Invalid grant when using Token Refresh
4,602 views
Skip to first unread message
jnewm...@gmail.com
Nov 16, 2015, 11:19:01 AM11/16/15
to AdWords API Forum
Hello,
About 3 weeks ago we started seeing this error when we refresh the access token for many random accounts, { "error" : "invalid_grant" }. We never had any problems refreshing access tokens up until now. Also, not all accounts are having problems refreshing their tokens; many refresh just fine. To temporarily fix the issue we have been reauthorizing each account, but other accounts start to have the same problem. The only information I could find on the forum is that the refresh token has manually been revoked, which doesn't make sense to me. I've read through the documentation at "https://developers.google.com/adwords/api/docs/guides/authentication" and it looks like our TokenUrl, AuthUrl and Scope are up to date. Any help is greatly appreciated, thanks.
Get Authorization Code:
https://accounts.google.com/o/oauth2/auth?client_id=XXXXX&redirect_uri=XXXXXX&scope=
Below is an example of the url and parameters we are using to retrieve initial access and refresh token:
https://www.googleapis.com/oauth2/v3/token?code=XXXXXXXXXXXXX&client_id=XXXXXXXXX&client_secret=XXXXXXXXX&grant_type=authorization_code&redirect_uri=XXXXXXXX
Below is an example of the url and parameters we are using to refresh access tokens:
https://www.googleapis.com/oauth2/v3/token?refresh_token=XXXXX&client_id=XXXXX&client_secret=XXXXX&grant_type=refresh_token
About 3 weeks ago we started seeing this error when we refresh the access token for many random accounts, { "error" : "invalid_grant" }. We never had any problems refreshing access tokens up until now. Also, not all accounts are having problems refreshing their tokens; many refresh just fine. To temporarily fix the issue we have been reauthorizing each account, but other accounts start to have the same problem. The only information I could find on the forum is that the refresh token has manually been revoked, which doesn't make sense to me. I've read through the documentation at "https://developers.google.com/adwords/api/docs/guides/authentication" and it looks like our TokenUrl, AuthUrl and Scope are up to date. Any help is greatly appreciated, thanks.
Get Authorization Code:
https://accounts.google.com/o/oauth2/auth?client_id=XXXXX&redirect_uri=XXXXXX&scope=
https://www.googleapis.com/auth/adwords&response_type=code&access_type=offline&approval_prompt=force";Below is an example of the url and parameters we are using to retrieve initial access and refresh token:
https://www.googleapis.com/oauth2/v3/token?code=XXXXXXXXXXXXX&client_id=XXXXXXXXX&client_secret=XXXXXXXXX&grant_type=authorization_code&redirect_uri=XXXXXXXX
Below is an example of the url and parameters we are using to refresh access tokens:
https://www.googleapis.com/oauth2/v3/token?refresh_token=XXXXX&client_id=XXXXX&client_secret=XXXXX&grant_type=refresh_token
Umesh Dengale
Nov 16, 2015, 4:51:21 PM11/16/15
to AdWords API Forum
Hello,
Here is the couple of things that you could check that cause for that error.
- Problem: Refresh tokens can become invalid for a few reasons:
- There is a maximum of 25 refresh tokens that can be valid at a time. If someone gets a 26th refresh token, then the 1st refresh token becomes invalid.
- Refresh tokens can also be manually revoked. If someone left the company, then they might have done so.
- Solution:
- Generate a new refresh token to be sure that it is valid.
- Problem: Your server is not synced time-wise with the Google server.
- Solution: Use NTP to make sure that the server is set to the correct time.
Regards,
Umesh, AdWords API Team.
jnewm...@gmail.com
Nov 17, 2015, 10:47:10 AM11/17/15
to AdWords API Forum
Thanks for the response. I spoke with my supervisor and he said the servers are synced. I dug deeper into our authorization process and we never re-request refresh tokens. We oauth once and refresh the access token if it has expired. Also, we are the only people with access to the accounts and no employees have left in the time period at hand nor did they have access to adwords. Generating a new access and refresh token requires manual intervention and until it is generated our app is broken for the client. When you say a maximum of 25 refresh tokens that can be valid at a time that is per user account correct?
