I know a few circumstances where a Refresh Token expires, or becomes 
invalid:

1. Your software revoked the token 
<https://developers.google.com/identity/protocols/oauth2/native-app#tokenrevoke>. 
In other words, your software has a Logout function and that was 
successfully called.
2. That user went to his Google account settings, Security, and then Manage 
third party access (direct link <https://myaccount.google.com/permissions>). 
He saw your OAuth2 client (here called "third party app"), clicked on it, 
and then clicked "Remove Access".
3. The Refresh token expired because it was not used in six months. By 
usage, it means obtaining an access token using that particular Refresh 
token.
4. The user granted your OAuth2 client access over 50 times, without 
logging out in between. For instance, you have a web application storing 
the refresh token in a cookie, and the user destroys his cookies every now 
and then. Because of that, he has to log in because the old tokens were 
never revoked. Now, if you also use that same OAuth2 client in an app, then 
at one point the refresh token for that app will become invalid.
5. The most likely reason: the requested OAuth2 scope was not limited to 
adwords, it also contained one or more gmail scopes. In that case, when a 
user changes his password, all refresh tokens with a gmail scope become 
invalid.

Reasons 2 to 5 are documented at the Google OAuth2 docs 
<https://developers.google.com/identity/protocols/oauth2#expiration>.

A few years ago I noticed that the last reason was incomplete. You get the 
same results if a Google Analytics token is included. I am not sure if 
this is still the case; this behaviour has never been officially documented.

When you do get to the bottom of it, please post your findings!





On Friday, April 10, 2020 at 4:56:53 PM UTC+2, Casual Stone wrote:

> Hello. We store refresh tokens per user retrieved after OAUTH 2 
> authentication. We use refresh_token to fetch access_token if it is 
> expired. But recently I noticed that some of our customers get 400 "Bad 
> Request" "invalid_grant" error. While investigating the issue I noticed 
> that refresh_token was expired (or broken), but if you authenticate again 
> you get a new one, and everything starts working again.
> So my question — is it possible for refresh_token to be expired? Or Google 
> just changed recently the way token was generated? Or maybe we 
> unintentionally corrupted refresh_tokens somehow in our database?
>
> Kind Regards,
> Petro
>
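
An added example, not part of the original thread and not Google's code: one way to act on the `invalid_grant` response discussed above, dropping the dead refresh token and sending the user back through consent while keeping the token on transient failures. The token store, function names and sample responses are assumptions constructed for illustration.

```python
import hashlib
import json
from enum import Enum


class Action(Enum):
    REAUTHORIZE = "reauthorize"  # refresh token is dead; user must consent again
    RETRY = "retry"              # transient failure; keep the token and back off
    FIX_CONFIG = "fix_config"    # client-side problem; re-consent will not help


def classify_refresh_failure(status: int, body: str) -> Action:
    """Map a failed refresh_token grant response to the next step."""
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None  # non-JSON body, e.g. a proxy error page
    error = parsed.get("error") if isinstance(parsed, dict) else None
    if status == 400 and error == "invalid_grant":
        return Action.REAUTHORIZE
    if status == 429 or status >= 500:
        return Action.RETRY
    return Action.FIX_CONFIG


def fingerprint(refresh_token: str) -> str:
    """Short SHA-256 prefix so logs can reference a token without exposing it."""
    return hashlib.sha256(refresh_token.encode()).hexdigest()[:12]


def handle_refresh_failure(store: dict, user_id: str, status: int, body: str) -> Action:
    """Apply the decision to a hypothetical per-user token store (a dict here)."""
    action = classify_refresh_failure(status, body)
    if action is Action.REAUTHORIZE and user_id in store:
        dead = store.pop(user_id)  # never keep retrying a revoked or expired token
        print(f"user={user_id} token={fingerprint(dead)} invalid_grant: re-consent needed")
    return action


# Constructed sample responses, shaped like the error quoted in the thread.
SAMPLE_INVALID_GRANT = '{"error": "invalid_grant", "error_description": "Bad Request"}'
SAMPLE_BACKEND_ERROR = "<html>502 Bad Gateway</html>"

if __name__ == "__main__":
    tokens = {"alice": "1//constructed-refresh-token"}
    print(handle_refresh_failure(tokens, "alice", 400, SAMPLE_INVALID_GRANT))
    print(handle_refresh_failure(tokens, "alice", 502, SAMPLE_BACKEND_ERROR))
```

Logging the fingerprint together with the requested scopes and the time the token was last used makes it possible to tell afterwards which of the listed causes applied.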
