oauth-2.0 - 400 代码 "invalid_grant"撤销了 YouTube API 刷新 token (似乎没有任何原因)

Question

这是我在 stackoverflow 上的第一篇文章。开始了。

我构建了一个服务器端 PHP 应用程序，该应用程序涉及读取/更改一个用户的 YouTube 帐户(更改字幕文件)。用户已通过 OAuth 2 进行身份验证。我一直在存储 refresh_token 并在 access_token 过期时成功发出刷新请求。

但是现在，我似乎遇到了一个错误，它巧合地与两件事相关:

• 用户上传新视频
• 周日晚上

我不知道这是否意味着什么。

错误发生在尝试刷新访问 token 时，我使用与之前相同的方式来刷新 token 。以下是详细信息:

错误信息:

[status code] 400
[reason phrase] Bad Request
[url] https://accounts.google.com/o/oauth2/token
[request] POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
User-Agent: Guzzle/2.8.6 curl/7.24.0 PHP/5.3.10
Content-Type: application/x-www-form-urlencoded

client_id=442147492209.apps.googleusercontent.com&client_secret=D7eLQ5b0Mo1Y8uZ30ReWYwls&grant_type=refresh_token&refresh_token=1%2FCLvAt8V_d9sZznpg5YZdJlOJ58ufbHKL4F5Lw8PiJOg
[response] HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Tue, 02 Oct 2012 16:28:24 GMT
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Transfer-Encoding: chunked

{
  "error" : "invalid_grant"
}

如果您想查看源代码，它在 github 上。这是发生刷新的相关行号:https://github.com/wellcaffeinated/yt-subtitle-explorer/blob/master/app/YTSE/OAuth/LoginManager.php#L330

(你会注意到我已经添加了一个检查这个错误并要求管理员重新授权应用程序......但这远非理想)

我研究过的其他帖子告诉人们使用 approval_prompt=force... 所以我正在这样做。

编辑:我最新的怀疑是，由于每次管理员登录时我都在请求离线访问 (approval_prompt=force)，所以我一直在生成新的 refresh_tokens(除非没有其他可用，否则我不会记录)。谷歌的 OAuth 是否有每个应用程序的最大“事件”refresh_tokens 数量？或者类似的东西？

谢谢!

Answer 1

请查看google developers pages :

If you receive an invalid_grant error response when attempting to use a refresh token, the cause of the error may be due to the following reasons:

1. Your server's clock is not in sync with NTP.

2. The refresh token limit has been exceeded. Applications can request multiple refresh tokens to access a single Google Analytics account. For example, this is useful in situations where a user wants to install an application on multiple machines and access the same Google Analytics account. In this case, two refresh tokens are required, one for each installation. When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant error response is returned. The limit for each unique pair of OAuth 2.0 client and Google Analytics account is 25 refresh tokens (note that this limit is subject to change). If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid. The 27th requested refresh token would invalidate the 2nd previously issued token and so on.