OAuth2.0 token strange behaviour (Invalid Credentials 401)

Question

Usually, Google OAuth2.0 mechanism is working great.

1. The user confirms permission to access Google account with selected scopes.
2. The refresh token is

Answer 1

I recently experienced this weird error. My fix: I put the function that unsets all of the sessions before redirecting to AuthUrl.

Answer 2

Maybe this is helpful to someone:

I had a similar issue using the JavaScript Google-API client for Calendar API. At random times it would work but mostly I got the same error. Adding scopes, testing key, nothing helped. After a few hours I found this solution, no idea why it works but it solved the issue for me:

gapi.client.init({
    'apiKey': API_KEY,  <-- DOESN'T WORK
    'clientId': CLIENT_ID,
    'discoveryDocs': DISCOVERY_URLS,
    'scope': SCOPE
}).then(function() {
    // gapi.client.setApiKey(API_KEY); <-- ADD THIS
})

Answer 3

I ran into this same problem when I needed to change my scopes from Read Only to Read And Write All Files. So, I updated my scopes from at the top of my file from Read Only to:

// If modifying these scopes, delete your previously saved credentials
// at ~/.credentials/sheets.googleapis.com-nodejs-quickstart.json
var SCOPES = ['https://www.googleapis.com/auth/drive'];

Google, from their API guide, has these comments that say whenever you change scopes, you must update credentials. I believe this means, although I am not certain, that the token must be updated. The old token is still held by Google and it thought that I only had Read Only access, hence why it would return a 401 error. So, I need to remake my token, but Google never offered a new consent screen that would allow me to say allow Read And Write To All Files. So, I needed to get that screen to come up again, so it would create a new token to replace the old one:

fs.readFile(TOKEN_PATH, function(err, token) {
    if (err) {
      getNewToken(oauth2Client, callback);
    } else {
        getNewToken(oauth2Client, callback);
    //   oauth2Client.credentials = JSON.parse(token);
    //   callback(oauth2Client);
    }
  });

Since I already had a saved token, it was never creating a new one. So, I just commented out the using of the old token and told it to get a new token, no matter if we have one or not. Then, I went to my Connected Apps in Google and deleted my old connecting credential. I'm not sure if this step is necessary, but I am only trying to access my personal account. Then, when I ran my program, it prompted me to re-authenticate, and everything worked and I did not receive an authentication error. Once done, make sure to remove the commented out lines for using already made tokens. I was using the Google API quickstart.js file for all of this.

So, when I updated my scopes, the old token was still using the Read Only scope, therefore I would get (401) Invalid Credentials.

Answer 4

I received (401) Invalid Credentials when I removed the access to my Google Account for the particular app. So what I had to do was to request the authorization URL (the one which starts with https://accounts.google.com/o/oauth2/auth), again.

Answer 5

I had this problem when I tried experimenting with changing the redirect url in google console and then updating my json credentials file on server. I had to clear the session variables before starting afresh. So in your project just do this once:

session_start(); //starts a session
session_unset(); //flushes out all the contents previously set

Remember to remove the session_unset() after dry running it once.

Answer 6

If you're using an account that's part of a GSuite set up, you might need to add GSuite Basic to the account. You get to this by Users > Click on user > Licenses.