0
votes

Some (but not all) Google accounts consistently respond with a 401 when trying to access the Google Calendar API, despite tokeninfo telling me the access token I'm using has the proper scope (see curl output below). I can successfully obtain a new access token using a refresh token, but the Calendar API continues to 401.

Does anyone have an idea why this might be happening?

$ curl -v https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=[redacted]
*   Trying 216.58.195.74...
* Connected to www.googleapis.com (216.58.195.74) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /oauth2/v3/tokeninfo?access_token=[redacted] HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Date: Tue, 18 Oct 2016 22:00:45 GMT
< Vary: X-Origin
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
 "azp": "[redacted].apps.googleusercontent.com",
 "aud": "[redacted].apps.googleusercontent.com",
 "sub": "[redacted]",
 "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar",
 "exp": "1476831626",
 "expires_in": "3581",
 "email": "[redacted]",
 "email_verified": "true",
 "access_type": "offline"
}
* Connection #0 to host www.googleapis.com left intact


$ curl -v https://www.googleapis.com/calendar/v3/users/me/calendarList?access_token=[redacted]
*   Trying 216.58.195.74...
* Connected to www.googleapis.com (216.58.195.74) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /calendar/v3/users/me/calendarList?access_token=[redacted] HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.49.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Vary: X-Origin
< WWW-Authenticate: Bearer realm="https://accounts.google.com/", error=invalid_token
< Content-Type: application/json; charset=UTF-8
< Date: Tue, 18 Oct 2016 22:01:14 GMT
< Expires: Tue, 18 Oct 2016 22:01:14 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "authError",
    "message": "Invalid Credentials",
    "locationType": "header",
    "location": "Authorization"
   }
  ],
  "code": 401,
  "message": "Invalid Credentials"
 }
}
* Connection #0 to host www.googleapis.com left intact
2
Do any of the other calls work? - DaImTo
Is it possible your refresh token is expired? - luc
@luc if the refresh token was expired, I would be able to use it to get a new access token, and the access token I already have wouldn't work for the tokeninfo endpoint. - David Gouldin
@DaImTo none of the Google Calendar API calls work. They all 401 with the same response body. - David Gouldin
The user could have revoked the refresh token altogether and then you need to reauthenticate. - luc

2 Answers

1
votes

I was able to reproduce the situation by creating a Google Apps user whose sub-organization has Google Calendar turned off. Google will still allow the user to grant calendar access and will indicate the scope has been granted, but will 401 in the way described when you try to call any Google Calendar API endpoints with their access token.

Google, please make your error message clearer or prevent the initial scope grant when requesting access to an app that has been turned off by an administrator!

0
votes

This was happening for my client, even with Google Calendar enabled.

Turns out they'd let the free 14-day trial expire, and hadn't entered a credit card for payment. Error disappeared once they'd sorted that.
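An added example, not part of the original question or answers: a small triage function that separates a genuinely bad token (refresh or re-consent) from the case both answers describe, where tokeninfo confirms a live token with the calendar scope but the Calendar API still answers 401 `invalid_token`. The function names, return labels and sample values are assumptions for illustration; the sample input is constructed from the redacted curl output in the question.

```python
import json
import re

CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar"

def bearer_error(www_authenticate):
    """Extract the error= value from a Bearer challenge header, if any."""
    m = re.search(r'\berror="?([A-Za-z_]+)"?', www_authenticate or "")
    return m.group(1) if m else None

def diagnose(tokeninfo_status, tokeninfo_body, api_status, api_www_authenticate,
             required_scope=CALENDAR_SCOPE):
    """Classify a failing call from the tokeninfo response and the API response."""
    if tokeninfo_status != 200:
        return "token_invalid"        # expired or revoked: refresh or re-consent
    info = json.loads(tokeninfo_body)
    if int(info.get("expires_in", 0)) <= 0:
        return "token_expired"
    if required_scope not in info.get("scope", "").split():
        return "scope_missing"        # scope was never granted: re-run consent
    if api_status == 401 and bearer_error(api_www_authenticate) == "invalid_token":
        # Token is live and scoped, yet the API refuses it. A new token will not
        # help; the answers trace this to the account (service off, trial lapsed).
        return "account_or_service_state"
    if 200 <= api_status < 300:
        return "ok"
    return "other_api_error"

# Constructed sample input, modelled on the redacted curl output in the question.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "EXAMPLE.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/userinfo.email " + CALENDAR_SCOPE,
    "expires_in": "3581",
})
SAMPLE_CHALLENGE = 'Bearer realm="https://accounts.google.com/", error=invalid_token'

if __name__ == "__main__":
    print(diagnose(200, SAMPLE_TOKENINFO, 401, SAMPLE_CHALLENGE))
```

When the result is `account_or_service_state`, stop retrying the refresh flow and surface a message asking the user or their domain administrator to check the account's Calendar service and subscription status.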