I have renew the token every 7 days

[aristosv]

Every 7 days, I start getting the following error in my log files

Traceback (most recent call last):
 File "/usr/bin/gcalcli", line 11, in <module>
   load_entry_point('gcalcli==4.3.0', 'console_scripts', 'gcalcli')()
 File "/usr/lib/python3/dist-packages/gcalcli/cli.py", line 152, in main
   gcal.AgendaQuery(start=parsed_args.start, end=parsed_args.end)
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 1238, in AgendaQuery
   return self._display_queried_events(start, end)
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 1182, in _display_queried_events
   event_list = self._search_for_events(start, end, search)
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 1130, in _search_for_events
   self.get_cal_service()
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 158, in get_cal_service
   http=self._google_auth())
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 139, in _google_auth
   credentials = tools.run_flow(
 File "/usr/lib/python3/dist-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
   return wrapped(*args, **kwargs)
 File "/usr/lib/python3/dist-packages/oauth2client/tools.py", line 240, in run_flow
   code = input('Enter verification code: ').strip()
EOFError: EOF when reading a line
sending next hour reminders
getting next day events
Traceback (most recent call last):
 File "/usr/bin/gcalcli", line 11, in <module>
   load_entry_point('gcalcli==4.3.0', 'console_scripts', 'gcalcli')()
 File "/usr/lib/python3/dist-packages/gcalcli/cli.py", line 152, in main
   gcal.AgendaQuery(start=parsed_args.start, end=parsed_args.end)
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 1238, in AgendaQuery
   return self._display_queried_events(start, end)
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 1182, in _display_queried_events
   event_list = self._search_for_events(start, end, search)
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 1130, in _search_for_events
   self.get_cal_service()
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 158, in get_cal_service
   http=self._google_auth())
 File "/usr/lib/python3/dist-packages/gcalcli/gcal.py", line 139, in _google_auth
   credentials = tools.run_flow(
 File "/usr/lib/python3/dist-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
   return wrapped(*args, **kwargs)
 File "/usr/lib/python3/dist-packages/oauth2client/tools.py", line 240, in run_flow
   code = input('Enter verification code: ').strip()

Basically the error is code = input('Enter verification code: ').strip()

To fix it, I have to create a new OAuth2 token and run this command again
gcalcli --noauth_local_webserver --client-id=$clientid --client-secret=$clientsecret --config-folder $parentdir/clients/$clientdir/auth agenda

And then it lasts for 7 more days, and I have to repeat the process again.

What I'm I doing wrong here?

[aristosv]

This is the actual error

oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Token has been expired or revoked.

For some reason the token expired

[dequeckerp]

I have the same issue:

In documentation https://developers.google.com/identity/protocols/oauth2#expiration there is written:

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

So the app needs to be published, which required google verification. :-(

I have not found a solution yet.

[shrx]

Duplicate of #611 ?

[ForteDexe]

@aristosv @dequeckerp
You guys can try this work around:

If you are using KDE, add that url to kOrganizer, restart your system.
Then use konsolekalendar in terminal.

[aristosv]

I don't see how that iCal link can be used with gcalcli command line options.

[ajkessel]

Per #611 , if we can figure out how to get gcalcli to pass a redirect_uri parameter to the Python Google OAuth2 module, it should be possible to publish the app without Google review and have longer-lasting tokens. I also filed an Ubuntu bug report at https://bugs.launchpad.net/ubuntu/+source/python-oauth2client/+bug/1983216 since it appears upstream is no longer maintaining the relevant library googleapis/oauth2client#317

[shrx]

Does the replacement library google-auth support the required functionality?

[ajkessel]

I believe so. The deprecated Python module doesn't allow the code to specify redirect_uri. If we want to publish a web app in production rather than testing (thus extending the token expiration period), while foregoing Google verification, we need to be able to set redirect_uri. There's probably some way to hack around this in the existing gcalcli code but it wasn't something I could solve in a few minutes.

[ferdinandyb]

I've published my own google app I was using to connect and I haven't had issues since. It gave an ugly warning about not being verified when logging in, but you can say you don't care :)

[NightMachinery]

I've published my own google app I was using to connect and I haven't had issues since. It gave an ugly warning about not being verified when logging in, but you can say you don't care :)

How did you publish it? Doesn't it need to pass a manual review by Google?

