Using Refresh Token Exception { "error" : "invalid_grant" }'

Question

I've successfully built an application that fetches an access and refresh token.

In my script I check if the access token is valid and if not I then use the refresh token to gain access $client->refreshToken($refreshToken);

Code in full,

    $refreshToken = '<REFRESH_TOKEN>';

    $client_id = '<CLIENT_ID>';
    $client_secret = '<CLIENT_SECRET>';

    // Setup infomation
    $client = new Google_Client();
    $client->setClientId($client_id);
    $client->setClientSecret($client_secret);
    $client->setAccessType("offline");
    $client->addScope("https://mail.google.com/");

    // If access token is not valid use refresh token
    if($client->isAccessTokenExpired()) {

        // Use refresh token
        $client->refreshToken($refreshToken);

    } else {

        // Use access token
        echo $client->setAccessToken($accessToken);

    }

However when trying to use the refresh token I get an excpetion :

Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }''

https://developers.google.com/analytics/devguides/config/mgmt/v3/authorization#invalid_grant — Charlie Martin, Oct 18 '17 at 22:03

laander · Answer 1 · 2016-07-18T11:46:02.380

25

In the OAuth2 spec, "invalid_grant" is sort of a catch-all for all errors related to invalid/expired/revoked tokens (auth grant or refresh token).

There's a lot potential causes for the problems, here's a checklist:

Server clock/time is out of sync
Not authorized for offline access
Throttled by Google
Using expired refresh tokens
User has been inactive for 6 months
Use service worker email instead of client ID
Too many access tokens in short time
Client SDK might be outdated
Incorrect/incomplete refresh token
User has actively revoked access to our app
User has reset/recovered their Google password

I've written a short article summarizing each item with some debugging guidance to help find the culprit. We spent days hunting this down, hope it may help others turn those days into hours.

edited Jul 18 '16 at 11:46

answered Jul 18 '16 at 10:30

laander

2,243
2
23
15

A real nightmare! I appreciate your hours of testing and research. I guess that another possible cause maybe that account was suspended by Google, e.g. when they consider that Terms of Service were violated (spam filter was trigger or something else) – Delmo Aug 26 '16 at 23:16
Hi! In my case, google is returning me incorrect refresh token (your point no. 9). My refresh token is starting with "4/". What can be the possible reason behind this? How can i fix it? – user2393886 Dec 24 '16 at 06:56

score 4 · Answer 2 · answered Nov 07 '14 at 00:59

4

The reason of the "Invalid grant" error may be due to the refresh token not working. This could be because When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant error response is returned.Here is the link for more documentation.

answered Nov 07 '14 at 00:59

SGC

1,025
1
6
6

I'm using valid refresh tokens however I still get this error. – Jack Trowbridge Nov 08 '14 at 14:33

score 3 · Answer 3 · answered Nov 05 '15 at 02:03

3

As everyone is telling you as far as I know that error could be caused by 2 reasons:

Refresh Token is not valid anymore
Refresh Token is wrong - maybe some characters hidden that code is adding somehow.

I had that issue before (same error message) and turns out my Refresh Token got expired.

answered Nov 05 '15 at 02:03

DRQ

33
3

I second this, examine your tokens. I Just spent 4-5 hours on this. The ultimate means of solving it in my case was to closely examine the tokens in my authorization function and compare them to my refresh token function. Turns out they were totally different, which led me to the real issue - that I wasn't loading the stored refresh token from the correct location in persistent storage (it was using an old location and not the correct location, so everything looked ok on the surface, and it masked the issue). – JohnTD Aug 07 '23 at 17:56

score 1 · Answer 4 · answered Oct 18 '17 at 22:06

Google now has a dedicated page in their API guide for this error where it says there are only 2 reasons for this...

Your server's clock is not in sync with network time protocol - NTP.
The refresh token limit has been exceeded.

The limit for each unique pair of OAuth 2.0 client and Google Analytics account is 25 refresh tokens. If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid.

score 1 · Answer 5 · answered Oct 01 '22 at 09:55

1

Refresh token need to be use only once, if you are using the same refresh token multiple times you will get an error as well

answered Oct 01 '22 at 09:55

zdravko zdravkin

2,090
19
21

score 0 · Answer 6 · edited Jun 18 '20 at 17:52

0

"invalid_grant" can be due to an expired/invalid refresh token. In my case, it had an extra space too much at the end.

edited Jun 18 '20 at 17:52

Enrico

2,734
1
27
40

answered May 28 '15 at 19:04

Won Jun Bae

5,140
6
43
49

score 0 · Answer 7 · answered Jun 11 '21 at 20:47

Going to add one more item to the list that hasn't been mentioned:

The Refresh Token received from the original request could be URL encoded (eg. "1//..." would be "1%2F%2F...").

Make sure you use a decoded version. If not, you could end up with a double-encoded refresh token sent to the server, resulting in an invalid_grant error.

Using Refresh Token Exception { "error" : "invalid_grant" }'

7 Answers7

Linked