Token Expiration Error

[Zach Dane]

Hello!

When running any command (Sample below), GAM shows as token expired or revoked. I am able to access GAM and run projects when I refresh the token but then it expires again. Typically, this occurs within a few quick GAM jobs. All of the scopes have been authorized and show as Pass. Any ideas or suggestions on how to resolve this? Thanks in advance for your insights!

gam info domain

Traceback (most recent call last):
  File "gam\__main__.py", line 49, in <module>
  File "gam\__main__.py", line 44, in main
  File "gam\__init__.py", line 11570, in ProcessGAMCommand
  File "gam\gapi\directory\domains.py", line 25, in info
  File "gam\gapi\directory\customer.py", line 18, in doGetCustomerInfo
  File "gam\gapi\directory\__init__.py", line 5, in build
  File "gam\__init__.py", line 1003, in buildGAPIObject
  File "gam\__init__.py", line 931, in getValidOauth2TxtCredentials
  File "gam\auth\oauth.py", line 467, in refresh
  File "gam\auth\oauth.py", line 475, in _locked_refresh
  File "google\oauth2\credentials.py", line 302, in refresh
  File "google\oauth2\reauth.py", line 347, in refresh_grant
  File "google\oauth2\_client.py", line 60, in _handle_error_response
google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', {'error': 'invalid_grant', 'error_description': 'Token has been expired or revoked.'})
[12300] Failed to execute script '__main__' due to unhandled exception!

[Zach Dane]

Removing the OAuth2.txt file and then going to GAM to create oauth temporarily works. 

Does anyone have ideas on how to have the oauth token autorefresh as it should? 

The new, and shortened error, is:  

google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', {'error': 'invalid_grant', 'error_description': 'Token has been expired or revoked.'})

Thank you all!

[Sergio Alvarez]

This sounds like an internal policy that you have in your admin console, by default you should be able to run GAM without a token expiring. 

[Jay Lee]

Exactly that. It's likely this:

https://support.google.com/a/answer/9368756?hl=en

you can either:

1. turn that setting off.
2. remove Google Cloud Storage from the list of scopes you authorize when creating oauth2.txt
3. deal with the need to recreate oauth2.txt every few hours/days depending on your setting above.

Jay Lee

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/c7d9f49c-0470-49ca-9bfc-e9c133a50d07n%40googlegroups.com.

[Richard Gilbert]

I had this problem (with gam 5.31) back in February and had to reauthenticate after roughly six months.  The oauth2 token just expired again, another six months later.  Having looked at the article above I checked Google Cloud session control and it is set to "Never require reauthentication".

I just take the default set of scopes, most of which I don't need, on the basis that there may be some that I need but don't know I need.  If using a much smaller set of scopes would help I will reduce it if I next have to reauthenticate next February.  I only use gam to manage users, aliases, groups, profiles, OUs and licences.

Thank you -- I am very grateful for the brilliant work of the GAM team.

Richard