Google oauth refresh token not automatically refreshing with offline access

abd
Bronze 1

Hello all,

In our application we have the following code for requesting oauth permissions for our relevant scope

 

```
import { google } from 'googleapis';
import dotenv from 'dotenv';

dotenv.config();

// defineEventHandler is auto-imported by the Nuxt (h3) server runtime this route lives in.
export default defineEventHandler((event) => {
  return generateAuthUrl();
});

const CLIENT_ID = process.env.CLIENT_ID;
const CLIENT_SECRET = process.env.CLIENT_SECRET;
const REDIRECT_URI = process.env.REDIRECT_URI;

// The actual scopes were left out of the post.
const scopes = [
];

const oAuth2Client = new google.auth.OAuth2(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);

// access_type: 'offline' asks Google to issue a refresh token alongside the access token.
async function generateAuthUrl() {
  const authorizeUrl = oAuth2Client.generateAuthUrl({
    access_type: 'offline',
    scope: scopes,
  });
  return authorizeUrl;
}
```

I understand that if you request access_type: 'offline', then when using the Google SDK, if a refresh_token has expired, the SDK will automatically request a new refresh token to complete the offline API call.

For most of our users this is 'seemingly' happening correctly, but for one particular user, when trying to request access to a resource for the available scope, we get the following error:

 

```
GaxiosError: invalid_grant
    at Gaxios._request
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async OAuth2Client.refreshTokenNoCache
  response: {
    config: {
      method: 'POST',
      url: 'https://oauth2.googleapis.com/token',
      data: ...
      headers: [Object],
      paramsSerializer: [Function: paramsSerializer],
    data: {
      error: 'invalid_grant',
      error_description: 'Token has been expired or revoked.'
    },
```


Hi, 

There are 2 things that could have happened that resulted in an invalid grant in your case that I can see, assuming that the user did not change his credentials and there is no security breach.

First is Failure in Refreshing Token:

Failure in refreshing tokens might happen sometimes. Make sure to double-check the Google OAuth documentation for potential causes of refresh failures.
(https://developers.google.com/nest/device-access/reference/errors/authorization).

Second is User Revoked Refresh Token Manually:

It is possible the user might have revoked the token manually. If they have, you will need to request their permission again to obtain a new refresh token. Revoked tokens will always return "invalid_grant."

abd
Bronze 1

Hello @JanR,

Thanks for taking the time to respond. The refresh token is indeed expired; however, I understand that if you request offline access, which I do here:

 

```
async function generateAuthUrl() {
  const authorizeUrl = oAuth2Client.generateAuthUrl({
    access_type: 'offline',
    scope: scopes,
  });
  return authorizeUrl;
}
```
Then, if you send a request with an expired refresh_token, Google will update it in the request for you and then process your API request. Is that incorrect?
 
This is my code for instantiating the oauthclient for the request to the gmail API:
 
```
try {
  // Load the refresh token we stored for this user at first consent.
  oAuth2Client.setCredentials({ refresh_token: user.refresh_token });

  const gmail = google.gmail({ version: "v1", auth: oAuth2Client });

  // rest of code
} catch (err) {
  // error handling omitted from the post
  throw err;
}
```
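The failure mode in this thread, a stored refresh token that Google has expired or revoked, handled on the server side. This is an added example, not the poster's code and not part of the googleapis library: `client` and `store` are assumed interfaces, `client` imitating only the two OAuth2Client methods used above (setCredentials, generateAuthUrl), and the error object is constructed to match the GaxiosError shown in the question.

```javascript
// Added example, not the poster's code. `client` mimics the two OAuth2Client methods used in
// the thread (setCredentials, generateAuthUrl) and `store` is any per-user refresh-token store.

// Matches the GaxiosError in the question: message 'invalid_grant' and
// response.data.error 'invalid_grant' ("Token has been expired or revoked.").
function isInvalidGrant(err) {
  const data = err && err.response && err.response.data;
  return Boolean(err && (err.message === 'invalid_grant' || (data && data.error === 'invalid_grant')));
}

// The SDK can mint new access tokens from a stored refresh token, but it cannot replace a
// refresh token Google has expired or revoked; only a fresh consent round trip can do that.
// prompt: 'consent' makes Google issue a refresh token again for a user who already
// consented once; without it only the first consent returns one.
function buildReauthUrl(client, scopes) {
  return client.generateAuthUrl({ access_type: 'offline', prompt: 'consent', scope: scopes });
}

// apiCall(client) stands in for the Gmail call (kept synchronous so the example runs
// stand-alone; in production it is awaited). Returns { status, result } or { status, url }.
function callWithRefreshToken(client, store, userId, scopes, apiCall) {
  const refreshToken = store.get(userId);
  if (!refreshToken) return { status: 'reauth_required', url: buildReauthUrl(client, scopes) };
  client.setCredentials({ refresh_token: refreshToken });
  try {
    return { status: 'ok', result: apiCall(client) };
  } catch (err) {
    if (!isInvalidGrant(err)) throw err; // transient failures may be retried; invalid_grant may not
    store.delete(userId); // stop replaying a dead token on every request
    return { status: 'reauth_required', url: buildReauthUrl(client, scopes) };
  }
}

// Constructed stand-ins so the example runs offline.
const fakeClient = {
  credentials: null,
  setCredentials(c) { this.credentials = c; },
  generateAuthUrl(opts) {
    const q = new URLSearchParams({ access_type: opts.access_type, prompt: opts.prompt, scope: opts.scope.join(' ') });
    return 'https://accounts.google.com/o/oauth2/v2/auth?' + q.toString();
  },
};
const revokedError = Object.assign(new Error('invalid_grant'), {
  response: { data: { error: 'invalid_grant', error_description: 'Token has been expired or revoked.' } },
});
const scopes = ['https://www.googleapis.com/auth/gmail.readonly'];
const store = new Map([['user-1', 'stored-refresh-token']]);
const outcome = callWithRefreshToken(fakeClient, store, 'user-1', scopes, () => { throw revokedError; });
console.log(outcome.status, store.has('user-1')); // reauth_required false
```

The returned URL is what the user must be sent to; until they complete it, every Gmail call for them will keep failing with invalid_grant no matter how the SDK is configured.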

 

abd
Bronze 1

@JanR any feedback here? This is a blocker for us: the SDK is not renewing the tokens, so our integration is basically broken.
