OAuth2.0 token strange behaviour (Invalid Credentials)

Posted 2019-01-21 19:26

Usually, Google OAuth2.0 mechanism is working great.

  1. The user confirms permission to access Google account with selected scopes.
  2. The refresh token is retrieved and saved to long time storage.
  3. Each time needed (if the access token expired) access token is retrieved and used to access APIs.

But sometimes (thus far only twice in more than 6 months) I've experienced strange behaviour:

Requests to Google APIs return Invalid Credentials (401) error. Refreshing the access token (using the stored refresh token) does not help.

Here is some structured output I've got when testing this issue:

    + ------------------------------------------------------------------------- + 
    | 1.TRYING TO REFRESH THE TOKEN.                                            |
    | 2.DONE REFRESHING THE TOKEN.                                              |
    + ------------------------------------------------------------------------- + 
    |    access:           **************************************************** | 
    |   refresh:                  ********************************************* | 
    |   expires:                                                           3600 | 
    |   created:                                            2013-07-23 13:12:36 | 
    + ------------------------------------------------------------------------- + 

I've also tried to verify the "fresh" access token by sending requests to https://www.googleapis.com/oauth2/v1/tokeninfo

    + ------------------------------------------------------------------------- + 
    | 1. TRYING TO CHECK THE TOKEN .                                            |
    | 2. DONE CHECKING THE TOKEN THE TOKEN.                                     |
    + ------------------------------------------------------------------------- + 
    |       issued_to:                  ************.apps.googleusercontent.com |
    |        audience:                  ************.apps.googleusercontent.com |
    |         user_id:                                             ************ |
    |      expires_in:                                                     3600 |
    |           email:                                     **********@gmail.com |
    |  verified_email:                                                        1 |
    |     access_type:                                                  offline |
    |         scopes::                                                          |
    + ------------------------------------------------------------------------- + 
    | https://www.googleapis.com/auth/userinfo.email                            |
    | https://www.googleapis.com/auth/userinfo.profile                          |
    | https://www.googleapis.com/auth/plus.me                                   |
    | https://www.googleapis.com/auth/drive                                     |
    + ------------------------------------------------------------------------- + 

But when I try to access the Drive feed, the response is:

    Error calling GET https://www.googleapis.com/drive/v2/files (401) Invalid Credentials

    domain:         global
    reason:         authError
    message:        Invalid Credentials
    locationType:   header
    location:       Authorization

We also experienced the same issue with calendars. So:

  1. Token was valid before (everything worked).
  2. Refreshing token still works.
  3. Requesting a feed responds with "Invalid Credentials" error.
  4. All the other tokens are still working great, meaning that the code is valid.

Normally, when the token is revoked, an "invalid_grant" error is returned when trying to refresh it.

Questions

  1. What can be the reason for this behaviour? If the refresh token was revoked or became invalid in some other way, should the request for a new access token produce an error?
  2. Is there a way to validate the refresh token?
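The question's own diagnostics (refresh, check at the tokeninfo endpoint, call the API) can be turned into checks a client runs before deciding to send the user back through consent. The following is an added example, not code from the question or from Google's client libraries. It assumes the v1 tokeninfo endpoint returns its granted scopes as one space-delimited `scope` field (the question's tool prints them as a list), and it works only on constructed sample bodies so it runs offline; the client id, user id and e-mail are placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of a tokeninfo response, with the same fields the question's
# structured output shows. Every value here is a placeholder, not a real identifier.
SAMPLE_TOKENINFO = json.dumps({
    "issued_to": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "audience": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "user_id": "000000000000000000000",
    "scope": " ".join([
        "https://www.googleapis.com/auth/userinfo.email",
        "https://www.googleapis.com/auth/userinfo.profile",
        "https://www.googleapis.com/auth/plus.me",
        "https://www.googleapis.com/auth/drive",
    ]),
    "expires_in": 3600,
    "email": "someone@example.com",
    "verified_email": True,
    "access_type": "offline",
})

# Constructed sample of the Drive error body from the question (JSON form of the
# fields the question lists: domain, reason, message, locationType, location).
SAMPLE_API_ERROR = json.dumps({"error": {
    "code": 401,
    "message": "Invalid Credentials",
    "errors": [{"domain": "global", "reason": "authError",
                "message": "Invalid Credentials",
                "locationType": "header", "location": "Authorization"}],
}})


def check_tokeninfo(body, expected_client_id, required_scope):
    """Return a list of problems found in a tokeninfo response; [] means the
    token is bound to our client, still live, and carries the scope we need."""
    info = json.loads(body)
    problems = []
    if info.get("audience") != expected_client_id:
        problems.append("audience mismatch: token was not minted for this client")
    # tokeninfo returns the granted scopes as one space-delimited string
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        problems.append(f"missing scope {required_scope}")
    if int(info.get("expires_in", 0)) <= 0:
        problems.append("access token already expired")
    return problems


def is_cached_token_expired(created, expires_in, now, skew=60):
    """Decide from the locally stored 'created' timestamp and 'expires' lifetime
    (the two fields in the question's output) whether the cached access token
    must be refreshed before use. A small skew avoids racing the server clock.
    Timestamps are 'YYYY-MM-DD HH:MM:SS' strings as printed in the question."""
    created_at = datetime.fromisoformat(created)
    now_at = datetime.fromisoformat(now)
    return now_at >= created_at + timedelta(seconds=int(expires_in) - skew)


def classify_api_error(body):
    """Map a Google API error body to the next action. The combination seen in the
    question (refresh succeeds, tokeninfo is clean, API still answers 401 authError)
    leaves only one remedy: send the user through the consent flow again."""
    err = json.loads(body).get("error", {})
    reasons = {e.get("reason") for e in err.get("errors", [])}
    if err.get("code") == 401 and "authError" in reasons:
        return "reauthorize"
    return "inspect"
```

Running `check_tokeninfo` before the API call separates the two cases that look identical from the caller's side: a token that was never granted the scope (or was minted for another client id) versus a token that passes every local check and is still rejected by the resource server, which is the case the question describes.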

10 answers
ら.Afraid
#2 -- · 2019-01-21 19:46

Maybe this behavior is due to a limitation which Google describes as follows:

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.

There is also a larger limit on the total number of tokens a user account or service account can have across all clients. Most normal users won't exceed this limit but a developer's test account might.
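The limit quoted in this answer is easy to hit when a client re-runs the consent flow on every login and keeps each new refresh token, and the failure is silent: the oldest token simply stops refreshing. The following is an added example, not code from the answer or from Google; `AuthServerModel` is a constructed simulation of the described behaviour (a per-user, per-client queue capped at 50), and `RefreshTokenStore` shows the client-side mitigation of keeping exactly one refresh token per user and client and reusing it.

```python
from collections import deque

REFRESH_TOKEN_LIMIT = 50   # per user account per client, as quoted in the answer above


class AuthServerModel:
    """Constructed model of the behaviour described above: at most REFRESH_TOKEN_LIMIT
    live refresh tokens per (user, client); minting one more silently drops the oldest.
    This is a simulation for illustration, not Google's implementation."""

    def __init__(self, limit=REFRESH_TOKEN_LIMIT):
        self.limit = limit
        self.live = {}          # (user_id, client_id) -> deque of live refresh tokens
        self.counter = 0

    def consent(self, user_id, client_id):
        """Simulate the user completing the consent screen: returns a new refresh token."""
        self.counter += 1
        token = f"rt-{self.counter}"          # constructed token value
        queue = self.live.setdefault((user_id, client_id), deque())
        queue.append(token)
        if len(queue) > self.limit:
            queue.popleft()                   # oldest token invalidated without warning
        return token

    def refresh(self, user_id, client_id, refresh_token):
        """Return 'ok', or the 'invalid_grant' error a dropped or revoked token produces."""
        if refresh_token in self.live.get((user_id, client_id), ()):
            return "ok"
        return "invalid_grant"


class RefreshTokenStore:
    """Client-side long-term storage: one refresh token per (user, client), reused
    until it fails, so the consent flow only runs when nothing is stored."""

    def __init__(self):
        self._tokens = {}

    def get_or_authorize(self, server, user_id, client_id):
        key = (user_id, client_id)
        if key not in self._tokens:
            self._tokens[key] = server.consent(user_id, client_id)
        return self._tokens[key]

    def invalidate(self, user_id, client_id):
        """Forget a token that came back as invalid_grant so the next call re-consents."""
        self._tokens.pop((user_id, client_id), None)


def naive_client(server, user_id, client_id, logins):
    """Runs the consent flow on every login and keeps every token it was given."""
    return [server.consent(user_id, client_id) for _ in range(logins)]


def careful_client(server, store, user_id, client_id, logins):
    """Reuses the stored refresh token; returns the set of distinct tokens obtained."""
    return {store.get_or_authorize(server, user_id, client_id) for _ in range(logins)}
```

In the simulation the naive client's first token stops refreshing on the 51st login, while the careful client never mints a second one. Note that this models the hypothesis of this answer; in the question's own trace the refresh call still succeeded, so the limit alone does not explain that case.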

霸刀☆藐视天下
#3 -- · 2019-01-21 19:47

I'm on Development environment. I had this problem too.

First I tried refreshing the credentials. No result. Then I deleted my app (since I'm still on the development environment, that was ok, but BE CAREFUL WITH THIS ACTION if you're already using this on production), created a new one, updated the credentials JSON on the client... still, no result.

I solved it by opening on a new browser instance which wasn't logged in my Google Account (Private Browsing, since I'm on Firefox), logged on my Google Account once again, and tried using my client (which is a Web Application). I was redirected to the authorization screen as expected and after that, it worked fine for me.

我想做一个坏孩纸
#4 -- · 2019-01-21 19:51

Clearing storage in Google Chrome worked for me (I don't know all the details of what 'Clear storage' is clearing):

  1. F12 (Ctrl+Shift+I)
  2. Application Tab
  3. Clear storage

放荡不羁爱自由
#5 -- · 2019-01-21 19:56

I had this problem when I tried experimenting with changing the redirect url in google console and then updating my json credentials file on server. I had to clear the session variables before starting afresh. So in your project just do this once:

    <?php
    session_start(); // starts (or resumes) the PHP session
    session_unset(); // flushes out all the session variables previously set

Remember to remove the session_unset() after dry running it once.