[ferdinandyb]

On Sun Apr 16, 2023 at 14:55, Feraidoon Mehri wrote: > I've published my own google app I was using to connect and I haven't had issues since. It gave an ugly warning about not being verified when logging in, but you can say you don't care :) How did you publish it? Doesn't it need to pass a manual review by Google?

No, it doesn't, unless you want to make that warning go away.

[dbarnett]

Likely fixed now that I merged #683. Please let me know if issues remain. Thanks!

[ZaxonXP]

Was this fix merged to release 4.4.0?

Today I wanted to use gcalcli, but got this error again:

Token has been expired or revoked

I followed the instructions how to create the token from the page here, but I got this error anyway. Is there something I can try to make it work for longer?

[ZaxonXP]

@dbarnett:

Here is the error I got:

Traceback (most recent call last):
  File "/usr/local/bin/gcalcli", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/cli.py", line 169, in main
    gcal.CalQuery(
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 1248, in CalQuery
    event_list = self._search_for_events(start, end, None)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 1096, in _search_for_events
    event_list.extend(
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 1041, in _GetAllEvents
    self.get_events()
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 183, in get_events
    return self.get_cal_service().events()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 178, in get_cal_service
    credentials=self._google_auth())
                ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 171, in _google_auth
    auth.refresh_if_expired(self.credentials)
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/auth.py", line 26, in refresh_if_expired
    credentials.refresh(Request())
  File "/usr/local/lib/python3.11/dist-packages/google/oauth2/credentials.py", line 431, in refresh
    ) = reauth.refresh_grant(
        ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google/oauth2/reauth.py", line 366, in refresh_grant
    _client._handle_error_response(response_data, retryable_error)
  File "/usr/local/lib/python3.11/dist-packages/google/oauth2/_client.py", line 68, in _handle_error_response
    raise exceptions.RefreshError(
google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', {'error': 'invalid_grant', 'error_description': 'Token has been expired or revoked.'})

[dbarnett]

Could you peek in your ~/.gcalcli_oauth file with a text editor and see if you can find "232867676714.apps.googleusercontent.com" in there, or a different ID before the .apps.…? (It may be a binary file but I think the "apps.googleusercontent.com" part should still be visible if you tell your text editor to open it anyway.)

Also when this happens, does renewing with the same client_id/client_secret work, or do you have to update anything else?

[ZaxonXP]

Yes, the .apps.googleusercontent.com string is present in the oauth file.

By renewing you mean to do:

gcalcli --client-id=<ID>.apps.googleusercontent.com init

or do something elese? I tried this command, but gcalcli says that I should use one of the following commands (invalid choice error).

[dbarnett]

But is the ID in there "232867676714", was my question.

By renewing you mean to do …

I think on 4.4.0 init isn't a valid command, you'd need to use list or whatever placeholder command, but I was more asking what exactly you do when it tells you the token is expired to get it running for another 7 days.

[ZaxonXP]

No, there is no such string in the ID. Should I post it here?

If I do list command, then it list my calendar.
If I do the calw then I get this error.
But with any other option I cannot triger the init.

[dbarnett]

No, there is no such string in the ID. Should I post it here?

Nah, if it's not the old default then it would have to be one you set up. Just wanted to double check.

If I do the calw then I get this error.

Ah, weird! I did feel like I saw auth treated differently for calm/calw vs. list once a while back (#691 (comment)) but since I posted that I haven't seen any further weirdness like that. I wonder if there's some difference in the scopes used or something...

So IIUC you're saying that after you see this error...

1. gcalcli list still works fine
2. calw/calm fail with the RefreshError you posted above
3. to fix that you have to run gcalcli --client-id=xxx calw to refresh the authentication

?

FYI I'll probably add a gcalcli util inspect-auth command to simplify some of this auth troubleshooting in the future, but hopefully we can isolate the problem on your current install.

[dbarnett]

I wonder if there's some difference in the scopes used or something...

Looks like if there is a missing scope here it'd be https://www.googleapis.com/auth/calendar.events, which is needed for listing events but not for listing calendars. I looked through the code and didn't see anything else specialized for calw/calm vs. list... ultimately one does self.get_cal_service().events() where the other does self.get_cal_service().calendarList().list(). But on my system calw works fine without any explicit calendar.events scope being attached to my token.

