Google API 401 Error "Access Token Expired" (session not refreshing?)

Wappler 4.4.4.
NodeJS
VPS with Plesk panel

Good day, everyone!
While administrating my website, sometimes I need to export data to Google Sheets.

I connected to Google API with a service account according to this instruction and everything seemd working well for a while.
But later I started to notice 401 error ACCESS_TOKEN_EXPIRED when I am trying to make an API request to google.

It disappears after I republish the website or after I open it in the incognito browser mode. Manual deletion of “sitename.sid” cookie helps as well.
But of course this needs a proper solution.

Is this a bug or I made some wrong settings?

Or using JWT and google Oauth2 needs some additional tweaking, beside steps in instruction?
Because I see many thorough instructions by @psweb here and here regarding tokens refresh issue with Google API. Is this still relevant now?

Any help and ideas are much appreciated!

The default behavior is that the access_token and refresh_token are stored in a session. It also stores the expires there. Each time the oauth is used it checks if there is an access_token stored in the session and it checks the expires if it isn’t expired. If it is expired it uses the refresh_token to refresh the token.

If you choose Google as Service in the OAuth2 provider it should have the correct parameters. If you added it as a custom you have to add the param access_type with the value offline, without this param it will not give you a refresh_token.

With service account and the JWT flow the access_token expires after 1 hour.

Patrick, thank you.
But what do you suggest I should do to track the source of this error and fix it?

Here are my settings, nothing special.

image437×580 15.6 KB

I suppose I must try “access_type = offline”, though I have chosen “Google” in the “Service”.
I just don’t have another ideas here.

You could create a server action with a setValue step in it, there use {{$_SESSION}} for the value. Make sure output is checked and then do first make your google call so it creates an access_token and then the server action with the setValue which should return the content of what is in the session. It should contain gsheets_oauth_access_token, gsheets_oauth_refresh_token and gsheets_oauth_expires.

Done.
Seems like I don’t have gsheets_oauth_refresh_token

image815×161 6.9 KB

UPD:
Same with the access_type offline

The refresh token is only sent on the initial authorization so you may have to revoke the authorization at Google and try again.

https://myaccount.google.com/permissions?continue=https%3A%2F%2Fmyaccount.google.com%2Fsecurity%3Fpli%3D1%26nlr%3D1

With service accounts it seems a bit different then the standard oauth2 flow, they don’t seem to give a refresh_token.

Using OAuth 2.0 for Server to Server Applications | Google Identity | Google Developers

When access tokens expire

Access tokens issued by the Google OAuth 2.0 Authorization Server expire after the duration provided by the expires_in value. When an access token expires, then the application should generate another JWT, sign it, and request another access token.

We reuse the JWT each time, that is probably the problem, it should generate a new JWT each time for new authorization.

Here an update that should force the JWT to be generated new each time. When the access_token is expired it will be removed from the session and it will use the JWT again to create a new access_token.

app.zip (4.2 KB) Unzip to lib/core.

Thank you! That’s a huge relief. I will test it and will come back with feedback.

Patrick, seems like fix doesn’t help. Problem still appears.

I think this is a different case, because I am using a service account.

Seems that the check for the expire was also not correct, here an update.

index.zip (1.8 KB) Unzip to lib/oauth.

Yep, I didn’t realize service accounts were handled differently. Patrick has you covered.

It worked! Thank you, Patrick.
Using Google API via service account will help me a lot in my projects.

This has been fixed in Wappler 4.4.5

This topic was automatically closed after 47 hours. New replies are no longer allowed.