feat(oauth): auto re-authenticate on invalid_grant error#215
Merged
Conversation
When the cached refresh token is revoked or expired, detect the invalid_grant error during token validation and automatically fall through to the browser-based OAuth re-authentication flow instead of failing with an opaque error. Also adds cachingTokenSource to persist refreshed access tokens to the cache file on disk between runs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
karian7
force-pushed
the
feat/oauth-reauth-on-invalid-grant
branch
from
187fba9 to
3638fe6
Compare
karian7
force-pushed
the
feat/oauth-reauth-on-invalid-grant
branch
from
d614ed0 to
3638fe6
Compare
porjo
requested changes
Feb 22, 2026
PutToken overwrites the cache file with O_TRUNC on re-auth, so explicitly deleting it is unnecessary. Simplify to log a warning and fall through to re-authentication. Rename test to reflect actual behavior: cache file is preserved, not deleted, when invalid_grant is encountered.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
invalid_grant)cachingTokenSourceProblem
When the cached refresh token becomes invalid (e.g., Google Cloud app in "testing" mode where refresh tokens expire after 7 days, or token manually revoked),
BuildOAuthHTTPClientreturns a client that silently fails on the first API call with:The program exits with an error, requiring the user to manually delete the token cache file and re-run the command.
Additionally,
config.Client()does not persist refreshed tokens to disk, so the access token is only refreshed in memory and lost between runs.Solution
Proactive token validation: After reading the cached token, attempt a token refresh before returning the client. If the refresh fails with
invalid_grant, delete the stale cache file and fall through to the browser-based three-legged OAuth flow automatically.cachingTokenSourcewrapper: Wraps the standardoauth2.TokenSourceto persist any refreshed tokens back to the cache file on disk, so subsequent runs reuse the fresh token.IsInvalidGranthelper: Detectsinvalid_granterrors from bothoauth2.RetrieveError.ErrorCodeand error string fallback.Test plan
TestIsInvalidGrant— 6 subtests covering nil, unrelated errors,RetrieveErrorwith matching/different codes, wrapped errors, and string fallbackTestCacheFile_RoundTrip— token write/read round-tripTestCacheFile_DeletedOnInvalidGrant— cache file removal oninvalid_grantTestCacheFile_TokenReturnsErrorForMissingFile— missing file errorTestCacheFile_PutTokenOverwritesExisting— token overwrite behaviorTestRateLimitintegration test passes🤖 Generated with Claude Code