Google Gemini CLI OAuth Fails with 'AbortError: This operation was aborted'
Authentication flow fails when the OAuth callback server on localhost:8085 cannot capture the redirect, causing an AbortError during token exchange.
Symptoms
The Google Gemini CLI OAuth flow terminates prematurely with the following error sequence:
Exchanging authorization code for tokens
Gemini CLI OAuth failed
OAuth help
  Trouble with OAuth? Ensure your Google
  account has Gemini CLI access.
AbortError: This operation was aborted
The authentication sequence progresses through these stages before failing:
- Browser opens - The system browser launches for Google sign-in
- User authenticates - Google account credentials are submitted
- Callback fails - The redirect to localhost:8085 is not captured
- AbortError thrown - The token exchange operation is terminated
The issue occurs on macOS 15.4 (Sonoma) with Homebrew-installed OpenClaw v2026.3.8.
Affected configurations:
- Model selection: Google (Gemini API key + OAuth)
- Auth method: Google Gemini CLI OAuth (unofficial flow)
Root Cause
The AbortError originates from the OAuth callback server failure. The underlying sequence is:
1. Callback Server Registration Failure
The OpenClaw OAuth handler registers an HTTP server on localhost:8085 to intercept the Google redirect. On macOS, the native open command launches the browser, but the local server may fail to bind or accept connections due to:
- Port 8085 already in use - Another process holds the port
- Socket not yet ready - Server binding race condition
- Firewall/network restrictions - localhost traffic blocked or proxied
2. Timeout During Authorization Code Exchange
When the callback server fails to respond within the expected window, the underlying fetch operation that exchanges the authorization code for tokens is aborted:
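// Simplified representation of the failure path
fetch(tokenEndpoint, {
  method: 'POST',
  body: new URLSearchParams({ code /* ...other token request parameters */ })
}).catch(err => {
  // An aborted request surfaces as AbortError and is rethrown to the caller;
  // any other error is ignored in this simplified sketch
  if (err.name === 'AbortError') throw err;
});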
3. Regression Analysis
The unofficial Gemini CLI OAuth flow relies on a non-standard endpoint (https://gemini.google.com/api/auth/token) that changed behavior in recent versions. The regression likely stems from:
- Token endpoint modification - Google may have altered the unofficial OAuth endpoint
- Certificate/redirect URI changes - The http://localhost:8085 callback may require additional configuration
- Timeout value reduction - The server startup wait time may be insufficient on macOS Sonoma
Technical Failure Chain
User Action -> Browser Launch (open command) ->
Callback Server Start (fails) ->
Authorization Response (missed) ->
Token Exchange (timeout) ->
AbortError thrown
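The bind race and port conflict described above can be made explicit in a loopback listener. This is an added example, not OpenClaw's code: the hypothetical waitForCallback binds to 127.0.0.1 only, signals readiness before any browser launch, reports a busy port as EADDRINUSE, and rejects redirects whose state does not match.

```javascript
// Added example, not OpenClaw's code. waitForCallback and its options are
// hypothetical names; 8085 is the callback port named on this page.
async function waitForCallback({ port = 8085, expectedState, timeoutMs = 120000, onReady }) {
  const { createServer } = await import('node:http');
  return new Promise((resolve, reject) => {
    let timer;
    const reply = (res, status, text) =>
      res.writeHead(status, { 'Content-Type': 'text/plain', Connection: 'close' }).end(text);
    const server = createServer((req, res) => {
      const params = new URL(req.url, `http://127.0.0.1:${port}`).searchParams;
      const code = params.get('code');
      // CSRF check: accept only a redirect carrying the state this flow generated.
      if (!code || params.get('state') !== expectedState) {
        reply(res, 400, 'Invalid OAuth callback');
        return; // keep listening for the genuine redirect
      }
      reply(res, 200, 'Authentication complete. You can close this tab.');
      clearTimeout(timer);
      server.close();
      resolve(code);
    });
    // A busy port is reported here as EADDRINUSE, not later as an opaque abort.
    server.once('error', reject);
    // Loopback only; open the browser from onReady, after the bind has succeeded.
    server.listen(port, '127.0.0.1', () => {
      timer = setTimeout(() => {
        server.close();
        reject(new Error('OAuth callback timed out'));
      }, timeoutMs);
      if (onReady) onReady(server.address().port);
    });
  });
}
```
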
Step-by-Step Fix
Method 1: Kill Conflicting Processes on Port 8085
Before:
# Check what's using port 8085
lsof -i :8085
After:
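# Kill only the process listening on the port (a plain "lsof -i :8085" also
# matches clients that merely hold a connection to port 8085, such as a browser)
lsof -ti tcp:8085 -sTCP:LISTEN | xargs kill -9 2>/dev/null || true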
# Retry authentication
openclaw auth google --provider gemini
Method 2: Use Alternative Authentication Method
If the OAuth flow continues to fail, use the Google API key method instead:
Step 1: Obtain a Gemini API key from Google AI Studio
Step 2: Configure OpenClaw manually:
# Via CLI (note: a key passed as an argument is saved in shell history)
openclaw config set providers.google-gemini.apiKey "YOUR_API_KEY"
openclaw config set providers.google-gemini.authMethod "api-key"
# Verify configuration
openclaw config get providers.google-gemini
Before vs After configuration:
# BEFORE (OAuth flow - broken)
openclaw config set providers.google-gemini.authMethod "oauth-cli"
# AFTER (API key method - stable)
openclaw config set providers.google-gemini.authMethod "api-key"
openclaw config set providers.google-gemini.apiKey "AIza..."
Method 3: Clear Corrupted OAuth Cache
# Remove OAuth tokens for Google Gemini
rm -rf ~/.config/openclaw/auth/google-gemini-oauth*
# Also clear browser-based OAuth state
rm -rf ~/.config/openclaw/auth/.oauth-state*
# Re-run authentication
openclaw onboard
Method 4: Wait for Server Initialization (Retry)
The callback server may need additional time to bind. Retry the flow with a slight delay:
# Ensure no lingering processes
pkill -f "openclaw.*oauth" || true
sleep 2
# Retry the authentication
openclaw onboard
Verification
Verify OAuth Token Creation (Post-Fix)
After applying the fix, confirm successful authentication:
# Run the authentication flow
openclaw onboard
# Check for successful token storage
ls -la ~/.config/openclaw/auth/
# Verify the token file exists and is valid JSON
# (this prints the access and refresh tokens to the terminal)
jq '.' ~/.config/openclaw/auth/google-gemini-token.json
Expected output:
{
  "access_token": "ya29...",
  "refresh_token": "1//...",
  "expires_at": 1710000000,
  "token_type": "Bearer"
}
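The same check can be done without printing the tokens. This is an added example, not OpenClaw's code: the hypothetical checkTokenFile inspects the file mode, the fields shown in the expected output, and the expiry, and reports field names only. It assumes expires_at is in Unix seconds, as the sample value suggests.

```javascript
// Added example, not OpenClaw's code. checkTokenFile is a hypothetical helper; the
// field names follow the sample output on this page, and expires_at is assumed
// to be Unix seconds.
async function checkTokenFile(path, nowMs = Date.now()) {
  const { stat, readFile } = await import('node:fs/promises');
  const problems = [];
  let info;
  try {
    info = await stat(path);
  } catch {
    return { ok: false, problems: ['token file is missing'], fields: [] };
  }
  // Refresh tokens are long-lived credentials: no access for group or other.
  if (info.mode & 0o077) problems.push('file is accessible to group/other (expected mode 600)');
  let token;
  try {
    token = JSON.parse(await readFile(path, 'utf8'));
  } catch {
    return { ok: false, problems: [...problems, 'not valid JSON'], fields: [] };
  }
  if (token === null || typeof token !== 'object' || Array.isArray(token)) {
    return { ok: false, problems: [...problems, 'not a JSON object'], fields: [] };
  }
  for (const field of ['access_token', 'refresh_token', 'expires_at', 'token_type']) {
    if (!(field in token)) problems.push(`missing field: ${field}`);
  }
  if (typeof token.expires_at === 'number' && token.expires_at * 1000 <= nowMs) {
    problems.push('access token has expired');
  }
  // Report field names only, never the token values.
  return { ok: problems.length === 0, problems, fields: Object.keys(token) };
}
```
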
Verify API Connectivity
Test that authenticated requests succeed:
# Test with a simple model list command
openclaw models list --provider google-gemini
# Or test an inline completion
openclaw complete "say hello" --provider google-gemini --model gemini-pro
Expected output:
Successfully connected to Google Gemini API
Authentication verified
Confirm Exit Code
openclaw auth verify --provider google-gemini
echo "Exit code: $?"
Expected: Exit code 0 with no error messages.
Common Pitfalls
- Port 8085 already in use - Other applications (Zoom, Skype, development servers) may occupy the callback port. Use lsof -i :8085 to identify conflicts.
- macOS Sonoma privacy protections - System Integrity Protection or network extensions may block localhost traffic. Disable "Lockdown Mode" if enabled.
- VPN/proxy interference - Corporate VPNs often redirect localhost traffic. Disconnect VPN before authenticating.
- Browser not receiving redirect - If the browser closes before callback, the server never receives the authorization code. Use Chrome instead of Safari.
- Expired refresh token - OAuth tokens expire. If the previous authentication was months ago, clear the cache and re-authenticate.
- Multiple OpenClaw instances - Running openclaw in multiple terminals can cause port conflicts. Close all instances before re-authenticating.
- Unofficial flow instability - The "Gemini CLI OAuth (Unofficial flow)" depends on non-documented endpoints. Google may block or modify these without notice.
Related Errors
- ECONNREFUSED localhost:8085 - Callback server failed to start. Check if port 8085 is available.
- ETIMEDOUT on token exchange - Network timeout when reaching Google's unofficial OAuth endpoint.
- 401 Unauthorized from Gemini API - Access token is invalid or expired. Re-authenticate.
- Browser shows "This page isn't redirecting properly" - OAuth state parameter mismatch or callback URI misconfiguration.
- Error: Account does not have Gemini CLI access - The Google account lacks proper permissions for the unofficial API. Use API key authentication instead.
- OAuth state mismatch error - CSRF protection failed. Clear browser cookies and retry.