Write For Us
php
google-api
google-api-php-client

Token must be a short-lived token and in a reasonable timeframe

Viewed   85 times

I am having the same error as this. In my case it is happening when the app is trying to upload a file via Google Cloud Client API.

POST https://www.googleapis.com/oauth2/v4/token
400 Bad Request
Invalid JWT: Token must be a short-lived token and in a reasonable timeframe

How I load the token is reading a service-account json file, and attach it to CURLOPT_HTTPHEADER in PHP. It did work properly for the past one month, so I am guessing that Google changed the way of authorization.

Has anyone faced & solved this?

 Answers

3

I stumbled upon the same issue at roughly the same time, so I expected a generic bug of Google but here is what had happened on my computer :

raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe

was caused in my case by a poor synchronisation of the computer's clock where the code was executed that had a lag of 5 minutes (due to a faulty battery for the internal clock). It started working again when I manually changed the internal time of my computer to the correct one.

This solution was mentionned here, but not with the full error message

Wednesday, September 21, 2022
 
hajikanadi123-2e04894cf024
 
hajikanadi123-2e04894cf024
2

You will need to use both the Developer Key (API Key) and OAuth2. The developer key authenticates who wrote the software and is used for things like quota which is on a per developer basis not a per user basis. OAuth2 is for user authentication and will be need to access the non-public calendar.

OAuth2 has a renew token from which you can generate a session token and this means that you will not need to screen scrape the OAuth screens to get authenticated. To get this I would write a little command line application, or you use a one off PHP page.

  1. Under the Google Api Console go to API Access
  2. Generate a new Client ID and choose Installed Application ( as you will be authenticating you server as you not as your user)
  3. Either using a console app or a one off PHP page authenticate using OAuth and your google account (the one with the calendar you want access to)
  4. In the return from the authentication there should be a renew token, (called renew or refresh or something similar). Save this string and make it available to your PHP site.
  5. When you need to access the service your OAuth library should have a renew/refresh call. There is an example using .Net below.
private IAuthorizationState CreateAuthorization(NativeApplicationClient arg)
 {
   // Get the auth URL:
   IAuthorizationState state = new AuthorizationState(new[] { AdsenseService.Scopes.AdsenseReadonly.GetStringValue() });
   state.Callback = new Uri(NativeApplicationClient.OutOfBandCallbackUrl);
   if (refreshToken.IsNotNullOrEmpty()) // refreshToken you stored in step 4
   {
     try
     {
       state.RefreshToken = refreshToken;
       if (arg.RefreshToken(state))     // This is calling out to the OAuth servers with the refresh token getting back a session token, returns true if successful.
       {
         if (state.RefreshToken != refreshToken) // if the refresh token has changed, save it.
         {
           PersistRefreshToken(authorization.RefreshToken);
         }
         return this.authorization = state; // Retain the authorization state, this is what will authenticate your calls.
       }
     }
     catch (ProtocolException ex) {...}

The AuthorisationState that has now been renewed can then be used to authenticate call you make to the API. this state can be used many time until it expires and then can be refreshed. As you are authenticating your application as yourself not as a user this AuthorisationState can be shared by all you sessions. Both the current AuthorisationState and the refresh token should be kept securely on your server and never sent to the client, if you ever sent these as part of a response your clients would have the same privileges as your code application

Monday, November 14, 2022
 
olivia.enans-8c98c1e184d7
 
olivia.enans-8c98c1e184d7
5

It seems the mistake is because you send a DELETE http verb instead of a POST. Also, the XML namespace attributes in the entry are not required.

By the way, maybe this is a typo, you wrote 'content-lenght' instead of content-length.

Don't send any content in the entry for deletions, as it's not required (and not documented).