I'll have to look into whether calendar scope is supposed to imply calendar.events with the same prefix or how that works for OAuth scopes. I see we only request the calendar scope explicitly in the auth flow.

[ZaxonXP]

I ran the following:

user@trekstor:~$ gcalcli --config-folder=/home/user/.config/gcalcli/new --client-id=797412254427-ulo8vk53ea8arjimabkahqjo8emte84j.apps.googleusercontent.com calw
Not yet authenticated. Starting auth flow...
NOTE: See https://github.com/insanum/gcalcli/blob/HEAD/docs/api-auth.md for help/troubleshooting.
You'll be asked for a client_secret that you should have set up for yourself in Google dev console.
Client Secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Now click the link below and follow directions to authenticate.
You will likely see a security warning page and need to click "Advanced" and "Go to gcalcli (unsafe)" to proceed.
Please visit this URL to authorize this application: https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=797412254427-ulo8vk53ea8arjimabkahqjo8emte84j.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&state=WsmhBeYCLqXXRRTjI43O27J7IBSoYk&access_type=offline
Traceback (most recent call last):
  File "/usr/local/bin/gcalcli", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/cli.py", line 142, in main
    gcal = GoogleCalendarInterface(
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 73, in __init__
    self._get_cached()
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 219, in _get_cached
    self.get_cal_service().calendarList().list(
    ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 178, in get_cal_service
    credentials=self._google_auth())
                ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/gcal.py", line 167, in _google_auth
    self.credentials = auth.authenticate(client_id, client_secret)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/gcalcli/auth.py", line 20, in authenticate
    credentials = flow.run_local_server(open_browser=False)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/google_auth_oauthlib/flow.py", line 458, in run_local_server
    self.fetch_token(
  File "/usr/local/lib/python3.11/dist-packages/google_auth_oauthlib/flow.py", line 285, in fetch_token
    return self.oauth2session.fetch_token(self.client_config["token_uri"], **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/requests_oauthlib/oauth2_session.py", line 406, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 427, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/parameters.py", line 441, in parse_token_response
    validate_token_parameters(params)
  File "/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/parameters.py", line 448, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/errors.py", line 399, in raise_from_error
    raise cls(**kwargs)
oauthlib.oauth2.rfc6749.errors.InvalidClientError: (invalid_client) Unauthorized

But why?

[dbarnett]

Agreed that's weird. The errors are coming from deep in google_auth_oauthlib deps so there's not a lot of self-contained troubleshooting info, but it does seem like for one reason or another gcalcli really doesn't like something about this 797412254427-ulo8vk53ea8arjimabkahqjo8emte84j.apps.googleusercontent.com client. That's something you got from a project you set up yourself in Google Cloud Console, right? Maybe if you check on the Google end there might be some kind of advisory message about the project? Have you tried creating a fresh "project" to see if the same issues repro with a new client?

[ZaxonXP]

I created a clean project with OAuth and for now it is working. Let's see it in a week if it start behaving wrongly.

[ZaxonXP]

Interesting today I ran the gcal util inspect-auth and that gave me the invalid token info like this:

path: ~/.local/share/gcalcli/oauth
format: pickle
client_id: 1005180736598-mjs63o3a6h4vss4me58tsdepa4q6ov6r.apps.googleusercontent.com
scopes: ['https://www.googleapis.com/auth/calendar']
valid: False
token_state: TokenState.INVALID
expiry: 2024-10-15 21:19:39.930954
expired: True

However when I do gcal calw I am getting the correctly displayed week calendar. :\

[ZaxonXP]

I also asked chatGPT about what to do in order to have non expiring secret. This is what I got

To use the Google Calendar API with the gcalcli tool and ensure that your credentials don’t expire every 7 days, you can follow these steps:

Step 1: Create a Service Account

1. Go to the Google Cloud Console: Navigate to Google Cloud Console.

2. Create a New Project: If you don't have a project, create one.

3. Enable the Google Calendar API:

   • Go to "APIs & Services" > "Library".
   • Search for "Google Calendar API" and enable it.

4. Create a Service Account:

   • Go to "IAM & Admin" > "Service Accounts".
   • Click "Create Service Account".
   • Provide a name and description, and click "Create".

