Basically the OAuth2 flow looks like this:
- Store some info about the requested credentials in the admin session for the user.
- Redirect the user to the page to request permission via Google OAuth2.
- User allows access to Google Analytics.
- User gets redirected back to the admin area (that's the URL you saw that had the code=xxxxx in it.
- System retrieves the credential info stored in the admin session for the user in step #1.
- Exchange the one-time use code with an OAuth2 Access token.
The best I can tell, it's failing at step #5... retrieving the info that was supposed to be stored in step #1 from the user's admin session.
If the admin session for the user was somehow reset, reloading the URL with the code=xxxx in it won't help because the missing bit of info from the session is needed.
I'd maybe just try the
Link Google account
button again. If XenForo requires you to re-login when you are returned, that's going to be a sign that the user's admin session disappeared.
Also, not sure what would happen if you denied the permission request, but it definitely won't work if you deny the requested permission (it doesn't ask for the permission "just because", it asks because it's needed).