Error refreshing the OAuth2 token invalid_grant

Google Cloud Platform OAuth

Google OAuth invalid grant

While trying to set up server-side interaction between Google App Engine and Google Compute Engine services using a service account, I got stuck with this error message:

Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }'' in /includes/Google/Auth/OAuth2.php:330.

A few days of testing, experiments, googling, and miscellaneous shamanic dances with a tambourine around the “Google APIs Client Library for PHP” source code and its sample usage did not let me make even a small step forward. Trying various variants of service-account.php (recreating the service account, replacing the private key file, trying the other, default service account with the client secret loaded from a JSON file) did not help, and I was still in the same place with the same error. It was funny to finally resolve this issue and smile to myself at how a small mistake at the very beginning can cost a lot of time to fix.
I used a Google service account created specifically for interaction between Google servers. The problem was related to the service account name I used in the code taken from the service-account.php example:

Service Account authentication example


When I found “service_account_name” in the example code and in the PHP Google APIs library source code, I remembered that I had seen exactly that term somewhere in the Google developer console. The first link from a Google search on the keywords “google app service account name”
Google search app engine service account name


returned a link to the article
Google App Service Account Name


which shows where to find my Google App project Service Account name – Application Settings at the Google App Engine console:
Google App Engine Service Account Name


I inserted this service account name into my test example. It seemed to be the right search for the right information, but it led me to the same wrong result every time:

Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }'' in /includes/Google/Auth/OAuth2.php:330

The problem was gone when I replaced the Google App project service account name with the service account email from the APIs & AUTH – Credentials page, which is ultimately the right place to take all the credentials needed to work with this API:

APIS & AUTH - Credentials

Conclusion: the service account name to use in the Google API PHP library is the email assigned by Google to your newly created service account on the Google Developer Console “APIs & AUTH – Credentials” page (see the screenshot above).
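A preflight check that catches this mistake before any token request is sent. This is an added example, not code from the original post or from the Google API PHP library. It assumes the key was downloaded in JSON format (with `client_email` and `token_uri` fields); the function name, sample key, account names and scope are constructed for illustration.

```php
<?php
// Added example. Assumption: the key file is a JSON service account key,
// whose "client_email" and "token_uri" fields are read below.

// Return the claim set for the signed token request, or throw when the
// configured service account name is not the email that owns the key.
function buildTokenClaims($configuredName, $keyJson, array $scopes, $now)
{
    $key = json_decode($keyJson, true);
    if (!is_array($key) || empty($key['client_email']) || empty($key['token_uri'])) {
        throw new InvalidArgumentException('Not a JSON service account key');
    }
    // The name is sent as the issuer ("iss"); the server verifies the
    // signature against that account's keys, so any other name fails.
    if (trim($configuredName) !== $key['client_email']) {
        throw new InvalidArgumentException(sprintf(
            'Service account name "%s" is not the key owner "%s"; expect invalid_grant',
            $configuredName,
            $key['client_email']
        ));
    }
    return array(
        'iss'   => $key['client_email'],
        'scope' => implode(' ', $scopes),
        'aud'   => $key['token_uri'],
        'iat'   => $now,
        'exp'   => $now + 3600, // assertions are valid for at most one hour
    );
}

// Constructed sample key with placeholder values, not a real credential.
$sampleKey = json_encode(array(
    'type'         => 'service_account',
    'client_email' => 'example-id@developer.gserviceaccount.com',
    'private_key'  => 'PLACEHOLDER',
    'token_uri'    => 'https://oauth2.googleapis.com/token',
));
$scopes = array('https://www.googleapis.com/auth/compute.readonly');

// First name: constructed App Engine project name; second: the key's email.
$names = array('example-app@appspot.gserviceaccount.com',
               'example-id@developer.gserviceaccount.com');
foreach ($names as $name) {
    try {
        $claims = buildTokenClaims($name, $sampleKey, $scopes, time());
        echo 'OK, iss = ', $claims['iss'], PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```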

A little advice: if you don’t wish to lose a lot of time struggling with strange errors, start your adventure with the Google API PHP library from this link. It will help you make fewer mistakes than someone else (can you guess who?) already did :).