5. Grant Permissions: Assign the "Editor" role (or a role that suits your needs).

6. Create a Key:

   • After creating the service account, click on it to open its details.
   • Go to the "Keys" tab and click "Add Key" > "Create New Key".
   • Choose "JSON" and download the key file.

Step 2: Share Your Calendar

1. Go to Google Calendar: Open Google Calendar.

2. Share Your Calendar:

   • Find the calendar you want to use in the left sidebar and click on the three dots next to it.
   • Select "Settings and sharing".
   • Under "Share with specific people," add the service account email (it looks like your-service-account@your-project-id.iam.gserviceaccount.com) and give it the appropriate permissions.

Step 3: Configure gcalcli

1. Install gcalcli: If you haven't already, you can install gcalcli via pip:

   pip install gcalcli

2. Create a Configuration File:

   • Create a file named gcalcli.yaml in your home directory (or in the .gcalcli directory).
   • Add the following configuration:

   [credentials]
   type: service_account
   project_id: your-project-id
   private_key_id: your-private-key-id
   private_key: |
     -----BEGIN PRIVATE KEY-----
     YOUR_PRIVATE_KEY
     -----END PRIVATE KEY-----
   client_email: your-service-account-email
   client_id: your-client-id
   auth_uri: https://accounts.google.com/o/oauth2/auth
   token_uri: https://oauth2.googleapis.com/token
   auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs
   client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/your-service-account-email

   Make sure to replace placeholders with the actual values from your JSON key file.

Step 4: Test gcalcli

Run a command like the following to check if everything is working:

gcalcli list

You should see your calendar events listed without the 7-day expiration issue. This setup allows gcalcli to authenticate using the service account, ensuring long-term access.

Would this work? Is gcalcli 4.5.1 using gcalcli.yaml file? Where that file should be placed? Is the ~/.config/gcalcli/ a correct place?

[dbarnett]

That config is utter nonsense it hallucinated afaik. Anyway everything about the token and whether it's valid is between Google and the client lib.

However when I do gcal calw I am getting the correctly displayed week calendar.

It'd be up to server implementation whether they instantly reject requests the moment the token expires. You can bet that it'll stop working very soon even if it's still somewhat working atm.

[dbarnett]

🤦 now I see that my client that hasn't been expiring has "Publishing status" set to "In production", not "Testing".

Mine says "Needs verification" still and I don't know why it wouldn't have the same limitations as others'. I did find this is exactly the expiration behavior they declare in their docs:

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days, unless the only OAuth scopes requested are a subset of name, email address, and user profile (through the userinfo.email, userinfo.profile, openid scopes, or their OpenID Connect equivalents).

[dbarnett]

I checked a similar project's instructions https://www.home-assistant.io/integrations/google/#scenario-2-you-do-not-have-credentials-set-up-yet and they also said to use "In production". I can update the instructions, but I'll need someone else to confirm that's working properly for them. #809 reported hitting a "Error 400: invalid_request" for some reason related to that Production status.

[ZaxonXP]

Yesterday the token expired, so I created a new one in the project with the Production status. When I checked the gcalcli util inspect-auth it say that the token is expired. However, when I checked the Google connections page, it say that the access will not expire. Let's see in a week if this is really true.

[dbarnett]

Excellent, thanks again for helping test.

For snags with existing tokens, please check if you can redo any setup under the client after changing to "In Production" in case that helps anything. I'd imagine they at least try to invalidate existing tokens after that change. Wanted to ask @NuvolaF to see if that helps the snag they hit, too.

[ZaxonXP]

So, today is 1 day after a week treshold. Even gcalcli util inspect-auth shows that the token expired on expiry: 2024-10-23 00:48:04.710206 the gcalcli works correctly.

So the correct action would be to set the project to Production and after expiration generate another token.

[dbarnett]

Or delete and reset the token immediately. But you can confirm now you have a token showing expiry: none, and no other steps were needed in the project config?

[rleeden]

I checked a similar project's instructions https://www.home-assistant.io/integrations/google/#scenario-2-you-do-not-have-credentials-set-up-yet and they also said to use "In production". I can update the instructions, but I'll need someone else to confirm that's working properly for them. #809 reported hitting a "Error 400: invalid_request" for some reason related to that Production status.

