Google Analytics API oauth exception “invalid_grant” with Service Account. Same code on two servers. Only one works

Question

I'm querying the Analytics API via a Service Account.

I have written the code on the dev server and it works without issues. When running the same code on the production server, it throws this:

Google_AuthException: Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }'

I've tried creating another Service account, and the behavior is the same.

The oAuth IETF draft (http://tools.ietf.org/html/draft-ietf-oauth-v2-31) says this about the error:

     invalid_grant
           The provided authorization grant (e.g. authorization
           code, resource owner credentials) or refresh token is
           invalid, expired, revoked, does not match the redirection
           URI used in the authorization request, or was issued to
           another client.

Here is the code I've written:

$GA_CLIENT_ID = 'XX.apps.googleusercontent.com';
$GA_APP_EMAIL = 'XX@developer.gserviceaccount.com';
$GA_APP_NAME = 'XX';
$GA_KEY_FILE = 'XX';

// create client object and set app name
$client = new Google_Client();
$client->setApplicationName($GA_APP_NAME); // name of your app

// set assertion credentials
$client->setAssertionCredentials(
        new Google_AssertionCredentials(
            $GA_APP_EMAIL, // email you added to GA
            array('https://www.googleapis.com/auth/analytics.readonly'),
            file_get_contents($GA_KEY_FILE)  // keyfile you downloaded
            ));

// other settings
$client->setClientId($GA_CLIENT_ID);           // from API console
$client->setAccessType('offline_access');  // this may be unnecessary?

// create service and get data
$service = new Google_AnalyticsService($client);
$result = $service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);
return $result;

I've also tried a solution suggested here (https://groups.google.com/forum/?fromgroups#!topic/gs-discussion/3y_2XVE2q7U%5B1-25%5D) using authenticatedRequest() instead of Google_AnalyticsService:

$req = new Google_HttpRequest($apiUrl);
$resp = $client::getIo()->authenticatedRequest($req);
$result = json_decode($resp->getResponseBody(), true);

This alternative also works on the dev server, but not on the production one.

I am totally clueless on this one. Has anyone seen this/fixed it?

Thanks!

Answer 1

Apparently the problem was the system time being off. Worked by sync-ing via NTP with:

sudo ntpdate npt.ubuntu.com

sudo ntpdate pool.ntp.org

Edit

As @RafaSashi suggested below, the pool.ntp.org server is more reliable. Use that instead of ntp.ubuntu.com (which was the first working one I tried, thus the initial choice).

Answer 2

The invalid grant can also be caused if you use the wrong "ServiceAccountId". It should be the email associated with the client id in the service account client id in the google apis access page. You'd also have to add this user to the google analytics account that you're planning to access.

This tripped me up because I assumed the email address they were referring to was the email address of my google account, since I used the same google account to get api access as I do for google analytics. I know Vir's already figured his out, just thought I'd add this in case someone else comes across the same question and, like me, their computer seems to be in sync with NTP.

Answer 3

In addition to Valer's answer:

First, you’ll need to install NTP if it isn’t already installed. For Debian or Ubuntu, that would be this command:

sudo apt-get install ntp

For Redhat or CentOS, you’ll need to use this one:

yum install ntp

If the synchronization via npt.ubuntu.com doesn't work try :

sudo ntpdate pool.ntp.org

Resources

• http://www.howtogeek.com/tips/how-to-sync-your-linux-server-time-with-network-time-servers-ntp/

• https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-12-04

Answer 4

There are two major reasons for invalid_grant error which you have to take care prior to the POST request for Refresh Token and Access Token.

1. Request header must contain "content-type: application/x-www-form-urlencoded"
2. Your request payload should be url encoded Form Data, don't send as json object.

RFC 6749 OAuth 2.0 defined invalid_grant as: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

I found another good article, here you will find many other reasons for this error.

https://blog.timekit.io/google-oauth-invalid-grant-nightmare-and-how-to-fix-it-9f4efaf1da35

Google Playground is best tool which help you how to send request. https://developers.google.com/oauthplayground