Question

I am using the PHP Google client library. I successfully get a token and refresh token from the user/Google to use with the API. As soon as the user revokes the permission for my website in Google's settings on the Google page, I get the following error:

Error calling GET https://www.googleapis.com/calendar/v3/users/me/calendarList: (401) Invalid Credentials

That is expected behavior since the user revoked my permission. However, how do I detect that a user revoked that access?

Currently I do the following to see if I have access:

```php
// $token: JSON fetched from the database
$gclient->setAccessToken($token);
if ($gclient->getAccessToken()) {
    // I should have access
}
```

Well, this code unfortunately does not detect the revoked permission. How can I handle that?


Solution 2

Google APIs should only return 401 for lack of authorization. Since you had authorization before, receiving a 401 is a reliable indication that the user has revoked access.

Are you looking for a detection mechanism that notifies you of such changes before you make the API call? Today there is not a push notification mechanism from Google that can inform your application of such events. Of course, a pull-based mechanism is not useful -- you can simply make the API call and handle the 401 more efficiently.

OTHER TIPS

Once you have detected that the user has revoked the permission you can ask the user to grant the permission again.

To detect that the grant has been revoked: Provided that you had authorization before,

  • Making an API call using a revoked access_token will result in a response with status code 401, like this:

    ```json
    {
      "error": {
        "errors": [
          {
            "domain": "global",
            "reason": "authError",
            "message": "Invalid Credentials",
            "locationType": "header",
            "location": "Authorization"
          }
        ],
        "code": 401,
        "message": "Invalid Credentials"
      }
    }
    ```

  • Attempting to refresh a token after the revocation will result in a response with a 400 status code and an invalid_grant error, as specified in RFC 6749, Section 5.2:

invalid_grant The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Here is an example of such a response:

```json
{
   "error" : "invalid_grant"
}
```
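Putting the two signals above together, here is an added example (not from the original answers or the Google client library) of the decision logic a web app can run: a 401 authError on the API call only proves the access token was rejected, which an expired token also produces, so the flow tries one refresh and treats a 400 invalid_grant from the token endpoint as the definitive "revoked" signal. The HTTP layer is replaced by constructed stand-ins so the example runs offline; the response bodies are shaped like the ones quoted above.

```python
import json
from dataclasses import dataclass
from typing import Callable

# Constructed sample bodies, shaped like the two responses quoted in the answers.
API_401_BODY = json.dumps({"error": {"errors": [{"domain": "global", "reason": "authError",
    "message": "Invalid Credentials", "locationType": "header", "location": "Authorization"}],
    "code": 401, "message": "Invalid Credentials"}})
REFRESH_400_BODY = json.dumps({"error": "invalid_grant"})

@dataclass
class Response:
    status: int
    body: str

def is_auth_error(resp: Response) -> bool:
    """401 with reason=authError: the access token was rejected (expired OR revoked)."""
    if resp.status != 401:
        return False
    try:
        errors = json.loads(resp.body)["error"]["errors"]
    except (ValueError, KeyError, TypeError):
        return True  # a bare 401 still means the credentials were rejected
    return any(e.get("reason") == "authError" for e in errors)

def is_revoked_refresh(resp: Response) -> bool:
    """RFC 6749 s5.2: 400 with error=invalid_grant means the refresh token is invalid/revoked."""
    if resp.status != 400:
        return False
    try:
        return json.loads(resp.body).get("error") == "invalid_grant"
    except (ValueError, AttributeError):
        return False

def check_access(call_api: Callable[[str], Response], refresh: Callable[[str], Response],
                 access_token: str, refresh_token: str) -> str:
    """Return 'ok', 'refreshed', 'revoked' or 'error'. Only 'revoked' should trigger a new consent prompt."""
    resp = call_api(access_token)
    if resp.status == 200:
        return "ok"
    if not is_auth_error(resp):
        return "error"  # quota, permissions, outage: not a revocation
    r = refresh(refresh_token)
    if is_revoked_refresh(r):
        return "revoked"  # ask the user to grant access again
    if r.status == 200:
        new_token = json.loads(r.body)["access_token"]  # persist this alongside the old refresh token
        return "refreshed" if call_api(new_token).status == 200 else "error"
    return "error"

# Constructed stand-ins for the API and token endpoints.
def _api_for(valid_tokens):
    return lambda tok: Response(200, "{}") if tok in valid_tokens else Response(401, API_401_BODY)

def revoked_scenario() -> str:   # user revoked the grant: refresh fails with invalid_grant
    return check_access(_api_for(set()), lambda _rt: Response(400, REFRESH_400_BODY), "old", "rt")

def expired_scenario() -> str:   # access token merely expired: refresh issues a new one
    return check_access(_api_for({"new"}), lambda _rt: Response(200, json.dumps({"access_token": "new"})), "old", "rt")
```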
Licensed under: CC-BY-SA with attribution