GAM Oauth Token Expiration


Ullfig, Roberto Alfredo

Oct 10, 2017, 10:28:43 AM
to google-ap...@googlegroups.com

Hello,

 

So is there a way to get notified in advance when an oauth token is about to expire? I assume that it expired in our case because everything stopped working and I had to set things up again. Thanks!

 

---

Roberto Ullfig - rul...@uic.edu

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago

 

Jay Lee

Oct 10, 2017, 10:44:48 AM
to google-ap...@googlegroups.com
OAuth refresh tokens don't expire. They can only be:

  • revoked by themselves (e.g. "gam oauth revoke" command)
  • revoked by the admin at google.com/myaccount
  • I think there may be something like a 30ish token limit per user so if admin authorized too many external apps, old ones may get revoked. Not 100% on that.

Jay

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/BN3PR05MB265962F8C96D9FD902CE7966B0750%40BN3PR05MB2659.namprd05.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

Ullfig, Roberto Alfredo

Oct 10, 2017, 12:14:27 PM
to google-ap...@googlegroups.com

OK, so any idea how I would find out what happened? Like a log of revocations? How is Google Apps support for this? Is there a way to get an email when this happens? Also, why is the oauth2.txt file modified throughout the day? That’s the only file in our gam installation that gets modified (other than gamcache files).

 

We were getting these messages when it was working for many months/years:

 

fmt:pb 2017-10-09 18:47:50 22162: info: acctserv.gapps: got new token: XXXXXX exp: 1507594112. (number always the same)

 

Then this happened last night:

 

fmt:pb 2017-10-09 19:33:37 22162: info: acctserv.gapps: running gam to get new token...

fmt:pb 2017-10-09 19:33:53 22162: info: acctserv.gapps: back from gam.

fmt:pb 2017-10-09 19:33:53 22162: info: acctserv.gapps: got new token: XXXXXX exp: 1507599173. (note brand new number)

...

…failed, rc::245 reason=>google error: 401 Unauthorized.

 

Then after I set it all up again and it’s working:

 

fmt:pb 2017-10-10 07:33:53 25183: info: acctserv.gapps: got new token: XXXXXX exp: 1507642370. (same number from then on)

 

exp sure looks like an expiration time to me.

 

---

Roberto Ullfig - rul...@uic.edu

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago
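
An added example, not part of the original post or of GAM: the log lines quoted above run through a small parser that converts each `exp` value and measures how much validity the token had left when the line was written. It assumes `exp` is Unix epoch seconds and that the log timestamps are US Central daylight time (UTC-5); the poster's parenthetical notes are dropped from the sample lines.

```python
import re
from datetime import datetime, timedelta, timezone

# Log lines copied from the post above (token values were already redacted there).
LOG = """\
fmt:pb 2017-10-09 18:47:50 22162: info: acctserv.gapps: got new token: XXXXXX exp: 1507594112.
fmt:pb 2017-10-09 19:33:53 22162: info: acctserv.gapps: got new token: XXXXXX exp: 1507599173.
failed, rc::245 reason=>google error: 401 Unauthorized.
fmt:pb 2017-10-10 07:33:53 25183: info: acctserv.gapps: got new token: XXXXXX exp: 1507642370.
"""

LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption: server logs in CDT (UTC-5)
TOKEN_RE = re.compile(
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*got new token: \S+ exp: (\d+)")


def analyze(log_text, tz=LOCAL_TZ):
    """Return (events, alerts).

    events: (log time in UTC, exp in UTC, seconds of validity left at log time).
    alerts: 401 lines seen after a token fetch, i.e. failures that watching
            the exp countdown could not have predicted.
    """
    events, alerts = [], []
    last_exp = None
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            logged = datetime.strptime(
                m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            exp = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
            last_exp = exp
            events.append((logged.astimezone(timezone.utc), exp,
                           int((exp - logged).total_seconds())))
        elif "401 Unauthorized" in line and last_exp is not None:
            alerts.append("401 after a token fetch (exp %s): check for revoked "
                          "or invalid credentials, not expiry" % last_exp.isoformat())
    return events, alerts


if __name__ == "__main__":
    events, alerts = analyze(LOG)
    for logged, exp, left in events:
        print(logged.isoformat(), "exp", exp.isoformat(), "validity left:", left, "s")
    for alert in alerts:
        print("ALERT:", alert)
```

Under those assumptions the two freshly fetched tokens each have just under an hour of validity left, which is what a short-lived OAuth access token looks like, not a refresh token. Watching `exp` therefore gives no advance notice of a revocation; a 401 following a token fetch is the event to alert on.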

 


Jay Lee

Oct 10, 2017, 12:46:18 PM
to google-ap...@googlegroups.com
Those aren't GAM logs/messages, where are they coming from?

You can check the admin log in the console to see if they were revoked there but if the actual user revoked them, there's not much you can do to see that.

I'd recommend setting up a dedicated user for GAM, making sure the password is strong and turning on 2SV also. The account should only be logged into when making changes to GAM, not be a regular admin.

Jay


Ullfig, Roberto Alfredo

Oct 10, 2017, 1:06:04 PM
to google-ap...@googlegroups.com

Yes, we do have a dedicated account for this with no logins except for mine this morning to initialize the new token. The Admin log for this account shows a stream of password changes and account creations until a few minutes before authentication started to fail last night. If I search under Reports->Token I see the Authorize event I made from this morning but I don’t see a Revoke event.

 

---

Roberto Ullfig - rul...@uic.edu

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago

 


Ullfig, Roberto Alfredo

Oct 10, 2017, 1:08:19 PM
to google-ap...@googlegroups.com

Those log messages I showed are probably from our process. Probably just interpretations of the error codes returned from GAM, not sure as I didn’t write that.

 

---

Roberto Ullfig - rul...@uic.edu

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago

 
