RefreshToken will delete token if exception is encountered in AuthorizationCodeFlow.

[wbrussell]

If an exception is caught during "RefreshTokenAsync", the token file is deleted! This will force unneeded re-authorization on the client. In my case, the client is actually a long-running windows service so this disrupts this process and requires a human re-connect it.

Is there a reason that this is done?

https://github.com/google/google-api-dotnet-client/blob/a5288c4493a12791b46f7142efacb83c4fcacf58/Src/Support/GoogleApis.Auth/OAuth2/Flows/AuthorizationCodeFlow.cs

` ///

Retrieve a new token from the server using the specified request.

/// User identifier.
/// Token request.
/// Cancellation token to cancel operation.
/// Token response with the new access token.
[VisibleForTestOnly]
public async Task FetchTokenAsync(string userId, TokenRequest request,
CancellationToken taskCancellationToken)
{
// Add client id and client secret to requests.
request.ClientId = ClientSecrets.ClientId;
request.ClientSecret = ClientSecrets.ClientSecret;

        TokenResponseException tokenException = null;
        try
        {
            var tokenResponse = await request.ExecuteAsync
                (httpClient, TokenServerUrl, taskCancellationToken, Clock).ConfigureAwait(false);
            return tokenResponse;
        }
        catch (TokenResponseException ex)
        {
            // In case there is an exception during getting the token, we delete any user's token information from 
            // the data store.
            tokenException = ex;
        }
        await DeleteTokenAsync(userId, taskCancellationToken).ConfigureAwait(false);
        throw tokenException;
    }`

[LindaLawton]

Any idea what exception exactly is being thrown? My guess would be the code is assuming it's an invalid token response which means the refresh token is invalid. I guess there could be other exceptions. Would be easier for use to test if you can give use an idea which exception it could be.

[wbrussell]

Looks like the message was "internal_failure" during Google.Apis.Auth.OAuth2.UserCredential.RefreshTokenAsync. Here's the stack trace.

2016-12-07 17:00:15.9009 | Error | GoogleCalendar:GetEventsByRooms Failed retrieve schedules for room calendar DI - Classroom 1 (Nursery) [holycrosscalendar.net_2d36343537313136372d393638@resource.calendar.google.com]. One or more errors occurred. *** Exception Details:System.AggregateException: One or more errors occurred. ---> Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"internal_failure", Description:"", Uri:""
at Microsoft.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at Microsoft.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccess(Task task)
at Google.Apis.Auth.OAuth2.UserCredential.d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Streamside.Events2HVAC.EventProvider.GoogleCalendar.CalendarApi.d__32.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Streamside.Events2HVAC.EventProvider.GoogleCalendar.CalendarApi.d__43.MoveNext()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task1.GetResultCore(Boolean waitCompletionNotification) at System.Threading.Tasks.Task1.get_Result()
at Streamside.Events2HVAC.EventProvider.GoogleCalendar.GoogleCalendarProvider.GetEventsByRooms(DateTime startTime, DateTime endTime, IList`1 roomIDList)
---> (Inner Exception #0) Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"internal_failure", Description:"", Uri:""
at Microsoft.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at Microsoft.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccess(Task task)
at Google.Apis.Auth.OAuth2.UserCredential.d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Streamside.Events2HVAC.EventProvider.GoogleCalendar.CalendarApi.d__32.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Streamside.Events2HVAC.EventProvider.GoogleCalendar.CalendarApi.d__43.MoveNext()<---
ThreadID:10

[LindaLawton]

Background:

Ok so internal_failure is an authentication server outage. which can be tracked kind of on

https://status.cloud.google.com/ Google Cloud Storage
or apparently also https://www.google.com/appsstatus#hl=en&v=status although I am not seeing it there it may only be gsuite issues are there.

Now that being said. I agree we should not be deleting the token file when a internal_failure error is returned by the Auth servers. I think the only times we should be deleting the token file is if if the error returned by the authentication server is invalid_grant which normally means that the refresh token has expired. There is only one other instance I can think of were i think the file should be deleted. If client id does not match the refresh token the server will also respond with an error. I just need to dig that one up it may also be invalid_grant or invalid_client but i cant remember.

The offending code:

TokenResponse.cs

if (!response.IsSuccessStatusCode)
                {
                    typeName = nameof(TokenErrorResponse);
                    var error = NewtonsoftJsonSerializer.Instance.Deserialize<TokenErrorResponse>(content);
                    throw new TokenResponseException(error);
                }

AuthorizationCodeFlow.cs

catch (TokenResponseException ex)
            {
                // In case there is an exception during getting the token, we delete any user's token information from 
                // the data store.
                tokenException = ex;
            }
            await DeleteTokenAsync(userId, taskCancellationToken).ConfigureAwait(false);
            throw tokenException;

Any exception thrown by the token request will force the library to delete the file.

Errors that I have found:

I haven't been able to find a full error response list from the OAuth Servers. There are loads for the APIs but nothing "official" for the OAuth server response. So i spammed the server a little.

• Refresh token expired - { "error" : "invalid_grant" }
• Client Id doesn't match refresh token - { "error" : "unauthorized_client" }
• Client Id is bad or secret doesn't match - { "error" :"invalid_client" }
• Server down - { "error" : internal_failure" }

No I didn't test internal_failure this one just going to have to assume this is the response by what we have seen above.

Really I think its only the first three we should be deleting the file on if we should be deleting it at all. Shouldn't it just be over written when the user is requested for access again? Do we really need to be deleting it? Is it the responsibility of the library to delete old token files?

[chrisdunelm]

It's correct that the refreshtoken is deleted on suspicious client-side behaviour.
However, I agree that a server internal failure should not be treated the same.
The code in TokenRequestExtenstions.cs needs to pass the HTTP response status code to TokenResponseException. The refreshtoken won't be deleted if the status code is in the 500s, indicating a server error, rather than a client error.