Revoked grant status

Hi,
I am trying to detect revoked grant events, i revoked access by deleting it via the google account but the status of the grant in the nylas dashboard remains valid,
is there a delay before the status changes to invalid.

Hi @saissaoui - thanks for messaging.

Just so I understand the user flow, you are trying to have the user revoke access via Google (i.e. provider), and then need to find a way to confirm if the Nylas grant_id has been revoked?

Just confirming, so I can try to reproduce the scenario.

Also, have you tried taking a look at the grant.expired webhooks?

Just one more way to confirm if the dashboard is not updated, is by doing a quick cURL command:

-curl --location  'https://api.us.nylas.com/v3/grants/{{grant_id}}' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <NYLAS_API_KEY>'

thank’s for the response, yes that’s what i am trying to do, i am waiting for a grant.expired event in the webhook i already set, but i did not receive it,
And i can confirm that the status is not updated because calling the https://api.us.nylas.com/v3/grants/{{grant_id}}

returns this :

{
    "request_id": "473bd679-d715-49d1-b30f-c202c9ad0531",
    "data": {
        "id": "2001ee62-d0bf-4277-9eea-5e19e52c47b5",
        "grant_status": "valid",
        "provider": "google",
        "scope": [
            "openid",
            "https://www.googleapis.com/auth/userinfo.email",
            "https://www.googleapis.com/auth/userinfo.profile",
            "https://www.googleapis.com/auth/calendar"
        ],
        "email": "sofiane.aissaoui@mym.fans",
        "settings": {},
        "ip": "13.37.149.164",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
        "created_at": 1715085033,
        "updated_at": 1715085110,
        "provider_user_id": "101515767368529394604"
    }
}

but when i call the calendars/availability endpoint i have this response

{
    "request_id": "b38cd1b6-4f9c-41e3-8052-45b07d7223b5",
    "error": {
        "type": "authentication_error",
        "message": "Error creating grant with provided OAuth params; provider details: {\"oauth2\":\"\\\"invalid_grant\\\" \\\"Token has been expired or revoked.\\\"\"}"
    }
}

Thanks for sharing the details, let me confirm this with the team and circle back!

I tried to reproduce the same and was able to invalidate a grant saw the following

  1. received the Webhook grant.expired:

{"specversion":"1.0","type":"grant.expired","source":"/nylas/system","id":"<ID>","time":1715113002,"webhook_delivery_attempt":1,"data":{"application_id":"<APP_ID>","object":{"code":25009,"grant_id":"<GRANT_ID>","integration_id":"<INTEGRATION_ID>","metric":344842,"provider":"google"}}}
  1. Saw the dashboard status as invalid

I went through Google’s App and Data Privacy to revoke the Nylas Sandbox App:

Also I tested the flow using pipedream to receive the Webhooks event.

Question for you - did you see the status eventually change to invalid or receive the Webhooks grant.expired? I did not see the changes immediately, but it was relatively quick (switched between a few apps and it was updated).

that’s exactly what i did, i deleted the connections from the google App an data privacy, but i see no changes, and i did receive no events, i tested this with two google accounts (my pro and my personal accounts) and they still have a valid grant status , but i still have a 401 response when i try to get the availabilities, with this error message

Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

which means that my grant is revoked i guess

Hello, I have a similar question.
How long does it take for grant_id to expire? I had implemented Nylas v3 Custom authentication, so I already have users Google Access and Refresh token. I can listen for grant.expired event and then in the background re-authenticate user again by sending RefreshToken to Nylas auth endpoint, right?
But, how to distinguish when grant_id gets expired because of elapsed time (the explained scenario above), and when it expires because user revoked access directly from his Google Account?
When user directly revoke access from his Google Account, I do not want to re-authenticate him.
Both when grant expires by it self and when user revoked access, the same grant.expired event is sent.

1 Like

to answer myself, I could try to re-authenticate user whenever grant.expired webhook event arrives. Re-authentication is simply sending Google’s RefreshToken on Nylas auth endpoint right?
So, when grant.expired webhook event arrives because grant had expired with time, re-authentication will work fine. And when grant.expired webhook event arrives because user revoked access, re-authentication won’t work because Google’s RefreshToken is no longer valid. And thats probably it.

1 Like

Hi @matej.djurin - thanks for the messages, and your last message makes sense, you can only use the refresh token if its active / valid.

1 Like

Hi @saissaoui - slightly perplexed why you do not receive invalid status, are you using your own Google credentials, have you tested this within using the Nylas sandbox environment?

I am using a pro Google account which belong to my company, and tested it in a staging nylas environment

1 Like

Hi @ram i am coming with some update, i made a test in the sandbox env, with my personal google account , and it works, i am receiving the grant.expired webhook event , do you think it’s the Google OAuth client config that can cause the problem?

Hi @saissaoui - its possible there is configuration missing with the Google OAuth Client Config - it could be that pub/sub was not enabled in the Google Project created.

Hi @ram , according to the nylas doc it’s not necessary if we don’t plan to use email api , and we are using only calendar api

If you plan to use the Nylas Email API with Google, you must set up Google Pub/Sub before you create a connector. If you don't plan to use the Nylas Email API with your GCP app (for example, if you're creating a calendar-only project), you can skip this step.

Let me confirm this step and will keep you updated.

So webhooks should be received if no pub/sub is setup, there may be a slight delay, but I don’t think this should cause an issue.

Let me see if I can reproduce this and circle back with updates.

1 Like