I've been experiencing the 7-day token expiration issue too, and have been following this thread. I set up a new project under Google Cloud Console, and switched it to Production, hoping to resolve the problem. But now when I try to authorise the application, I also receive an Error 400 - but in my case it's "Error 400: redirect_uri_mismatch"

Full error details are:

Error 400: redirect_uri_mismatch

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy.

If you're the app developer, register the redirect URI in the Google Cloud Console.
Request details: redirect_uri=http://localhost:55853/flowName=GeneralOAuthFlow

I've tried adding "http://localhost" as an Authorised redirect URI in the Google Cloud Console as suggested, but this hasn't helped. Not sure if I'm doing something wrong, or is there something else going on here?

[ZaxonXP]

Or delete and reset the token immediately. But you can confirm now you have a token showing expiry: none, and no other steps were needed in the project config?

In fact the command gcalcli util inspect-auth shows the following:

path: ~/.local/share/gcalcli/oauth
format: pickle
client_id: 1005180736598-mjs63o3a6h4vss4me58tsdepa4q6ov6r.apps.googleusercontent.com
scopes: ['https://www.googleapis.com/auth/calendar']
valid: False
token_state: TokenState.INVALID
expiry: 2024-10-23 00:48:04.710206
expired: True

But it is still working and the https://myaccount.google.com/connections page shows no info about upcomming expiration.

[dbarnett]

Ugh, shame it's getting weird, but at least we can repro issues easily. I'll try to bisect if there's something different about my setup that might be relevant.

[dekerser]

After following api-auth.md setup for 4.0.4-2 gcalcli (default for raspbian repo's) all worked fine on my headless rpi. But after a week gcalcli stopped working, i.e. gcacli list prompted to init. So started reading and in the end updated to 4.5.1. However my problem stayed, i.e. token expired after 7 days. The stack trace that followed on a "agenda" subcommand is as in a previous comment. The "list" subcommand just works.
So put my oauth2 gcalcli access project via console.cloud.google.com to status "In production" (via the "OAuth consent screen" menu item).
And recreated the renew token for gcalcli. Only after this step the myaccount.google gcalcli details page showed a "Access expires on: Does not expire". Before it showed a max 7 days expire period, which is the google default for projects in "Testing" state.
So hope this is the confirmation you are looking for. And is enough to go on to improve the api-auth.md information page.

p.s. to recreate the renew token I moved $HOME/.local/share/gcalcli/oauth to oauth-old and used the "init" subcommand, in fact I also had to do this whenever the renew key expired, else the "init" subcommand found credentials to be "ok". Perhaps a reinit subcommand could be an improvement (or did I miss the correct way to do this)?

[dbarnett]

Thanks! Still a little confused about the 4xx errors people are seeing but I should probably go ahead and update the doc with info we have so far.

init is supposed to prompt you to redo auth if it's already authenticated, but it's possible there's a bug with that.

[dekerser]

My bad: with init, indeed it is working. I was using an ssh from a powershell to my rpi. The powershell isn't showing the "Ignore and refresh? [N]o [y]es:". Just the "Credentials already configured." is visible, and blancs are where the question should be. When I entered it just returned to the prompt (as No is the default). So now I retried it using an cygwin Xterm and this terminal did show the yes/no question. Probably the powershell doesn't like the ascii color codes...

About the 4xx errors I'm not really surprised. I tried the remote server options on "init" (so with --noauth_local_server) but I couldn't get them to work. In the process tried to replace localhost with ip-addresses in the links given by gcalcli but that often resulted in 4xx errors :-). In the end, decided that is was probably firewall related on the rpi side and gave up. So I setup X11 (client side) on rpi and cygwin X11 server on my windows pc. Now I can do a "ssh -Y pi" and start a chromium on the pi to display on my pc. Which makes it possible to set gcalcli up using a local browser without using port forwarding.

[rleeden]

I've been experiencing the 7-day token expiration issue too, and have been following this thread. I set up a new project under Google Cloud Console, and switched it to Production, hoping to resolve the problem. But now when I try to authorise the application, I also receive an Error 400 - but in my case it's "Error 400: redirect_uri_mismatch"

Full error details are:

Error 400: redirect_uri_mismatch

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy.

