of a couple of days.

I've checked all the usual suspects, but nothing matches. Take my own account for example. I hadn't logged in for a week but all of a sudden my grants had been revoked. I verified that they were revoked in my Google account. So after a week of working, making offline requests, all the grants were revoked, except the basic one.

I'm using the Google PHP API package, attaching the access token object to every request.

// Build the client from the downloaded OAuth client secret JSON
$this->client = new \Google_Client();
$this->client->setAuthConfig(env("GOOGLE_CLIENT_SECRET_JSON_PATH"));
$this->analyticsService = new \Google_Service_Analytics($this->client);

// Attach the token object stored for this user (access + refresh token)
$this->client->setAccessToken($user->google_access_token_object);

I'm also setting a callback for the request.

// Called by the client after it refreshes the access token; copy the new
// values from the cache back into the token object stored for the user
$client->setTokenCallback(function($cacheKey, $accessToken) use ($user, $client) {
    $cacheEntry = $client->getCache()->getItem($cacheKey)->get();
    $googleAccessTokenObject = json_decode($user->google_access_token_object, true);
    $googleAccessTokenObject["access_token"] = $cacheEntry["access_token"];
    $googleAccessTokenObject["expires_in"] = $cacheEntry["expires_in"];
    $googleAccessTokenObject["scope"] = $cacheEntry["scope"];
    $googleAccessTokenObject["token_type"] = $cacheEntry["token_type"];
    $googleAccessTokenObject["id_token"] = $cacheEntry["id_token"];
    $googleAccessTokenObject["created"] = time();
    // Google only sends a refresh token on the initial grant, so keep the old one
    if(!empty($cacheEntry["refresh_token"])) {
        $googleAccessTokenObject["refresh_token"] = $cacheEntry["refresh_token"];
    }

    $user->google_access_token_object = json_encode($googleAccessTokenObject);
    $user->save();
});

This works without problems for weeks, but then it's like Google decides to revoke every extra grant given to the application.

None of the points brought up in this article are valid for us: https://blog.timekit.io/google-oauth-invalid-grant-nightmare-and-how-to-fix-it-9f4efaf1da35

Since more than one account is affected during a timespan of a couple of days (this has happened multiple times) it doesn't seem to be an account based issue, but rather an application level issue.

The app in Google developer console has the "Publishing status" set to testing. I haven't found any info claiming that would be an issue though.


Solution

  • There are several reasons why a refresh token will expire. The most common one these days is:

    A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

    Actually, they have the consent revoked after seven days, which basically causes all refresh tokens to expire.

    So the solution is to set your project to production. No, this does not mean you need to verify it; that is a separate setting.

    Once your project is set to production, your refresh tokens will stop expiring.

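An added example, not code from the question or the answer, that ties the two together from the operating side: it keeps the same token-object shape the question stores, but records when consent was granted (the question's callback resets "created" on every refresh, so the stored object cannot tell you how old the grant is), classifies the token endpoint's reply so a revoked grant ("invalid_grant") is distinguished from a transient failure, and refuses to hammer the token endpoint with a refresh token that the answer's 7-day rule says is already dead. Plain PHP with no dependency on the Google client; the "granted_at" field, the "testing"/"production" status strings, the function names and the token arrays are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example; not part of the original question or answer.
// Lifetime of a refresh token issued to an external app in "Testing" status
// (the 7-day rule quoted in the answer).
const TESTING_REFRESH_TOKEN_LIFETIME = 7 * 24 * 60 * 60;

/**
 * Merge a freshly fetched token into the stored token object.
 * Compared with the question's callback this also keeps "granted_at"
 * (assumed field name): "created" is reset on every refresh and therefore
 * says nothing about the age of the user's consent. The refresh token is
 * only replaced when Google actually sends a new one.
 */
function mergeRefreshedToken(array $stored, array $fresh, int $now): array
{
    $merged = $stored;
    foreach (['access_token', 'expires_in', 'scope', 'token_type', 'id_token'] as $key) {
        if (array_key_exists($key, $fresh)) {
            $merged[$key] = $fresh[$key];
        }
    }
    $merged['created'] = $now;
    if (!empty($fresh['refresh_token'])) {
        $merged['refresh_token'] = $fresh['refresh_token'];
        $merged['granted_at'] = $now; // a new refresh token means a new grant
    }
    $merged['granted_at'] = $merged['granted_at'] ?? $now;
    return $merged;
}

/**
 * Classify the body returned by the token endpoint. A successful reply
 * carries "access_token"; a failed one carries "error" instead.
 */
function classifyTokenResponse(array $response): string
{
    if (isset($response['access_token'])) {
        return 'ok';
    }
    $error = $response['error'] ?? 'unknown';
    // "invalid_grant" is what an expired or revoked refresh token produces;
    // the only recovery is to send the user through the consent flow again.
    if ($error === 'invalid_grant') {
        return 'reconsent_required';
    }
    // Anything else (network trouble, 5xx, invalid_client) should be retried
    // or investigated, not recorded as a lost grant.
    return 'transient_or_config_error';
}

/**
 * Decide what to do with a stored token before an offline request.
 * $publishingStatus is the consent screen's publishing status ("testing" or
 * "production"); under "testing" the refresh token dies after 7 days.
 */
function tokenAction(array $stored, string $publishingStatus, int $now): string
{
    if (empty($stored['refresh_token'])) {
        return 'reconsent_required';
    }
    $grantAge = $now - ($stored['granted_at'] ?? $stored['created'] ?? $now);
    if ($publishingStatus === 'testing' && $grantAge >= TESTING_REFRESH_TOKEN_LIFETIME) {
        return 'reconsent_required'; // a refresh would only come back as invalid_grant
    }
    $accessAge = $now - ($stored['created'] ?? 0);
    if ($accessAge >= (int) ($stored['expires_in'] ?? 0)) {
        return 'refresh';
    }
    return 'use_access_token';
}

// Constructed sample: consent given 8 days ago, access token two hours old.
$now = 1700000000;
$stored = [
    'access_token'  => 'ya29.sample-access-token',
    'refresh_token' => '1//sample-refresh-token',
    'expires_in'    => 3599,
    'created'       => $now - 7200,
    'granted_at'    => $now - 8 * 24 * 60 * 60,
    'scope'         => 'https://www.googleapis.com/auth/analytics.readonly',
    'token_type'    => 'Bearer',
];

echo tokenAction($stored, 'testing', $now), PHP_EOL;
echo tokenAction($stored, 'production', $now), PHP_EOL;

// Constructed token-endpoint error body for a revoked grant.
$errorBody = ['error' => 'invalid_grant', 'error_description' => 'Token has been expired or revoked.'];
echo classifyTokenResponse($errorBody), PHP_EOL;

// Constructed successful refresh (no new refresh token, as is usual).
$fresh = ['access_token' => 'ya29.new-token', 'expires_in' => 3599, 'token_type' => 'Bearer'];
$updated = mergeRefreshedToken($stored, $fresh, $now);
echo ($updated['refresh_token'] === $stored['refresh_token']) ? 'refresh token kept' : 'refresh token replaced', PHP_EOL;
```

With the real client, the array to hand to classifyTokenResponse() is the one returned by Google_Client::fetchAccessTokenWithRefreshToken(); if your HTTP layer throws on a 4xx instead, catch the exception and treat its body the same way. Logging the "reconsent_required" outcome together with the grant age is what makes the pattern in the question visible: every affected user sitting at roughly seven days since consent points at the publishing status rather than at individual accounts.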