Invalid token with `invalid_grant` after a week

[jamm3e3333]

Environment details

• Node.js version: v12.22.8
• npm version: 6.14.15
• googleapis version: 72.0.0
• googl-auth-library version: 7.0.4
• environment variabels: clientId, clientSecret, redirectUri

Issues

• google cloud functions are implemented and are using gmail service from googleapis and oAuth2Client from google-auth-library packages
• tokens are created when login into a gmail service account and stored in a db from which are read when tokens are needed
• tokens are refreshed every hour by setting a cron job on a cloud function that refreshes tokens
• after a week tokens get invalid even after refreshing them every hour

Cloud functions used in application

cloud functions are deployed on gcp
functions 1) and 2) are triggered only once
on function 3) is set the cron job every hour
on function 4) is set the cron job every day

Functions used:

1) Login

1. instantiate oAuth2Client

new googleAuth.OAuth2Client({ clientId, clientSecret, redirectUri })

2. redirect to url to login into gmail service account

oAuth2Client.generateAuthUrl({
    access_type: 'offline‘,
    scope: ['profile‘, 'email‘, ‚https://www.googleapis.com/auth/gmail.modify']
})

3. when the gmail is authorised, it’s redirected to the cloud function Handle oAuth2 Callback address with the query parameter code with which new tokens are received

2) Handle oAuth2 Callback

1. instantiate oAuth2Client

new googleAuth.OAuth2Client({ clientId, clientSecret, redirectUri})

2. call a method getToken on an instance of oAuth2Client and pass a parameter as a query parameter from request obtained from a login function
3. the method returns a new token object ({access_token, expiry_date, id_token, refresh_token, token_type, scope}) which is stored in a database
4. call method setCredentials on an instance oAuth2Client and pass created tokens as an argument
5. call google.options({ auth: oAuth2Client }) so the gmail service can be used with the service account
6. call watch method

gooogle.gmail( 'v1‘).users.watch({
    userId: email,
    requestBody: {
        labelIds: ['INBOX`], 
        topicName: PUBSUB_TOPIC,
        }
    })

variable email is passed from a method google.oauth2('v2‘)userinfo.get() and PUBSUB_TOPIC is set in a google console for the service account

3) Sync mails

1. instantiate oAuth2Client

new googleAuth.OAuth2Client({ clientId, clientSecret, redirectUri})

2. read stored tokens object from db
3. call method setCredentials on an instance OAuth2Client and pass tokens as an argument
4. call method getAccesToken on oAuth2Client instance to refresh tokens validity
5. call google.options({auth: oAuth2Client})
6. process messages from gmail service account

4) Refresh Watch

1. instantiate oAuth2Client

new googleAuth.OAuth2Client({ clientId, clientSecret, redirectUri})

2. read stored tokens object from db
3. call method setCredentials on an instance OAuth2Client and pass tokens as an argument
4. call method getAccesToken on oAuth2Client instance
5. call google.options({auth: oAuth2Client})
6. call watch method

gooogle.gmail('v1‘).users.watch({
    userId: email, 
    requestBody: {
        abelIds: ['INBOX`], 
        topicName: PUBSUB_TOPIC,
        }
    })

email is passed as a me string and PUBSUB_TOPIC is set in a google console for the service account

Steps done to try to fix the issue with invalid tokens

• every time after creating a new intsance of oAuth2Client, call on method and listen on an event tokens to update tokens in db, but this didn't help

on.('tokens', (tokens) => {
    ...
})

• when tokens are created check the validity of tokens on website (https://www.googleapis.com/oauth2/v1/tokeninfo?access_token), (https://www.googleapis.com/oauth2/v3/tokeninfo?id_token), to check the validity -> tokens were valid
• obviously after a week checking the validity of tookens were error invalid_grant occured -> tokens were invalid

Error that is showing up:

error: {
code: "400"
message: "invalid_grant"
stack: "Error: invalid_grant
    at Gaxios._request (/workspace/node_modules/gaxios/build/src/gaxios.js:129:23)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async OAuth2Client.refreshTokenNoCache (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:174:21)
    at async OAuth2Client.refreshAccessTokenAsync (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:198:19)
    at async OAuth2Client.getAccessTokenAsync (/workspace/node_modules/google-auth-library/build/src/auth/oauth2client.js:227:23)"
}

[LindaLawton]

Apps that are in test have their refresh tokens expired after seven days.

To fix it up your application into production.

Refresh token

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

[jmsmistral]

I must say that this is very annoying.
I have a very simple node app that I run locally to download some data from a Google Sheet I update with cost transactions. It just saves me having to copy and paste the data to an Excel. It worked when I first set it up, but it doesn't any more because of this issue.

Now to lift this 7-day limit, I have to:

• publish the app to production
• go through an entire verification process that could take 3-6 weeks
• provide links to a web page with privacy related verbiage of how I am using the data
• create a Youtube video explaining about the scope usage

It's only me using this app :(

[frontBOI]

I must say this is very annoying procedure. Could you please increase this limit to six month ?