invalid_grant trying to get oAuth token from google

by

Although this is an old question, it seems like many still encounter it – we spent days on end tracking this down ourselves.

In the OAuth2 spec, “invalid_grant” is sort of a catch-all for all errors related to invalid/expired/revoked tokens (auth grant or refresh token).

For us, the problem was two-fold:

  1. User has actively revoked access to our app
    Makes sense, but get this: 12 hours after revocation, Google stops sending the error message in their response:
    “error_description” : “Token has been revoked.”
    It’s rather misleading because you’ll assume that the error message is there at all times which is not the case. You can check whether your app still has access at the apps permission page.

  2. User has reset/recovered their Google password
    In December 2015, Google changed their default behaviour so that password resets for non-Google Apps users would automatically revoke all the user’s apps refresh tokens. On revocation, the error message follows the same rule as the case before, so you’ll only get the “error_description” in the first 12 hours. There doesn’t seem to be any way of knowing whether the user manually revoked access (intentful) or it happened because of a password reset (side-effect).

Apart from those, there’s a myriad of other potential causes that could trigger the error:

  1. Server clock/time is out of sync
  2. Not authorized for offline access
  3. Throttled by Google
  4. Using expired refresh tokens
  5. User has been inactive for 6 months
  6. Use service worker email instead of client ID
  7. Too many access tokens in short time
  8. Client SDK might be outdated
  9. Incorrect/incomplete refresh token

I’ve written a short article summarizing each item with some debugging guidance to help find the culprit. Hope it helps.

More Related Contents:

  1. How do I authorise an app (web or installed) without user intervention?
  2. What are the alternatives now that the Google web search API has been deprecated? [closed]
  3. This IP, site or mobile application is not authorized to use this API key
  4. Getting Google+ profile picture url with user_id
  5. How do I add/create/insert files to Google Drive through the API?
  6. Do Google refresh tokens expire?
  7. Google Speech Recognition API Result is Empty
  8. Google image search says api no longer available
  9. Is there already a Google+ API? [closed]
  10. Restrict Login Email with Google OAuth2.0 to Specific Domain Name
  11. Error: ‘The project id used to call the Google Play Developer API has not been linked in the Google Play Developer Console.’
  12. Lookup City and State by Zip Google Geocode Api [closed]
  13. google plus api: “insufficientPermissions” error
  14. Google Sheets API returns “The caller does not have permission” when using server key
  15. vertical reference line in google timeline visualization
  16. Migrating 50TB data from local Hadoop cluster to Google Cloud Storage
  17. Google Contacts API vs People API
  18. Getting a 403 – Forbidden for Google Service Account
  19. Google Video no longer able to retrieve captions?
  20. Youtube video uploads rejected before API quota limit reached
  21. Error: invalid_client no application name
  22. Is there a Google Keep API? [closed]
  23. processingFailure error (400) while retrieving CommentThreads list
  24. Google API to get impressions of youtube videos?
  25. Where can I get Google developer key
  26. What is the fastest way to update a google spreadsheet with a lot of data through the spreadsheet api?
  27. get_video_info YouTube endpoint suddenly returning 404 not found
  28. UNREGISTERED_ON_API_CONSOLE while getting OAuth2 token on Android
  29. Google API Client “refresh token must be passed in or set as part of setAccessToken”
  30. Access to Google API – GoogleAccountCredential.usingOAuth2 vs GoogleAuthUtil.getToken()

Leave a Comment