YouTube API refresh token revoked with 400 code "invalid_grant" (for seemingly no reason)


Problem description

This is my first post on stackoverflow. Here it goes.

I've built a server-side PHP application that involves reading/making changes to one user's YouTube account (changes to caption files). The user is authenticated with OAuth 2. I have been storing the refresh_token and making refresh requests successfully when the access_token expires.

But now, I seem to be getting an error, which coincidentally correlates with two things:

  • A new video uploaded by the user
  • Sunday night

I don't know if that means anything.

The error happens when trying to refresh the access token and I'm using the same way of refreshing the token as I have previously. Here are the details:

Error message:

[status code] 400
[reason phrase] Bad Request
[url] https://accounts.google.com/o/oauth2/token
[request] POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
User-Agent: Guzzle/2.8.6 curl/7.24.0 PHP/5.3.10
Content-Type: application/x-www-form-urlencoded

client_id=442147492209.apps.googleusercontent.com&client_secret=D7eLQ5b0Mo1Y8uZ30ReWYwls&grant_type=refresh_token&refresh_token=1%2FCLvAt8V_d9sZznpg5YZdJlOJ58ufbHKL4F5Lw8PiJOg
[response] HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Tue, 02 Oct 2012 16:28:24 GMT
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Transfer-Encoding: chunked

{
  "error" : "invalid_grant"
}

If you feel like looking at the source code, it's on GitHub. Here's the relevant line number where refresh takes place: https://github.com/wellcaffeinated/yt-subtitle-explorer/blob/master/app/YTSE/OAuth/LoginManager.php#L330

(You'll notice that I've added a check for this error and ask the administrator to reauthorize the application... but this is far from ideal)

Other posts I've looked into were telling people to use approval_prompt=force... so I am doing that.

My newest suspicion is that since I am requesting offline access (approval_prompt=force) every time the administrator logs in, I keep generating new refresh_tokens (which I don't record unless no others are available). Does Google's OAuth have a maximum number of "active" refresh_tokens per application? Or something like that?

Thanks!

Recommended answer

Please see the following from the Google developers page:

If you receive an invalid_grant error response when attempting to use a refresh token, the cause of the error may be due to the following reasons:

  1. Your server's clock is not in sync with NTP.

  2. The refresh token limit has been exceeded. Applications can request multiple refresh tokens to access a single Google Analytics account. For example, this is useful in situations where a user wants to install an application on multiple machines and access the same Google Analytics account. In this case, two refresh tokens are required, one for each installation. When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant error response is returned. The limit for each unique pair of OAuth 2.0 client and Google Analytics account is 25 refresh tokens (note that this limit is subject to change). If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid. The 27th requested refresh token would invalidate the 2nd previously issued token and so on.
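The following is an added example, not code from the original post or from Google: a small Python model of the oldest-first invalidation described in the quoted documentation, showing why an application that forces consent on every login but keeps only the first refresh token starts receiving invalid_grant on the 26th login. The names TokenIssuer and run, and the token strings, are hypothetical and constructed for illustration.

```python
from collections import deque

TOKEN_LIMIT = 25  # per client/account pair, as quoted in the answer above


class TokenIssuer:
    """Toy model of the authorization server for ONE client/account pair."""

    def __init__(self, limit=TOKEN_LIMIT):
        self.limit = limit
        self.active = deque()   # oldest refresh token on the left
        self.counter = 0

    def consent(self):
        """A forced-consent login: always mints a new refresh token."""
        self.counter += 1
        token = f"rt-{self.counter}"          # constructed sample value
        self.active.append(token)
        if len(self.active) > self.limit:
            self.active.popleft()             # oldest token silently invalidated
        return token

    def refresh(self, token):
        """Return a token-endpoint style result for a refresh request."""
        if token in self.active:
            return {"status": 200, "access_token": f"at-for-{token}"}
        return {"status": 400, "error": "invalid_grant"}


def run(logins, keep_latest):
    """Simulate `logins` admin logins and return the final refresh result."""
    issuer = TokenIssuer()
    stored = None
    for _ in range(logins):
        new_token = issuer.consent()
        # keep_latest=False mirrors the question: store only when none is held
        if keep_latest or stored is None:
            stored = new_token
    return issuer.refresh(stored)


if __name__ == "__main__":
    for n in (25, 26, 40):
        print(n, "first-only:", run(n, False)["status"],
              "keep-latest:", run(n, True)["status"])
```

Persisting the newest refresh token on every consent, or not forcing consent once a working token is stored, keeps the stored token inside the active window.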
