Requesting new Access Token with our Refresh Token Returns : Invalid_grant - bad request

[san...@goshift.com]

Hi,

We manage multiple adwords accounts and have been doing so for some time now without seeing this issue before.

When we request a new access token with the refresh token we have saved for a client:

HTTP METHOD: POST

HEADERS: 'content-type': 'application/x-www-form-urlencoded'

URI: https://accounts.google.com/o/oauth2/token

BODY: grant_type=refresh_token&client_id=<client_id>&client_secret=<client_secret>&refresh_token=<refresh_token>

( We use python and the request is being constructed and sent by - google/oauth2/_client.py._token_endpoint_request() )

We get the following response:

status: 400

{
    "error": "invalid_grant",
    "error_description": "Bad Request"
}

Now if we just redo the OAuth entirely for that client account then everything starts working again - so we can be sure the client has not revoked the refresh token from us. 

Our OAuth code has not changed in a long while and we cant seem to understand what the issue is.

Could you please advise.

Thanks

Sanjay

[san...@goshift.com]

I also read this here (https://developers.google.com/identity/protocols/OAuth2InstalledApp#offline)

Note that there are limits on the number of refresh tokens that will be issued; one limit per client/user combination, and another per user across all clients. You should save refresh tokens in long-term storage and continue to use them as long as they remain valid. If your application requests too many refresh tokens, it may run into these limits, in which case older refresh tokens will stop working.

but not sure what is actually means?

We have a unique refresh token saved for every client we manage.

Thanks

[Milind Sankeshware (AdWords API Team)]

Hi Sanjay,

The "invalid_grant" error usually indicates that the access or refresh token being passed in your request is incorrect or invalid. To verify that your credentials are correct, you could also try the CURL request provided below and see if you are able to generate the access tokens? If the credentials are correct, you should get an access token for the below request.
curl https://www.googleapis.com/oauth2/v4/token \
-d refresh_token=your-refresh_token \
-d client_id=your-client-id \
-d client_secret=your-client-secret \
-d grant_type=refresh_token

If your credentials are incorrect and still facing an issue then could you generate a new refresh token with the help of this guide and retry your request? As per this guide, you will need to create limited refresh token. When the user login exceeds the number of refresh tokens that are generated, the older ones will be invalidated. For instance, when you create the 51st refresh token for a given set of credentials the very first refresh token will be invalidated due to this limit. If you are using the client library to make the API call, you will need to store this refresh token in property file so that client library will generate the access token automatically. Let me know if you have any further questions. 

Thanks,
Milind, AdWords API Team

[san...@goshift.com]

Hi,

We have solved this issue.

As all of our clients link to our Adwords Account MCC, we always OAuth to our MCC.

What we were doing is requesting a new OAuth refresh token every time we setup a new client in our system and saved this refresh token against this client - this meant that we were exceeding the 50 refresh tokens allowed to be issued so the older refresh tokens were becoming expired.

We are now only saving one refresh token per a client is and email combination and using that to login into our MCC.

Thanks

Sanjay