OAuth2.0 token strange behaviour (Invalid Credentials 401)

Question

Usually, Google OAuth2.0 mechanism is working great.

1. The user confirms permission to access Google account with selected scopes.
2. The refresh token is

Answer 1

Maybe this behavior is due to a limitation which Google describes as follows:

There is currently a limit of 50 refresh tokens per user account per client. If the limit is reached, creating a new token automatically invalidates the oldest token without warning. This limit does not apply to service accounts.

There is also a larger limit on the total number of tokens a user account or service account can have across all clients. Most normal users won't exceed this limit but a developer's test account might.

Answer 2

Per the Google API docs on errors & error codes:

https://developers.google.com/drive/handle-errors#401_invalid_credentials

401: Invalid Credentials

Invalid authorization header. The access token you're using is either expired or invalid.

error: {
  errors: [
   {
  "domain": "global",
  "reason": "authError",
  "message": "Invalid Credentials",
  "locationType": "header",
  "location": "Authorization",
  }
  ],
  "code": 401,
  "message": "Invalid Credentials"
  }
}

This matches your version of the error exactly, and so is very probably what Google thinks is wrong with your request.

But, as you well know, Google API requests can return errors that are distinctly unhelpful to actually diagnosing the problem. I have gotten "Invalid Credentials" errors for a number of reasons. It is almost always really because I have made some sort of change that I thought would not matter, but really does.

My first thought (shot in the dark here) would be to go to the Google API console:

https://code.google.com/apis/console

Googles auth token verifier ( https://www.googleapis.com/oauth2/v1/tokeninfo ) can return a valid response, but maybe the client secret or client id will have been changed.

Even tiny changes in the response body can also cause this error.

I don't know how you are making requests, whether by REST calls or a client lib, but I use the ruby lib which allows a command line interface to making API calls. I have found this & the OAuth2 Playground very helpful in diagnosing Google API calls.

Just an FYI: I have only gotten 2 errors from the Google API: "Invalid Credentials" and "Insufficient Permissions". The latter has almost always had to do with bad scopes. The former is just about everything else.

I would also say that if you have only experienced 2 errors in 6 months, you are lucky!

Answer 3

clearing storage in Google Chrome worked for me (don't know all the details of what 'Clear storage' is clearing):

1. F12 (Ctrl+Shift+I)
2. Application Tab
3. Clear storage

Answer 4

userInfo: Invalid Credentials I got the following error because the scopes array elements i was trying to access ie profile and email whose links I got from google+ api scope page: came to be somehow false/invalid so I went to my consent screen and there under Scopes for Google APIs was mentioned email profile openID on hovering on each I got there respective urls replacing my old ones with these resolved my error

Answer 5

I resolved this problem when I removed files json in c:\Users\[user]\.credentials.

Answer 6

I'm on Development environment. I had this problem too.

First I tried refreshing the credentials. No result. Then I deleted my app (since I'm still on development enviroment, that was ok, but BE CAREFUL WITH THIS ACTION if you're already using this on production), created a new one, updated the credentials JSON on the client... still, no result.

I solved it by opening on a new browser instance which wasn't logged in my Google Account (Private Browsing, since I'm on Firefox), logged on my Google Account once again, and tried using my client (which is a Web Application). I was redirected to the authorization screen as expected and after that, it worked fine for me.