Umesh Dengale
Nov 17, 2015, 4:48:16 PM11/17/15
to AdWords API Forum
Hello,
There is currently a limit of 25 refresh tokens per user account per client. Please check out token expiration section from the Using OAuth 2.0 to Access Google APIs guide for more details.
jnewm...@gmail.com
Nov 20, 2015, 11:08:38 AM11/20/15
to AdWords API Forum
Well that certainly can't be the problem because we don't get new refresh tokens except when we oauth an account. Our process goes as follows: Oauth an account which gives us an access and refresh token. We use the access token till it expires and then use the refresh token to acquire a new access token. If the account starts to show "invalid grant" we oauth again and get a new access and refresh token. This is vicious cycle is causing our app to break for many clients when "invalid grant" occurs.
Josh Radcliff (AdWords API Team)
Nov 20, 2015, 2:29:20 PM11/20/15
to AdWords API Forum
Hi,
Is it possible that you are seeing a large # of invalidated refresh tokens because they have not been used for 6 months?
If that does not explain the invalid grant errors:
1. Could you let me know if this error has occurred again on any accounts where you generated a new refresh token?
2. Once you get an invalid grant error for a given account, are you able to check the status of the grant via https://myaccount.google.com/ -> Connected apps & sites -> Manage apps? I'd be curious to know what you see there in this case. Below is what that page will look like for an account that has granted access to a project named My AdWords Web Project.
Thanks,
Josh, AdWords API Team
jnewm...@gmail.com
Nov 24, 2015, 9:36:00 AM11/24/15
to AdWords API Forum
We have had a couple cases where the account is over a year old so that could be a reason for those. However, we had an account yesterday made and today we go to refresh and it failed with invalid grant. I checked https://myaccount.google.com/ -> Connected apps & sites -> Manage apps and it says we have access to there Google Adwords and we are allowed to manage there adwords campaigns with authorization date of Yesterday, 1:36 PM. As far as I can tell none of the accounts that we have fixed by re-authorizing have had any problems.
Josh Radcliff (AdWords API Team)
Nov 24, 2015, 11:12:53 AM11/24/15
to AdWords API Forum
Hi,
In the case of the account where you confirmed it says you have access, did you retry the request to get a new access token, and if so, how many times and after waiting how long?
Also, just in case it's relevant, could you let me know which client library you're using (if any)?
Thanks,
Josh, AdWords API Team
jnewm...@gmail.com
Nov 24, 2015, 4:35:39 PM11/24/15
to AdWords API Forum
Today we had 2 invalid grants, both authorized yesterday. I did what you said and logged into the account and checked https://myaccount.google.com/ -> Connected apps & sites -> Manage apps. Both had 'has access to manage your AdWords campaigns'.
Starting with the first one, I logged into the account and checked access. After that, I attempted to refresh the access token with the supposedly 'invalid' refresh token and to my surprise it worked fine. Got a new access token and was able to make api calls again. Before I logged in and checked the second account I attempted to refresh the access token, but it failed with 'invalid grant'. So, I logged in and checked if we had access, to no surprise we did. After verifying access I attempted to refresh the access token and again it worked fine, no errors.
In short, both were returning 'invalid grant' and after verifying access both were able to use there refresh tokens to retrieve a new access token; rather than having to re-oauth each. By the way we are using the .Net client library.
jnewm...@gmail.com
Nov 25, 2015, 8:43:17 AM11/25/15
to AdWords API Forum
Just noticed our urls are different then what I posted.
Auth Url:
Token Url:
Josh Radcliff (AdWords API Team)
Nov 25, 2015, 10:22:52 AM11/25/15
to AdWords API Forum
Hi,
Thanks for providing all of those details. Since you found that the tokens that were giving invalid grant eventually worked again, this suggests a temporary issue with generating access tokens. When you encounter these failures, do you wait (with exponential backoff) and retry? I suspect that you'll find that waiting and retrying will fix this in almost all cases.
Regarding the URLs, the Auth Url looks correct, but according to the latest OAuth2 guide, ideally you should use https://www.googleapis.com/oauth2/v3/token to retrieve new access tokens. However, I confirmed that the URL you are using does still work, so I don't think that's the source of this problem.