$xmlBuild = "<feed xmlns='http://www.w3.org/2005/Atom'
    xmlns:batch='http://schemas.google.com/gdata/batch'
    xmlns:gd='http://schemas.google.com/g/2005'
    xmlns:gContact='http://schemas.google.com/contact/2008'>";
$xmlBuild .= "<entry>";
$xmlBuild .= "<batch:id>1</batch:id><batch:operation type='delete'/>";
$xmlBuild .= "<id>http://www.google.com/m8/feeds/contacts/my.domain/base/1b93ef80b806243</id>";
$xmlBuild .= "</entry>";
$xmlBuild .= "</feed>";

$len = strlen($xmlBuild);
$options = array(
    "headers" => array(
        "Content-type" => "application/atom+xml; charset=UTF-8;",
        "Content-length" => $len
    ),
    "body" => $xmlBuild
);

$httpClient = $client->authorize();
$request = $httpClient->post("https://www.google.com/m8/feeds/contacts/my.domain/full/batch", $options); 
// or $request = $httpClient->sendRequest('POST', "https://www.google.com/m8/feeds/contacts/my.domain/full/batch", $options); 

$response = $request->getBody()->getContents();

print_r($response);
Saturday, October 8, 2022
 
sarasgupta
 
sarasgupta
5

@Julian. Thank you so much for the inspiration here. I was able to make this work without changing any of the core FB api files.

What happens is, the setExtendedAccessToken call sends the value to setPersistentData which then sends it into session via constructSessionVariableName.

So if we get it out of session, and then set it into the facebook object, we're all set.

Here is my code:

// ask for the extended token and get it from session ...
$facebook->setExtendedAccessToken();
$access_token = $_SESSION["fb_".FB_APP_ID."_access_token"];
// now set it into the facebook object ....
$facebook->setAccessToken($access_token);
// now our fb object will use the new token as usual ...
$accessToken = $facebook->getAccessToken();
Monday, December 19, 2022
 
user3513971
 
user3513971
1

Invalid grant

When you try to use a refresh token, the following returns you an invalid_grant error:

  • Your server's clock is not in sync with network time protocol - NTP.
  • The refresh token limit has been exceeded.

First, kindly check the synchronization problem with the server clock, see the poor synchronization of the computer's clock answer for additional information. Second, check handling of refresh token and the old tokens. Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.

Hope this helps!

Sunday, September 4, 2022
 
sumitkm
 
sumitkm
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
php
google-api
google-api-php-client
 
Share
Related Answers
130
 “The redirect_uri URL must be absolute” error on Facebook PHP SDK
70
 Why must a short be converted to an int before arithmetic operations in C and C++?
180
 facebook Uncaught OAuthException: An active access token must be used to query information about the current user
68
 how to implement a short url like urls in twitter?
60
 Getting long-lived access token with setExtendedAccessToken() returns short lived token
448
 The type 'T' must be a non-nullable value type in order to use it as parameter 'T' in the generic type or method...
69
 iOS Facebook SDK: An active access token must be used to query information about the current user
90
 How to add a running count to rows in a 'streak' of consecutive days
193
 Error:“invalid_grant”, Description:“Invalid JWT: Token must be a short-lived token and in a reasonable timeframe”,...
66
 An active access token must be used to query information about the current user
Top Answers Related To

php,google-api,google-api-php-client

99
 Google Calendar API v3 - authenticate with hardcoded credentials
61
 GAPI: Failed to authenticate user. Permanent fix PHP
124
 How to get email address when user is authenticated with Google Oauth2 and people.me
143
 Create a filter using Gmail API
63
 How to troubleshoot/get error response when you run invalid BigQuery jobs?
95
 Batch Delete Domain Shared Contacts With PHP
311
 HTTP 500 (Internal Server Error) when using google api php client on a remote server
154
 How to set timeout for google api php client library
71
 Create folder in root directiry of and upload file to that folder google drive api
96
 How to set curl timeout in Google API PHP client version 2.2.2
Write For Us · Blog · Privacy · Faqs · Terms of Use · Contact us ·