Widespread OAuth issues in several apps script tools.


Spencer Easton

Jul 9, 2025, 3:20:36 PM
to Google Apps Script Community
My team is seeing some breaking issues in Apps Script managed OAuth services. It seems certain users can get into a state where the Google-managed token is invalid.

2) Requests to Apps Script services such as `AdminDirectory.Users.get` on some users are getting:

Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project

3) `ScriptApp.getOAuthToken()` is returning an invalid OAuth token for those certain users. I have verified this with:
https://www.googleapis.com/oauth2/v3/tokeninfo


It seems to have started around mid-June. The 17th is the first we see it in the logs. It was slow at first but we are starting to pick up trouble tickets more and more now.

꼬깔콘

Jul 10, 2025, 4:01:39 AM
to google-apps-sc...@googlegroups.com

I received the item a few days later, thank you for your kindness.


On Thu, Jul 10, 2025 at 4:20 AM, Spencer Easton <spe...@easton-consulting.com> wrote:

Google Pony

Jul 10, 2025, 4:02:23 AM
to Google Apps Script Community

Hi Spencer,


Thank you for raising this important issue. OAuth token problems can indeed be disruptive, especially when they affect multiple users. Based on the symptoms you've described, here are some steps to diagnose and potentially resolve the issue:


1. Immediate Workarounds

Token Refresh: The invalid OAuth token suggests a possible refresh token issue. You can try forcing a token refresh by:

```
ScriptApp.invalidateAuth();
```


This will prompt users to re-authorize the application the next time it runs.

Service Account Fallback: If you're using advanced services, consider switching to a service account with domain-wide delegation for more reliable access (though this requires admin setup).


2. Verify the OAuth Scopes

Ensure your script has the correct scopes declared in the manifest (`appsscript.json`). For `AdminDirectory.Users.get`, you need:

]

Missing or outdated scopes can cause token failures.


3. Check for Google-Side Issues

The timing (mid-June) suggests a possible change in Google's OAuth policies or a service disruption. Check the [Google Workspace Status Dashboard](https://www.google.com/appsstatus) for any ongoing incidents.

Review the [OAuth token audit logs](https://console.cloud.google.com/apis/credentials/oauthclient) in your Google Cloud Project to see if tokens are being revoked unexpectedly.


4. Debugging ScriptApp.getOAuthToken()

If ScriptApp.getOAuthToken() returns invalid tokens:


Add logging to verify the token's validity before use:

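```
// Check the current token against Google's tokeninfo endpoint.
const token = ScriptApp.getOAuthToken();
const response = UrlFetchApp.fetch(
  "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=" + encodeURIComponent(token),
  { muteHttpExceptions: true }); // a rejected token returns an HTTP error; log its body instead of throwing
Logger.log(response.getResponseCode() + " " + response.getContentText());
```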


If the token is consistently invalid, reauthorize the script by visiting:

https://script.google.com/macros/s/<SCRIPT_ID>/exec?authMode=full


5. Long-Term Solutions

Implement OAuth Error Handling: Wrap API calls in try-catch blocks and handle `401` errors by refreshing tokens or notifying users to reauthorize.

Migrate to Cloud Identity-Aware Proxy (IAP): For web apps, IAP can simplify authentication.


If the issue persists, please share:

The exact error payload from `tokeninfo`.

Whether affected users are in the same organization or across domains.

Any recent changes to the script or Google Cloud Project.


This will help narrow down whether it's a scope, token lifecycle, or Google-side issue.


Sincerely yours,
Sandeep Kumar Vollala
Consultant
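
One way to turn the `tokeninfo` check discussed in this thread into a diagnosis that separates a rejected token from a missing scope or a nearly expired token, as an added example that is not part of the thread or of any poster's code. `classifyTokenInfo`, `checkManagedToken` and the state names are hypothetical, the required scopes are supplied by the caller, and the response fields (`scope`, `expires_in`, `error`, `error_description`) are assumed to follow the endpoint's usual JSON.

```javascript
const TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo";

// Turn a tokeninfo HTTP status and body into a diagnosis. Pure function, so it
// can be tested without Apps Script services.
function classifyTokenInfo(status, body, requiredScopes, minLifetimeSec = 60) {
  let info = null;
  try {
    info = JSON.parse(body);
  } catch (e) {
    // Not JSON (for example an HTML error page); handled below.
  }
  if (info === null || typeof info !== "object") {
    return { state: "unparseable", status };
  }
  if (status !== 200) {
    // A rejected token comes back as a non-200 response with error fields.
    return { state: "invalid", status, error: info.error_description || info.error || null };
  }
  const granted = String(info.scope || "").split(" ").filter(Boolean);
  const missing = requiredScopes.filter((s) => !granted.includes(s));
  if (missing.length > 0) {
    return { state: "missing_scope", status, missing };
  }
  const expiresIn = Number(info.expires_in);
  if (!(expiresIn >= minLifetimeSec)) {
    return { state: "expiring", status, expiresIn };
  }
  return { state: "valid", status, expiresIn };
}

// Apps Script entry point. fetchFn and tokenFn default to the real services and
// are parameters only so the function can be exercised with stubs.
function checkManagedToken(requiredScopes, fetchFn, tokenFn) {
  const doFetch = fetchFn || ((url, opts) => UrlFetchApp.fetch(url, opts));
  const token = (tokenFn || (() => ScriptApp.getOAuthToken()))();
  const res = doFetch(TOKENINFO_URL + "?access_token=" + encodeURIComponent(token), {
    muteHttpExceptions: true, // read the error body instead of throwing on an HTTP error
  });
  // Return the diagnosis only; the token itself is never logged or returned.
  return classifyTokenInfo(res.getResponseCode(), res.getContentText(), requiredScopes);
}
```

Logging the returned object per affected user gives a record of which failure mode each user is in without writing bearer tokens to the execution log.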