If you're the app developer, register the redirect URI in the Google Cloud Console.
Request details: redirect_uri=http://localhost:55853/flowName=GeneralOAuthFlow

I've tried adding "http://localhost" as an Authorised redirect URI in the Google Cloud Console as suggested, but this hasn't helped. Not sure if I'm doing something wrong, or is there something else going on here?

I deleted and recreated a new project under Google Cloud Console, set it to Production and managed to run the auth command successfully this time ... no 4xx errors. I don't know what I did differently, but the auth worked, and it's been over 7 days and gcalcli is still working.

[dbarnett]

K awesome, so we still have some unknowns lurking but they probably have workarounds. I'll get the instructions updated and finally get this issue closed out!

And if anyone does hit further 4xx issues with Production mode and is willing to follow up with Google support to understand what's happening there, we might be able to finally resolve the remaining unknowns.

[zzvara]

Could you help clarify some questions regarding the state of the art?

• Is there a security concern about publishing the application to production on the Google OAuth consent screen?
• Will publishing the application to production solve the token expiry issue?
  

Thanks!

[dbarnett]

1. No security concern. That just disables some testing features and enables normal operation.
2. "Production" status solves the expiry issue, yes (as long as it doesn't somehow break the client).

Another question you didn't ask, but might wonder, is whether having it be "in review" after you switch to "Production" mode prevents it from working, and from what I've heard: no that shouldn't matter.

Those answers will be in the auth doc once we confirm and get the doc updated.

[PMDant]

When I try to publish, gcalcli stops returning current date items and starts returning from a single date. Not sure if it's a gcalcli issue or the fact that google wants me to pay to truly publish. Has anyone else seen this behavior?

[dbarnett]

That has to be something else going on, no way the behavior of gcalcli and the API depends on the state of your auth client. That only affects the permission for making the API requests.

[PMDant]

That's what I was figuring but as soon as I drop back to testing everything works as designed including the 7 day auth for testing apps. Are you guys running "paid" accounts when you set the app to published?

[ZaxonXP]

@PMDant: I only use free version of Google services and it is working correctly.

[PMDant]

Hu I'll have to play with it some more and see. Thanks @ZaxonXP

[ntzb]

Hi, it seems I'm facing the same issue.
configured according to the wiki, and after some days, trying to import an ics file throws an exception, ending with:
oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Token has been expired or revoked.
moving the project from testing to production is impossible because it needs verification, as the instructions said to add calendar permissions.

is there a solution? how is anyone using gcalcli without having to recreate token after a few days?

[rleeden]

Hi, it seems I'm facing the same issue. configured according to the wiki, and after some days, trying to import an ics file throws an exception, ending with: oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Token has been expired or revoked. moving the project from testing to production is impossible because it needs verification, as the instructions said to add calendar permissions.

is there a solution? how is anyone using gcalcli without having to recreate token after a few days?

I've been using gcalcli successfully for several months now, without the need to recreate tokens. So it is possible!

It took me a few attempts at getting my project set-up correctly, and I wasn't ever sure what I did differently. My project is set to production (which I believe is a key requirement), without the need for verification. From what I understand, various things can trigger the verification process, such as adding a logo, app domains or other branding, so leave your project as plain and simple as possible.

Good luck!

[ntzb]

I've been using gcalcli successfully for several months now, without the need to recreate tokens. So it is possible!

It took me a few attempts at getting my project set-up correctly, and I wasn't ever sure what I did differently. My project is set to production (which I believe is a key requirement), without the need for verification. From what I understand, various things can trigger the verification process, such as adding a logo, app domains or other branding, so leave your project as plain and simple as possible.

Good luck!

Hi, I will try according to your experience.
a few questions, if you can:

1. did you Enable the Google Calendar API?
2. do you have any calendar scopes added? this specifically triggers the verification need (if added before publishing to production)

[rleeden]

Hi, I will try according to your experience. a few questions, if you can:

1. did you [Enable the Google Calendar API](https://console.developers.google.com/apis/api/calendar-json.googleapis.com/)?

YES - Google Calendar API is enabled

2. do you have any [calendar scopes added](https://console.cloud.google.com/auth/scopes)? this specifically triggers the verification need (if added before publishing to production)

NO - No scopes added