Refresh Token Invalid

zaphod-42 · February 7, 2019, 5:08pm

I’ve been having trouble using the refresh token obtained during an oauth flow. I’ve actually never been able to get it to work properly, but it’s becoming a bigger issue as our project matures. As per the example at the end of the docs, this is my curl request, I’ve just recently been testing it from command line to make sure there isn’t some unknown variable in another library:

curl -X POST -u my-client-id-2456:myclientsecret \
-d grant_type=refresh_token -d refresh_token=myrefreshtoken \

Obviously I’ve replaced the client ID, secret, and refresh token with my actual credentials. This refresh token was obtained 2 days ago, and I always get a response of:

{"error":"invalid_grant","error_description":"Invalid refresh token"}

Any help would be greatly appreciated!

rickkas7 · February 7, 2019, 5:34pm

For all practical purposes, it’s impossible to use the refresh token.

The problem is that you need to specify the client ID and secret, which essentially makes it the same as regular token grant, so there’s really no reason to use the refresh token as it’s currently implemented.

zaphod-42 · February 7, 2019, 5:36pm

I am, in fact, supplying the client ID and secret… How can I implement getting a new token before the existing one expires without interaction from the end user?

rickkas7 · February 7, 2019, 6:26pm

Oh, sorry, you did include that in your curl command.

What type of client token are you trying to create? A customer token? For simple auth or two-legged auth?

zaphod-42 · February 7, 2019, 6:34pm

Simple OAuth… it is in the curl command after the -u flag, should it be somewhere else?

jryd · February 7, 2019, 10:41pm

I am having the same issue and am using two-legged auth.

My curl command is the same as @zaphod-42 -

curl -X POST -u my-client-id-7822:myclientsecret \
-d grant_type=refresh_token -d refresh_token=myRefreshToken \
https://api.particle.io/oauth/token

Interestingly, if I try to refresh an access token I have just received - ie

curl -u my-client-id-7822:myclientsecret -d grant_type=client_credentials \
-d scope=customer=joe.bloggs@example.com https://api.particle.io/oauth/token

curl -X POST -u my-client-id-7822:myclientsecret \
-d grant_type=refresh_token -d refresh_token=myRefreshTokenFromPreviousRequest \
https://api.particle.io/oauth/token

It works, but when I try to refresh tokens from ~70 days ago, I get the same response:

400 error

{
    "error": "invalid_grant",
    "error_description": "Invalid refresh token"
}

jvanier · February 8, 2019, 2:58pm

Thanks for posting these details. We’ll get to the bottom of this.

One clarification regarding refresh tokens: currently (February 2019) only password grant is supported for the default client (particle:particle). So if you are not using a proper OAuth client, refresh tokens won’t work. If you are using a proper OAuth client, refresh tokens work.

Refresh tokens can only be used once. When you use the refresh token, you’ll get another one that you have to store and use next time.

In the case of @jryd I see the refresh token has been used up. This may be the case for @zaphod-42 as well.

Here’s an example of using refresh tokens.

# create a token with grant type password or client_credentials, with or without a customer=a@b.com scope and get an access_token and refresh_token
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=client_credentials https://api.particle.io/oauth/token
{
  "token_type": "bearer",
  "access_token": "e920____________________________________",
  "expires_in": 7776000,
  "refresh_token": "b45f____________________________________"
}

# use the refresh token
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=refresh_token \
    -d refresh_token=b45f____________________________________ \
    https://api.particle.io/oauth/token
{
  "token_type": "bearer",
  "access_token": "e03c____________________________________",
  "expires_in": 7776000,
  "refresh_token": "2b74____________________________________"
}

# try using the same refresh token later
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=refresh_token \
    -d refresh_token=b45f____________________________________ \
    https://api.particle.io/oauth/token
{
  "error": "invalid_grant",
  "error_description": "Invalid refresh token"
}

# use the new refresh token
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=refresh_token \
    -d refresh_token=2b74____________________________________ \
    https://api.particle.io/oauth/token
{
  "token_type": "bearer",
  "access_token": "069b____________________________________",
  "expires_in": 7776000,
  "refresh_token": "51a9____________________________________"
}

zaphod-42 · February 12, 2019, 3:07am

Thank you for that, somehow in my troubleshooting I completely overlooked the fact the the refresh token may have been used… I was grabbing the token out as soon as I retrieved it on my server, but had forgotten that I was forcing a refresh for testing immediately

Thanks for helping

Topic		Replies	Views
How to use the Refresh Token <redux> Cloud	2	921	August 30, 2018
Refresh token or create new token when access_token expired iOS photon	1	862	June 18, 2021
How to use the Refresh Token? Cloud	5	3502	January 18, 2016
Generating OAuth Access Tokens through Ajax Troubleshooting	0	2652	January 28, 2016
Access and refresh tokens for customers Android	1	727	February 26, 2021

Refresh Token Invalid

Related Topics