A 401 or 500 OAuth error occurs sometime after the Gmail connection is authorized. Whenever this error occurs, the connection must be reauthorized.
401: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie, or other valid authentication credential.
See https://developers.google.com/identity/sign-in/web/devconsole-project.
500 error example:
"kind": "OAuth Refresh Error",
"message": "HTTP Error: {\"error\":{\"status\":500,\"message\":{\"statusCode\":400,\"data\":\"{\\n \\\"error\\\": \\\"invalid_grant\\\",\\n \\\"error_description\\\": \\\"reauth related error (invalid_rapt)\\\",\\n \\\"error_uri\\\": \\\"https://support.google.com/a/answer/9368756\\\",\\n \\\"error_subtype\\\": \\\"invalid_rapt\\\"\\n}\"}}}",
- Gmail Connector
- Okta Identity Engine (OIE)
- Okta Classic Engine
Google Admin settings may require reauthentication for Google Cloud sessions after a certain time period. Currently, this will only affect the Gmail connector, not other Google connectors.
The Reauthentication policy in Google may be configured to require reauthentication for applications using the Google Cloud Platform scope. If Require reauthentication is enabled, Exempt Trusted Apps must also be enabled, and the Okta Workflows app for Gmail must be set as a trusted app.
- Navigate to admin.google.com.
- Navigate to Security > Access and data control > Google Cloud session control.
- Verify if Require reauthentication is selected:
  - If yes, verify that Exempt Trusted Apps is checked.
  - Okta Workflows should be set as a Trusted App under Security > Access and data control > API Controls, Manage Third-Party App Access.
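
When triaging failed Gmail connections, the invalid_rapt subtype shown in the 500 example is buried under three layers of JSON encoding. The following is an added example, not Okta's or Google's code: it unwraps such a record and flags the ones that should be checked against the Google Cloud session control settings above. The record shape (a JSON object holding the "kind" and "message" fields) and the function name are assumptions.

```python
import json

PREFIX = "HTTP Error: "

# Constructed record: the two fields from the 500 example above, wrapped in
# braces so they form one JSON object (assumed shape of the full record).
SAMPLE = r'''{"kind": "OAuth Refresh Error",
"message": "HTTP Error: {\"error\":{\"status\":500,\"message\":{\"statusCode\":400,\"data\":\"{\\n \\\"error\\\": \\\"invalid_grant\\\",\\n \\\"error_description\\\": \\\"reauth related error (invalid_rapt)\\\",\\n \\\"error_uri\\\": \\\"https://support.google.com/a/answer/9368756\\\",\\n \\\"error_subtype\\\": \\\"invalid_rapt\\\"\\n}\"}}}"}'''

# Constructed contrast case: invalid_grant without the invalid_rapt subtype.
OTHER = json.dumps({"kind": "OAuth Refresh Error", "message": PREFIX + json.dumps(
    {"error": {"status": 500, "message": {"statusCode": 400,
     "data": json.dumps({"error": "invalid_grant"})}}})})


def classify_refresh_error(record_text):
    """Return (error, error_subtype, check_reauth_policy) for one error record.

    Layer 1: the record itself is JSON.
    Layer 2: "message" is the text "HTTP Error: " followed by a JSON document.
    Layer 3: error.message.data is a JSON string holding the token endpoint reply.
    Anything that does not match this shape yields (None, None, False).
    """
    try:
        message = json.loads(record_text)["message"]
        if not message.startswith(PREFIX):
            return (None, None, False)
        outer = json.loads(message[len(PREFIX):])
        data = outer["error"]["message"]["data"]
        grant = json.loads(data) if isinstance(data, str) else data
        error, subtype = grant.get("error"), grant.get("error_subtype")
    except (ValueError, KeyError, TypeError, AttributeError):
        return (None, None, False)
    # Only the invalid_grant / invalid_rapt pair from the example is flagged.
    return (error, subtype, error == "invalid_grant" and subtype == "invalid_rapt")


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("other", OTHER)):
        print(name, classify_refresh_error(text))
```

Records flagged True match the reauthentication case described here; an invalid_grant without that subtype is left unflagged for separate investigation.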
