IssueTracker

To help us understand the issue, please ensure you have provided a minimal code example that reproduces the problem, including the API calls, errors, and responses you're seeing.

Generated Metadata

• Summary: The developer is encountering an issue where refresh tokens for their Google Forms app are expiring unexpectedly after a short period (40-60 minutes), resulting in "invalid_grant" errors when attempting to refresh access tokens. It appears to be affecting multiple users and persists even after re-authorization.
• Tags:
  • apps-script
  • refresh-token
  • invalid-grant
  • oauth
  • google-forms

Additional resources:

• https://stackoverflow.com/.../google-ads-api-with-google-apps-script-no-ac...
• https://stackoverflow.com/.../how-to-log-the-error-oauth2-for-google-apps-...
• https://stackoverflow.com/.../obtain-access-token-to-docusign-using-google...
• https://stackoverflow.com/.../how-can-i-reauthorize-dvc-with-google-drive-...
• https://stackoverflow.com/.../managing-google-sheets-api-refresh-token

You can subscribe to this issue by clicking the star ⭐ button.

Its not a code issue.

We are having an issue with refresh_tokens expiring. We have developed a Google Forms app. This app was approved and is available on the Marketplace. This app has some scopes in order to run in the Google Form:

https://www.googleapis.com/auth/forms https://www.googleapis.com/auth/forms.currentonly https://www.googleapis.com/auth/script.container.ui https://www.googleapis.com/auth/script.external_request https://www.googleapis.com/auth/script.scriptapp https://www.googleapis.com/auth/spreadsheets

Then, after the user accepts those scopes, they can use OAuth to our external app and approve the scope:

https://www.googleapis.com/auth/spreadsheets

This allows our external app to access their spreadsheet to get some values.

The first request we get from a customer, we store an encrypted refresh_token. Then we use the provided access_token to access the spreadsheet. When the access_token expires, we generate a new one using the stored refresh_token.

And this is where the problems start. We are having issues because we have some users that can't refresh their access tokens. When we post the refresh token with the grant_type as 'refresh_token', client_id and client_secret to https://oauth2.googleapis.com/token, we get the error message {"error": "invalid_grant","error_description": "Bad Request"}

The customers are not revoking the app's access. We know that for sure. We have made some tests and the process works for about 40 mins to 1 hour. Then the refresh_token is being somehow revoked and don't work anymore. If the customer manually revokes the app's access and restarts the oauth process, it works for another 40/60 mins and then fails again.

1. Are you revoking the access token? (it also revokes the refresh token associated with it) https://developers.google.com/identity/protocols/oauth2/web-server#tokenrevoke
2. Verify that none of these cases apply: https://developers.google.com/identity/protocols/oauth2#expiration
3. Is your OAuth client in production and verified?

1. No. The tokens are not being revoked (neither access token nor refresh token). Neither manually nor programmatically.

2. 2.1. The user has not revoked the app's access.
   2.2. The refresh token was created an hour before.
   2.3. The user did not change passwords and there are no Gmail scopes.
   2.4. Where can I confirm that the user account has not exceeded the maximum number of granted refresh tokens?
   2.5. No Restricted scopes are being used.
   2.6. Where can I check the session length set by the admin in the Google Cloud Platform APIs?

3. Yes. (Check images)

Any update? about my last message?

Please file a ticket with Google Cloud support from the project containing the OAuth client as they will have the ability to investigate further.

https://console.cloud.google.com/support

Closing here as it is not specific to Apps Script.