1

I have a web server that communicates with an iOS app to get an offline access token/refresh token pair for users. This seemed to be working well until recently, when, without any code changes, most authentication requests to Google started failing. I have been attempting to debug "invalid_grant" errors that occur seemingly non-deterministically. A single user may try to authenticate multiple times, with some of the attempts accepted by Google and some not. The errors that we are seeing come in the following form (we're using the Google Java API client):

```
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
{
  "error" : "invalid_grant",
  "error_description" : "Invalid code."
}
    at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
    at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
    at com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest.execute(GoogleAuthorizationCodeTokenRequest.java:158)
```

I have tried ensuring that the server we are running this on has a properly synced clock with NTP.

I'm at a bit of a loss here on how to proceed. How would you debug this?

Robert Chu
  • Have you taken a look at [this question](http://stackoverflow.com/questions/10025698/authentication-on-google-oauth2-keeps-returning-invalid-grant) or [this one?](http://stackoverflow.com/questions/24002970/google-oauth-token-exchange-returns-invalid-code) – Tom Howard Sep 05 '15 at 00:05
  • I haven't looked at those posts specifically, but I'm pretty sure it's not re-use of the authorization code since exchanging it for an access token/refresh token pair succeeds sometimes. We are definitely using the access token within 10 minutes (should always be used within 10 seconds). The second post seems to refer to issues with expiring access tokens, not offline access/refresh token pairs. To clarify: the issues we're seeing are all when initially exchanging an authentication code for an access/refresh token pair. – Robert Chu Sep 05 '15 at 00:18
  • Oh, I also tried revoking my app's access to my Google account through security.google.com to no effect. Still getting `"invalid_grant"` errors. – Robert Chu Sep 05 '15 at 00:20

1 Answer

0

I was also trying to mitigate this error with the Java API client, and the most likely cause I found was a malformed request or an invalid username or password. In other words, pointing a right password to a wrong path (which generally happens after editing resources) can also cause it. Also, providing a significant delay between successive requests sometimes works.

khakishoiab
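A diagnostic for the code re-use question raised in the comments, added here as an example and not taken from any of the posts or from the Google client library: it logs a short SHA-256 fingerprint of every authorization code the server is about to exchange, so a second exchange attempt for the same code shows up in the logs without the code itself ever being written to them. The class name `AuthCodeAudit`, its methods and the sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/** Hypothetical debugging helper; not part of the Google API client. */
public class AuthCodeAudit {
    // fingerprint -> time the server first tried to exchange that code
    private final ConcurrentMap<String, Instant> firstSeen = new ConcurrentHashMap<>();

    /** First 8 bytes of SHA-256 in hex, so logs never hold the code itself. */
    static String fingerprint(String code) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(code.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 8; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required in every JRE
        }
    }

    /** Call immediately before each token exchange; returns the line to log. */
    public String record(String code, Instant now) {
        String fp = fingerprint(code);
        Instant prev = firstSeen.putIfAbsent(fp, now); // atomic across request threads
        if (prev == null) {
            return "code=" + fp + " first exchange attempt";
        }
        return "code=" + fp + " DUPLICATE exchange attempt, first seen "
                + Duration.between(prev, now).toMillis() + " ms earlier";
    }

    public static void main(String[] args) {
        AuthCodeAudit audit = new AuthCodeAudit();
        Instant t0 = Instant.parse("2015-09-05T00:00:00Z");
        // Constructed sample values, not real authorization codes.
        System.out.println(audit.record("4/sample-code-A", t0));
        System.out.println(audit.record("4/sample-code-B", t0.plusSeconds(2)));
        System.out.println(audit.record("4/sample-code-A", t0.plusMillis(350)));
    }
}
```

Logging the same fingerprint alongside each `TokenResponseException` shows whether the failing requests are repeat submissions of a code that was already exchanged, for example a retry from the app. The map is unbounded, so this is meant as a temporary debugging aid.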