Google Search Console integration breaks after 7 days due to expiring OAuth tokens

[bobsoap]

Past Issues Searched

• I have searched open and closed issues to make sure that the bug has not yet been reported

Issue is a Bug Report

• This is a bug report and not a feature request, nor asking for self-hosted support

Using official Plausible Cloud hosting or self-hosting?

Self-hosting

Describe the bug

Via plausible/analytics#690, only that the number of websites set up is not a factor.

The instructions to integrate Google Search Console with Plausible (https://github.com/plausible/community-edition/wiki/google-integration) use an external user type and a publishing status of "Testing" in Google Cloud Platform.

However, it seems that GCP rotates the OAuth token every 7 days in this constellation:

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days, unless the only OAuth scopes requested are a subset of name, email address, and user profile
via https://developers.google.com/identity/protocols/oauth2

Thanks to @mheland for finding this out.

Following these instructions gives us Google Search Console keywords for max. 7 days before the connection fails with error "invalid_grant" due to the expired token. The only remedy is to unlink the Google account and go through the setup process again from scratch, which is extremely tedious.

Perhaps it's possible to refresh the API token every n days (e.g. 6, if keeping track of the date it was added)?

Expected behavior

Once linked, the Google Search Console integration should persist and not expire for good after 7 days.

Screenshots

No response

Environment

- Plausible CE v2.1.1

[flipzoom]

I had the same problem back then. The solution for me was not to leave the app in test mode, but to actually publish it and go live. Since then, the connection has remained intact.

[mpas97]

As you describe, it's a policy enforced by Google. If the refresh token expires after 7 days, then you will need to redo the login flow from scratch. That's how OAuth (especially refresh tokens) works. See (last section): https://www.oauth.com/oauth2-servers/making-authenticated-requests/refreshing-an-access-token/

So your request Perhaps it's possible to refresh the API token every n days (e.g. 6, if keeping track of the date it was added)? -> The access token is already renewed with like every API call (using the refresh token). So again, if the refresh token expires, you need to relogin (relink in this case). As was written in the last comment, if you publish the app Google removes that expiration policy so the refresh token stays valid (with which access tokens can then be renewed also after one week). So Plausible can't do much here.

[ruslandoga]

Thank you all for the information!

Since it's a documentation issue I'm moving it to the community edition repo. I'll go through publishing an OAuth app on Google and update the Google integration guide with the new screenshots this week.