Google AdWords API 400 "Bad Request" "invalid_grant" error: is it possible for refresh_token to be expired?


Casual Stone

Apr 10, 2020, 10:56:53 AM
to AdWords API and Google Ads API Forum
Hello. We store refresh tokens per user retrieved after OAUTH 2 authentication. We use refresh_token to fetch access_token if it is expired. But recently I noticed that some of our customers get 400 "Bad Request" "invalid_grant" error. While investigating the issue I noticed that refresh_token was expired (or broken), but if you authenticate again you get a new one, and everything starts working again.
So my question — is it possible for refresh_token to be expired? Or did Google recently change the way the token was generated? Or maybe we unintentionally corrupted refresh_tokens somehow in our database?

Kind Regards,
Petro

Google Ads API Forum Advisor Prod

Apr 10, 2020, 4:28:18 PM
to pet...@gmail.com, adwor...@googlegroups.com
Hi Petro,

As mentioned in this documentation, refresh tokens do not expire. In order for me to further investigate what has caused your issue, kindly provide your client customer ID and complete detailed request and response logs. Please ensure that you "Reply privately to author" when providing this information.

Thanks,
Danica Calusin, Google Ads API Team


Zweitze

Apr 14, 2020, 1:48:06 PM
to AdWords API and Google Ads API Forum
I know a few circumstances where a refresh token expires, or becomes invalid:

1. Your software revoked the token. In other words, your software has a Logout function and that was successfully called.
2. That user went to his Google account settings, Security, and then Manage third party access (direct link). He saw your OAuth2 client (here called "third party app"), clicked on it, and then clicked "Remove Access".
3. The refresh token expired because it was not used in six months. By usage, it means obtaining an access token using that particular refresh token.
4. The user granted your OAuth2 client access over 50 times, without logging out in between. For instance, you have a web application storing the refresh token in a cookie, and the user destroys his cookies every now and then. Because of that, he has to log in because the old tokens were never revoked. Now, if you also use that same OAuth2 client in an app, then at one point the refresh token for that app will become invalid.
5. The most likely reason: the requested OAuth2 scope was not limited to adwords, it also contained one or more gmail scopes. In that case, when a user changes his password, all refresh tokens with a gmail scope become invalid.

Reasons 2 to 5 are documented in the Google OAuth2 docs.

A few years ago I noticed that the last reason was incomplete. You get the same behaviour if a Google Analytics scope is included. I am not sure if this is still the case; this behaviour has never been officially documented.

When you do get to the bottom of it, please post your findings!

Google Ads API Forum Advisor Prod

Apr 15, 2020, 12:42:27 PM
to zwe...@gmail.com, adwor...@googlegroups.com
Hello,

I am checking on this internally within the team and will provide you with updates once we have more insight.

Google Ads API Forum Advisor Prod

Apr 15, 2020, 1:19:10 PM
to zwe...@gmail.com, adwor...@googlegroups.com
Hello,

Unfortunately, my team doesn't have any insight into why a refresh token may have been revoked. If it stopped working unexpectedly, it's most likely because the user either revoked it or generated a new one for some other purpose which brought them over the limit of maximum simultaneous refresh tokens.

If you're using a flow where users have to sign in to access their account through your service (which is what it sounds like, based on your description), you should just build in a way for them to re-authenticate if things go wrong.

Regards,
Mike, Google Ads API Team
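
One way to act on the advice in this thread, as an added example that is not code from any poster or from Google: treat a 400 `invalid_grant` as permanent, drop the dead token and flag the user for re-consent, and use a fingerprint saved at consent time to tell revocation apart from the database corruption the original question asks about. The record layout, function names and sample responses are hypothetical; the `{"error": "invalid_grant"}` body shape is the standard OAuth 2.0 error response.

```python
import hashlib
import json


def fingerprint(token):
    """Short SHA-256 fingerprint, safe to log in place of the token itself."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def new_record(refresh_token):
    """Hypothetical per-user row, created when the user grants consent."""
    return {"refresh_token": refresh_token,
            "fingerprint": fingerprint(refresh_token),
            "access_token": None,
            "needs_reauth": False}


def stored_token_intact(record):
    """False if the stored token no longer matches what was saved at consent."""
    return fingerprint(record["refresh_token"]) == record["fingerprint"]


def handle_refresh_response(record, status, body):
    """Return 'ok', 'retry', 'reauthorize', 'corrupted' or 'error'."""
    if record["needs_reauth"] or not record["refresh_token"]:
        return "reauthorize"          # already known dead, do not call again
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 200 and "access_token" in payload:
        record["access_token"] = payload["access_token"]
        return "ok"
    if status == 400 and payload.get("error") == "invalid_grant":
        # Revoked, unused too long, over the token limit, or damaged in
        # storage: retrying with the same token cannot succeed.
        cause = "reauthorize" if stored_token_intact(record) else "corrupted"
        record["refresh_token"] = None
        record["needs_reauth"] = True
        return cause
    if status == 429 or status >= 500:
        return "retry"                # transient, keep the token
    return "error"                    # client misconfiguration, investigate
```

A `corrupted` result points at your own storage layer (truncation, encoding, encryption changes) rather than at any of the revocation reasons listed above.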
