
As of yesterday, my application is able to authenticate with Google (YouTube) via OAuth 2.0 the first time with no problem, but the second time (re-authentication, same app + same user), when I exchange the requestToken for an accessToken, I get an error:

error : invalid_grant

I'm using:

grant_type = authorization_code

like they suggest. What used to happen, until two days ago, was that on re-authentication the web page would say 'you've already authenticated with this application before, would you like to grant it access again?'. What has changed, or what could I be doing wrong?

John Conde
Shizam
  • I am having the same problem, I am trying to refresh the token [link](http://code.google.com/apis/accounts/docs/OAuth2WebServer.html#offline) – Andrew Leafe Dec 08 '11 at 16:37
  • In the meantime I've found a work-around. You can pass a parameter 'approval_prompt=force' to the authorize URL and it will _always_ prompt the user to authorize your app, even if they've authorized it in the past. So they'll never get the 'you've already authorized this app before' page, but apparently that's not working anymore anyway. More information here: https://code.google.com/apis/accounts/docs/OAuth2WebServer.html#formingtheurl – Shizam Dec 08 '11 at 17:48
  • We're also having this issue. – EricP Dec 08 '11 at 18:05

2 Answers


I found a way to fix this (at least for us). When redirecting to the accounts.google.com/o/oauth2/auth URL, we had to add both approval_prompt=force and access_type=offline. If one was missing, we got no refresh token.

This url documents all of the parameters, but says nothing about the refresh token: http://code.google.com/apis/accounts/docs/OAuth2WebServer.html

EricP
  • Aw man, that's brutal. I didn't notice no refresh_token was being given; I wonder what users' reactions will be to the 'offline' notice that they're agreeing to :p – Shizam Dec 09 '11 at 04:39
  • So I came to this same 'brutal' conclusion, and am now trying to exchange the refresh_token for a new one with `grant_type=refresh_token`. However, I still get the same error identified above. – Andrew Leafe Dec 10 '11 at 13:08
  • So for my understanding... the only way around this is to keep asking users for permission each time they want to log into your app??? – Fer Dec 12 '11 at 10:40
  • No, we don't have to ask the user for re-auth every time. We save the refresh token on our server and use it to request a new access token behind the scenes. Without the fix I described above, YouTube had stopped giving us a refresh token. – EricP Dec 12 '11 at 20:44

I think I may have found the answer here:

https://groups.google.com/forum/#!searchin/oauth2-dev/invalid_grant/oauth2-dev/eaOa6THER0k/z4eO-taUFxgJ

The problem was that the "code" parameter that you need to send needs to be encoded. It will work when you set approval_prompt to force because the return code contains URL-safe characters. However, this is not the case for the return code upon a second authorization request.

For me this fixed it, I hope it does for you as well.

Fer
  • Nobody knows why Google APIs throw the invalid_grant error. In my case, the code works just fine for most users but Google throws invalid_grant for some users. Google APIs don't provide any better explanation. I looked into the Google documentation, no clear answer. – Allen King Jan 24 '15 at 00:03
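As an added example (not code from the question or either answer), the following Python puts the two fixes from this thread side by side: the authorization URL carrying both access_type=offline and approval_prompt=force as EricP's answer requires, and a token-exchange body that form-encodes the code parameter as Fer's answer describes, next to the naive string concatenation that sends a code containing characters such as '/' or '+' literally. The client ID, client secret, redirect URI, scope, token endpoint and the code values are constructed placeholders; the state check on the callback is standard OAuth 2.0 CSRF protection that the thread does not discuss. Nothing here talks to Google; it only builds the URL and request bodies.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# The authorization endpoint is the one named in the first answer. The token
# endpoint is an assumption from Google's OAuth 2.0 web-server docs of that era.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"

# Constructed placeholders, not real credentials or a real scope.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example/oauth2/callback"
SCOPE = "https://gdata.youtube.com"


def build_auth_url(state, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, scope=SCOPE):
    """Authorization URL with both parameters the first answer says are needed.

    access_type=offline asks for a refresh token; approval_prompt=force re-shows the
    consent page so the refresh token is issued again on re-authorization. state is
    an opaque per-session value verified on the callback (CSRF protection).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "access_type": "offline",
        "approval_prompt": "force",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Pull the authorization code out of the redirect back to redirect_uri.

    parse_qs percent-decodes, so a code delivered as 4%2Fabc comes back as 4/abc;
    that decoded value is what must be re-encoded when it is sent to the token
    endpoint. A state mismatch or an error= response is rejected.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_exchange_body(code, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                        redirect_uri=REDIRECT_URI):
    """Body for the POST to TOKEN_ENDPOINT as application/x-www-form-urlencoded.

    urlencode turns '/' into %2F and '+' into %2B, so a code containing those
    characters arrives at Google exactly as issued (the fix in the second answer).
    """
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    })


def naive_token_exchange_body(code, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                              redirect_uri=REDIRECT_URI):
    """The bug: concatenation sends the code unencoded.

    A form decoder on the server turns a literal '+' into a space, so the code no
    longer matches the one that was issued and the exchange fails.
    """
    return ("grant_type=authorization_code&code=" + code
            + "&client_id=" + client_id
            + "&client_secret=" + client_secret
            + "&redirect_uri=" + redirect_uri)


def refresh_body(refresh_token, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Body to trade a stored refresh token for a new access token, with no user prompt."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


if __name__ == "__main__":
    # Constructed callback; the code deliberately contains '/' and '+'.
    callback = REDIRECT_URI + "?state=s1&code=4%2Fconstructed%2Bcode%2Fvalue"
    code = parse_callback(callback, "s1")
    print(build_auth_url("s1"))
    print("encoded:", token_exchange_body(code))
    print("naive:  ", naive_token_exchange_body(code))
    print(refresh_body("1/constructed-refresh-token"))
```

The body returned by token_exchange_body or refresh_body is what gets POSTed to the token endpoint with Content-Type application/x-www-form-urlencoded; any HTTP client that accepts a dict of form fields does the same encoding for you, and the bug only appears when the body is assembled by hand. One caveat for anyone reading this thread today: Google has since deprecated approval_prompt in favour of prompt=consent, which plays the same role of forcing the consent screen so a refresh token is reissued.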