Thanks,
Josh, AdWords API Team
jnewm...@gmail.com
Nov 30, 2015, 11:09:05 AM11/30/15
to AdWords API Forum
We currently don't have any kind of exponential backoff. Even if we did this would still require manual intervention by logging into the account, which requires a phone number for verification every time (phone number also has a limited number of uses).
Josh Radcliff (AdWords API Team)
Nov 30, 2015, 1:11:27 PM11/30/15
to AdWords API Forum
Hi,
I don't think the fact that you logged into the account actually fixed the issue. I only asked you to perform that manual check to verify that the access had not been revoked from the account.
Since the token request ultimately worked later on, this looks to me like a transient error that eventually goes away, so the retry with exponential backoff would help in that case.
Thanks,
Josh, AdWords API Team
Deepankar Biswas
Nov 22, 2016, 9:44:32 AM11/22/16
to AdWords API Forum
Hi Josh
I am facing this issue and its very strange.
1) The access is very much there and not revoked.
2) I refreshed the token today for my MCC account and it worked for the first time and now again invalid grant.
I took the dump of the AdWords user also and it has all valid data.
Where should I look to fix this?
DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OfferGrid. OfferGrid is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto.
Thank you - OfferGrid Networks (P) Ltd.
David B.
Nov 24, 2016, 3:49:51 AM11/24/16
to AdWords API Forum
Hi,
Exactly the same issue since last week. Using the same package/library + credentials to connect on two applications :
- the first one is a cron script that operate spooled operations. Working fine and still ok. It runs every 30mn.
- the second is a web application : it works one time, and then invalid grant too.
This couple of applications has been working for months but the web application is failing since last week.
I'm using this sample code to get a session :
// Generate a refreshable OAuth2 credential
// and can be used in place of a service account.
Credential credential = new OfflineCredentials.Builder()
.forApi(OfflineCredentials.Api.ADWORDS)
.fromFile()
.build()
.generateCredential();
ReportingConfiguration reportingConfiguration
= new ReportingConfiguration.Builder()
.skipReportHeader(false)
.skipColumnHeader(false)
.skipReportSummary(false)
// Enable to allow rows with zero impressions to show.
.includeZeroImpressions(false)
.build();
AdWordsSession session = new AdWordsSession.Builder()
.fromFile()
.withOAuth2Credential(credential)
.withReportingConfiguration(reportingConfiguration)
.build();
- DB.
Exactly the same issue since last week. Using the same package/library + credentials to connect on two applications :
- the first one is a cron script that operate spooled operations. Working fine and still ok. It runs every 30mn.
- the second is a web application : it works one time, and then invalid grant too.
This couple of applications has been working for months but the web application is failing since last week.
I'm using this sample code to get a session :
// Generate a refreshable OAuth2 credential
// and can be used in place of a service account.
Credential credential = new OfflineCredentials.Builder()
.forApi(OfflineCredentials.Api.ADWORDS)
.fromFile()
.build()
.generateCredential();
ReportingConfiguration reportingConfiguration
= new ReportingConfiguration.Builder()
.skipReportHeader(false)
.skipColumnHeader(false)
.skipReportSummary(false)
// Enable to allow rows with zero impressions to show.
.includeZeroImpressions(false)
.build();
AdWordsSession session = new AdWordsSession.Builder()
.fromFile()
.withOAuth2Credential(credential)
.withReportingConfiguration(reportingConfiguration)
.build();
- DB.
Thanet Knack Praneenararat (AdWords API Team)
Nov 24, 2016, 10:54:10 AM11/24/16
to AdWords API Forum
Hello David,
Is it possible for you to regenerate a refresh token and retry?
If you can't, could you please tell me your manager account that you're always using?
Thanks in advance.
Best,
Thanet, AdWords API Team
David B.
Nov 24, 2016, 11:25:04 AM11/24/16
to AdWords API Forum
Hi,
I've just found what was wrong. The script was looking after the ads.properties file in the /root/ folder (which wasn't updated since I get a new refresh token - trying to debug something else ?)
So it looks ok for me right now.
Regards,
David
I've just found what was wrong. The script was looking after the ads.properties file in the /root/ folder (which wasn't updated since I get a new refresh token - trying to debug something else ?)
So it looks ok for me right now.
Regards,
David
Reply all
Reply to author
Forward
0 new messages