GAM Re-authentication / Token Expired


Rocky Borrego

Sep 27, 2022, 8:22:30 PM
to GAM for Google Workspace
Hi,

I know this has been asked multiple times.  But I still cannot get it to work, and am now thinking there is no way to avoid having to re-authenticate from time to time.

I have 'Google Cloud session control' set to 'Never require reauthentication'
I also have 'App Access Control' and added the app ID and set to 'Trusted'

I authenticate via the admin user and everything works.  Then a few months later I get the below error and have to re-authenticate to get GAM working again:

Traceback (most recent call last):
  File "gam/__main__.py", line 49, in <module>
  File "gam/__main__.py", line 44, in main
  File "gam/__init__.py", line 11756, in ProcessGAMCommand
  File "gam/__init__.py", line 9733, in doPrintUsers
  File "gam/__init__.py", line 1078, in buildGAPIObject
  File "gam/__init__.py", line 1006, in getValidOauth2TxtCredentials
  File "gam/auth/oauth.py", line 477, in refresh
  File "gam/auth/oauth.py", line 485, in _locked_refresh
  File "google/oauth2/credentials.py", line 302, in refresh
  File "google/oauth2/reauth.py", line 347, in refresh_grant
  File "google/oauth2/_client.py", line 62, in _handle_error_response
google.auth.exceptions.RefreshError: ('invalid_grant: Bad Request', {'error': 'invalid_grant', 'error_description': 'Bad Request'})
[28599] Failed to execute script '__main__' due to unhandled exception!

Now, I know that I can run: gam oauth delete and gam oauth create to get back in.  But my issue is that I manage the domains for multiple clients.  I do not have an admin account on their systems.  So each time I have to bug them and call their admin, send them the new URL and get the code back from them.

Is there something I am doing wrong?   

p.s.  On another related issue, starting about 6 months ago, instead of getting a code after they approve the access, my clients are saying they get a:

This site can’t be reached

127.0.0.1 refused to connect.

Try:

ERR_CONNECTION_REFUSED


So I have to ask them to get me the URL instead.  

Any suggestions would be greatly appreciated.  

Rocky Borrego

Sep 30, 2022, 1:17:19 PM
to GAM for Google Workspace
Bump...

Sergio Alvarez

Sep 30, 2022, 2:40:20 PM
to GAM for Google Workspace

Hi Rocky, 

Looking at the error, if session control does not expire I believe that the problem could be related to password expiration. If you change the Google password, all tokens created for that user will expire. More information here:


To check if this is the problem, try changing your password. If the token does provide the same error, you would need to ask your administrators for an exclusion on password expiration.

Kim Nilsson

Oct 2, 2022, 7:08:43 AM
to GAM for Google Workspace
Hi, Rocky.

The 127.0.0.1 error is because of the new process to verify.
The instructions for the new process are that they have to copy and paste the URL from the omnibox to you, so you can paste it in your terminal.

The 127.0.0.1 URL is very long, and includes the variables that you need to auth in your terminal.
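
The relayed 127.0.0.1 URL described above can be checked before it is used; this is an added example, not part of the thread and not GAM's own code. It assumes the standard OAuth 2.0 redirect parameters `code`, `state` and `error`; the function name, port and sample values are constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample values, not taken from a real authorization.
SAMPLE_STATE = "constructed-state-7f3a"
SAMPLE_URL = (
    "http://127.0.0.1:8080/?state=constructed-state-7f3a"
    "&code=4/constructed-auth-code&scope=constructed.scope"
)


class RedirectError(ValueError):
    """The pasted URL is not a usable redirect for this auth request."""


def extract_auth_code(pasted_url, expected_state):
    """Return the authorization code from a pasted loopback redirect URL.

    expected_state is the state value the terminal side generated when it
    built the authorization link that was sent to the client's admin.
    """
    parts = urlsplit(pasted_url.strip())
    if parts.scheme != "http" or parts.hostname not in LOOPBACK_HOSTS:
        raise RedirectError("not a loopback redirect URL")

    # keep_blank_values so an empty code= is seen and rejected below.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:
        raise RedirectError("authorization failed: " + params["error"][0])

    for name in ("code", "state"):
        values = params.get(name, [])
        if len(values) != 1 or not values[0]:
            raise RedirectError(f"missing or repeated {name!r} parameter")

    # The state ties the pasted URL to the link that was actually sent out;
    # a URL from an older or different request is rejected here.
    if not hmac.compare_digest(params["state"][0].encode(),
                               expected_state.encode()):
        raise RedirectError("state mismatch: URL is from another request")
    return params["code"][0]
```

The `code` value is a short-lived, single-use credential for the admin's consent, so the pasted URL deserves the same handling as a password while it is in transit.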

Kim Nilsson

Oct 2, 2022, 7:13:54 AM
to GAM for Google Workspace
Hi again, Rocky.

Yeah, if password expiration is the cause, you should tell your clients to stop doing that.
It's been over five years since NIST publicly apologised for ever suggesting that dumb idea.

It's been verified time and time again that regular password expiration in ordinary situations/organisations only decreases security.

NIST's new policy is much easier, and basically only has two rules.
New pass-phrases (not pass-words, semantics, I know, but it matters) should be looooong, and only compromised credentials should be replaced.

The second rule, of course, requires you to make sure people aren't using compromised passwords.

Rocky Borrego

Oct 4, 2022, 4:39:10 PM
to google-ap...@googlegroups.com
Sergio,

Interesting.  I was not aware that if the password changed, the token would expire.  I ran a test where I generated a token and verified it with GAM.  Then I reset the password on the user account and tested GAM.  It has been 2 days now and I still have access to GAM.  In my case, I changed the password and was able to maintain access.  

Anybody else run into this?  In a way I wish it was the case of a changed password causing the token to expire.  I can work around that.  But it is still a mystery to me why sometimes it expires and others it does not.  It almost seems like after a certain amount of time, it just expires.  Even though I have it set to not have any expiration on tokens or user passwords.

Rocky

