{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 疯言疯语 的问题《OAuth2.0 token strange behaviour (Invalid Credenti》','https://www.manongdao.com/q-186817.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Usually, Google OAuth2.0 mechanism is working great.
- The user confirms permission to access Google account with selected scopes.
- The refresh token is retrieved and saved to long time storage.
- Each time needed (if the access token expired) access token is retrieved and used to access APIs.
But sometimes (thus far only two times for more than 6 months) I've experienced strange behaviour:
Requests to Google APIs return Invalid Credentials (401) error. Refreshing the access token (using the stored refresh token) does not help.
Here is some structured output I've got when testing this issue:
+ ------------------------------------------------------------------------- +
| 1.TRYING TO REFRESH THE TOKEN. |
| 2.DONE REFRESHING THE TOKEN. |
+ ------------------------------------------------------------------------- +
| access: **************************************************** |
| refresh: ********************************************* |
| expires: 3600 |
| created: 2013-07-23 13:12:36 |
+ ------------------------------------------------------------------------- +
I've also tried to verify the "fresh" access token by sending requests to https://www.googleapis.com/oauth2/v1/tokeninfo
+ ------------------------------------------------------------------------- +
| 1. TRYING TO CHECK THE TOKEN . |
| 2. DONE CHECKING THE TOKEN THE TOKEN. |
+ ------------------------------------------------------------------------- +
| issued_to: ************.apps.googleusercontent.com |
| audience: ************.apps.googleusercontent.com |
| user_id: ************ |
| expires_in: 3600 |
| email: **********@gmail.com |
| verified_email: 1 |
| access_type: offline |
| scopes:: |
+ ------------------------------------------------------------------------- +
| https://www.googleapis.com/auth/userinfo.email |
| https://www.googleapis.com/auth/userinfo.profile |
| https://www.googleapis.com/auth/plus.me |
| https://www.googleapis.com/auth/drive |
+ ------------------------------------------------------------------------- +
But when I try to access drive feed the response is:
Error calling GET https://www.googleapis.com/drive/v2/files (401) Invalid Credentials
domain: global
reason: authError
message: Invalid Credentials
locationType: header
location: Authorization
We also experienced the same issue with calendars. So:
- Token was valid before (everything worked).
- Refreshing token still works.
- Requesting a feed responds with "Invalid Credentials" error.
- All the other tokens are still working great, meaning that the code is valid.
Normally when the token is revoked "invalid_grant" error is returned when trying to refresh the token.
Questions
- What can be the reason for this behaviour? If the refresh token was revoked or got invalid in some other way, should the request for new access token produce error?
- Is there a way to validate the refresh token?
I resolved this problem when I removed files json in c:\Users\[user]\.credentials.
I recently experienced this weird error. My fix: I put the function that unsets all of the sessions before redirecting to AuthUrl.
I received
(401) Invalid Credentialswhen I removed the access to my Google Account for the particular app. So what I had to do was to request the authorization URL (the one which starts withhttps://accounts.google.com/o/oauth2/auth), again.Per the Google API docs on errors & error codes:
https://developers.google.com/drive/handle-errors#401_invalid_credentials
This matches your version of the error exactly, and so is very probably what Google thinks is wrong with your request.
But, as you well know, Google API requests can return errors that are distinctly unhelpful to actually diagnosing the problem. I have gotten "Invalid Credentials" errors for a number of reasons. It is almost always really because I have made some sort of change that I thought would not matter, but really does.
My first thought (shot in the dark here) would be to go to the Google API console:
https://code.google.com/apis/console
Googles auth token verifier ( https://www.googleapis.com/oauth2/v1/tokeninfo ) can return a valid response, but maybe the client secret or client id will have been changed.
Even tiny changes in the response body can also cause this error.
I don't know how you are making requests, whether by REST calls or a client lib, but I use the ruby lib which allows a command line interface to making API calls. I have found this & the OAuth2 Playground very helpful in diagnosing Google API calls.
Just an FYI: I have only gotten 2 errors from the Google API: "Invalid Credentials" and "Insufficient Permissions". The latter has almost always had to do with bad scopes. The former is just about everything else.
I would also say that if you have only experienced 2 errors in 6 months, you are lucky!
I ran into this same problem when I needed to change my scopes from Read Only to Read And Write All Files. So, I updated my scopes from at the top of my file from Read Only to:
Google, from their API guide, has these comments that say whenever you change scopes, you must update credentials. I believe this means, although I am not certain, that the token must be updated. The old token is still held by Google and it thought that I only had Read Only access, hence why it would return a 401 error. So, I need to remake my token, but Google never offered a new consent screen that would allow me to say allow Read And Write To All Files. So, I needed to get that screen to come up again, so it would create a new token to replace the old one:
Since I already had a saved token, it was never creating a new one. So, I just commented out the using of the old token and told it to get a new token, no matter if we have one or not. Then, I went to my Connected Apps in Google and deleted my old connecting credential. I'm not sure if this step is necessary, but I am only trying to access my personal account. Then, when I ran my program, it prompted me to re-authenticate, and everything worked and I did not receive an authentication error. Once done, make sure to remove the commented out lines for using already made tokens. I was using the Google API quickstart.js file for all of this.
So, when I updated my scopes, the old token was still using the Read Only scope, therefore I would get (401) Invalid Credentials.
I had the same problem with this error:
But found this very simple solution by abhishek77in here:
https://coderwall.com/p/fmr5ag/avoid-invalid-credentials-with-google-oauth2
The solution is:
Enabling these in the Google API console fixed the "Invalid credentials" problem for me.