solotherm solotherm - 18 days ago 10
PHP Question

Error refreshing the OAuth2 token @ Google_CalendarServices (php)

i know there are many similar questions, where the 'invalid_grant' is the only 'answer' we got from google api, but all them are old, or discussing different ways of getting to the same message.

The weird part is, that this 'thing' only stopped working for 2 days ago. In our CRM we book meetings into GoogleCalendars associated with our GoogleAccount. Now in the last 2 days we are experiencing problems, never happend before.

The application fails like this:

Fatal error:  Uncaught exception 'Google_AuthException' with message 'Error refreshing the OAuth2 token, message: '{"error" : "invalid_grant";}

Stack trace:

#0 /path/to/plugins/google-api-php-client/src/auth/Google_OAuth2.php(240): Google_OAuth2->refreshTokenRequest(Array)
#1 /path/to/plugins/google-api-php-client/src/auth/Google_OAuth2.php(217): Google_OAuth2->refreshToken('1/ourtoken...')
#2 /path/to/plugins/google-api-php-client/src/service/Google_ServiceResource.php(167): Google_OAuth2->sign(Object(Google_HttpRequest))
#3 /path/to/plugins/google-api-php-client/src/contrib/Google_CalendarService.php(494): Google_ServiceResource->__call('insert', Array)


This is the actual http answer:


Google_HttpRequest Object
(
[batchHeaders:Google_HttpRequest:private] => Array
(
[Content-Type] => application/http
[Content-Transfer-Encoding] => binary
[MIME-Version] => 1.0
[Content-Length] =>
)

[url:protected] => https://accounts.google.com/o/oauth2/token
[requestMethod:protected] => POST
[requestHeaders:protected] => Array
(
[content-type] => application/x-www-form-urlencoded
[content-length] => 196
)

[postBody:protected] => client_id=111111111.apps.googleusercontent.com&client_secret=secretSECTRETsecretSECRET&refresh_token=1%2FveryLONGtokenSTRINGhafbuaADDFR&grant_type=refresh_token
[userAgent:protected] => Google Calendar PHP Starter Application google-api-php-client/0.6.0
[responseHttpCode:protected] => 400
[responseHeaders:protected] => Array
(
[content-type] => application/json; charset=utf-8
[cache-control] => no-cache, no-store, max-age=0, must-revalidate
[pragma] => no-cache
[expires] => Mon, 01 Jan 1990 00:00:00 GMT
[date] => Thu, 10 Nov 2016 01:05:15 GMT
[x-content-type-options] => nosniff
[x-frame-options] => SAMEORIGIN
[x-xss-protection] => 1; mode=block
[server] => GSE
[alt-svc] => quic=":443"; ma=2592000; v="36,35,34"
[accept-ranges] => none
[vary] => Accept-Encoding
[transfer-encoding] => chunked
)

[responseBody:protected] => {
"error" : "invalid_grant"
}
[accessKey] =>
)


Yes we are using an older version not anything new. Yes the account is live, the calendar into which we are trying to insert is existing. No privileges or passwords were changed/reset. We tried all our calendars - no success at all. And i tried also some minor changes/hacks I found here like not using developer key, set access type to offline, synchronizing server time and so on...

Actually we did nothing with the whole thing before it broke. So there is one question: did Google changed something in the behaviour/code or something? Or did we miss something (like deprecated/deleted functions)?

EDIT #1

One of my colleges did change something in fact. (More on that at the end of edit section)

So we have one 'main' google account, wit developer key and clientid and everything -> and this account also has 1 calendar.

Than we have multiple other google accounts for our co-workers. We have grants from main calendar to their calendars and vice-versa. In our CMS we try to add an event (hence insert on Google_CalendarService) to one of the co-workers calendar.

So one of our co-workers quit the job, and my college change HIS password. And removed grants. Well it happend Monday at 16:00 and Tuesday morning we got the first error. Could this one google account's change affect the behaviour of all other, resp. the behaviour of the main calendar account???

-- end of EDIT #1

If anyone experienced something similar like this and managed to fix, please give some advise. Thank you!

Answer

Good news everyone (who cares at all)!

After endless digging and try&fails, I found out that google had in fact blocked our old access token. Maybe it was the password change and grant removal from our side, maybe it was the ex-co-workers attempt to revoke or reset something, not sure. But the token was not active anymore.

After some small challanges with the Oauth2 Playground I've set up a connection with our API credentials, and got the new connection preferences (new access token and new refresh tokens)

Special thanks and a big shout out to @DaImTo for pointing out, that it's probably the inactive/old token what is causing this issue.

@Google: please add meaningful error messages and error descriptions, it will be much cooler to lose some minutes to hours as 2-3 days to solve 'minor' but critical issues like this one!

I hope this post will help someone once in the future. Peace!

Comments