Refresh Token for Project revoked after certain period


Martin Dufort

Jan 12, 2021, 11:01:39 AM
to Google Cloud Developers
I'm inquiring about the validity of a refresh token for a project whose OAuth consent screen publishing status is "Testing".

Our project is running multiple Cloud Functions to view and book events in the authenticated user's primary calendar from externally parsed sources.

The OAuth process is working OK and we are able to insert and view events from the user's calendar without problems for a few days.

However, after a couple of days (around 10) with 3-4 days of non-activity, we are suddenly unable to access the Calendar API with the following error:

google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', '{\n  "error": "invalid_grant",\n  "error_description": "Token has been expired or revoked."\n}')

The Cloud Functions are using the Google Python API library to discover and interact with the Calendar API.

We can also confirm that the user (in this case our test user) did not revoke permission to the app and the account password was not changed. 

Are there any limitations on the validity of a refresh token for a project where the OAuth consent screen publishing status is set to "Testing" and the "User Type" is set to external? (See attached screenshot.)

We want to rule out any errors from our side that would lead to this condition before deploying our solution. 
Thanks
CleanShot 2021-01-12 at 09.09.27.png

Sohail Alvi

Jan 12, 2021, 8:13:19 PM
to Google Cloud Developers
Hello,

By default, OAuth 2.0 access tokens are valid for a maximum of 1 hour (3,600 seconds). However, you can extend the maximum lifetime for these tokens to 12 hours (43,200 seconds). To do so, identify the service accounts that need an extended lifetime for tokens, then add these service accounts to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint. You can then specify a lifetime up to 43,200 seconds when you create a token for these service accounts [1].

I researched on why token expires and the only thing I was able to find was this article "https://developers.google.com/identity/protocols/OAuth2" [2] that has the following information in regards to token expiration:

A token might stop working for one of these reasons:

1.) The user has revoked access.
2.) The token has not been used for six months.
3.) The user changed passwords and the token contains Gmail scopes.
4.) The user account has exceeded a certain number of token requests.

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts. There is also a larger limit on the total number of tokens a user account or service account can have across all clients.

As you said you have refreshed the access token, there might be some issues with the refresh token per user quota. Please check your refresh_token_prefix for the refresh count quota per user [3].
Thank You,

Links:

Martin Dufort

Jan 13, 2021, 1:57:10 PM
to Google Cloud Developers
Thanks for the reply. 
After reading your response, we have validated a number of things on our side. 

Here's the result of that evaluation:
1- Yes we see that the access token is valid for 1 hour. Obtaining new access tokens is working correctly if the current one is expired. This behavior worked for around 10 days. 
2- We don't think we can use a service account to extend access token expiration time because our app is not an Internal app but a Public app. Users are not associated to our organization. Please confirm.
3- Validated reasons for not working:
  1.) Access has not been revoked
  2.) Access token was used 3 days before refresh failure
  3.) User did not change password since token issuance
  4.) User was only issued one (1) refresh token after the OAuth flow completed successfully, i.e. the OAuth flow was executed once before refresh failure

Can you validate internally that there is something specific about the ClientID / OAuth Consent Screen being in Testing mode versus Production?
Thanks

Sohail Alvi

Jan 14, 2021, 3:05:16 PM
to Google Cloud Developers
Hello,

Thank you for your feedback. I researched internally and I don't find any major reported failure against the ClientID / OAuth Consent Screen. Your issue seems like a local configuration issue, and if you want you can open an Issue Tracker [1] to have it investigated by our product engineering.
Thank you,

Martin Dufort

Feb 9, 2021, 9:34:52 AM
to Google Cloud Developers
Just to close this thread. Now the documentation here [1] is stating this:
  - A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

That statement was not there when this post was initiated...
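An added example (not code from the thread or from google-auth) showing how a client can tell the 7-day Testing-mode expiry quoted above apart from other `invalid_grant` causes and decide on a non-retryable re-consent instead of retrying the refresh. The helper names, the use of POSIX seconds for timestamps, and the `publishing_status` string are assumptions; the sample error args are constructed to match the error shown in the original post.

```python
import json

# Assumption for this example: refresh tokens issued to an external-user-type
# project whose OAuth consent screen is in "Testing" status expire after 7 days
# (the documentation statement quoted in the thread). Timestamps are POSIX seconds.
TESTING_REFRESH_TOKEN_LIFETIME_S = 7 * 86400

# Constructed sample: the args tuple google-auth attaches to the RefreshError
# shown in the original post (summary string, raw JSON response body).
SAMPLE_REFRESH_ERROR_ARGS = (
    "invalid_grant: Token has been expired or revoked.",
    '{\n  "error": "invalid_grant",\n'
    '  "error_description": "Token has been expired or revoked."\n}',
)


def oauth_error_code(args):
    """Extract the OAuth error code ('invalid_grant', ...) from RefreshError.args.
    Prefers the JSON body; falls back to the 'code: description' summary."""
    for part in args:
        if isinstance(part, str) and part.lstrip().startswith("{"):
            try:
                body = json.loads(part)
            except ValueError:
                continue
            if isinstance(body, dict) and "error" in body:
                return body["error"]
    summary = str(args[0]) if args else ""
    return summary.split(":", 1)[0].strip() or "unknown"


def refresh_token_status(issued_at, now, publishing_status):
    """'expired' once a Testing-mode refresh token is older than 7 days, else 'ok'.
    Projects with a production publishing status are not subject to this limit."""
    if publishing_status == "Testing" and now - issued_at > TESTING_REFRESH_TOKEN_LIFETIME_S:
        return "expired"
    return "ok"


def next_action(error_args, issued_at, now, publishing_status):
    """Map a refresh failure to an operator action. invalid_grant is not retryable:
    discard the stored refresh token and send the user through consent again."""
    code = oauth_error_code(error_args)
    if code == "invalid_grant":
        if refresh_token_status(issued_at, now, publishing_status) == "expired":
            return "reauthorize: Testing-mode refresh token exceeded 7-day lifetime"
        return "reauthorize: refresh token revoked or expired for another reason"
    if code in ("temporarily_unavailable", "server_error"):
        return "retry"
    return "investigate: " + code
```

Recording the refresh token's issue time alongside the token lets the function warn before day 7 as well, so a Testing-mode deployment can re-consent the user proactively rather than discovering the expiry through a failed Calendar call.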
