Refresh Token Invalid


#1

I’ve been having trouble using the refresh token obtained during an oauth flow. I’ve actually never been able to get it to work properly, but it’s becoming a bigger issue as our project matures. As per the example at the end of the docs, this is my curl request, I’ve just recently been testing it from command line to make sure there isn’t some unknown variable in another library:

curl -X POST -u my-client-id-2456:myclientsecret \
-d grant_type=refresh_token -d refresh_token=myrefreshtoken \

Obviously I’ve replaced the client ID, secret, and refresh token with my actual credentials. This refresh token was obtained 2 days ago, and I always get a response of:

{"error":"invalid_grant","error_description":"Invalid refresh token"}

Any help would be greatly appreciated!


#2

For all practical purposes, it’s impossible to use the refresh token.

The problem is that you need to specify the client ID and secret, which essentially makes it the same as regular token grant, so there’s really no reason to use the refresh token as it’s currently implemented.


#3

I am, in fact, supplying the client ID and secret… How can I implement getting a new token before the existing one expires without interaction from the end user?


#4

Oh, sorry, you did include that in your curl command.

What type of client token are you trying to create? A customer token? For simple auth or two-legged auth?


#5

Simple OAuth… it is in the curl command after the -u flag, should it be somewhere else?


#6

I am having the same issue and am using two-legged auth.

My curl command is the same as @zaphod-42 -

curl -X POST -u my-client-id-7822:myclientsecret \
-d grant_type=refresh_token -d refresh_token=myRefreshToken \
https://api.particle.io/oauth/token

Interestingly, if I try to refresh an access token I have just received - ie

curl -u my-client-id-7822:myclientsecret -d grant_type=client_credentials \
-d scope=customer=joe.bloggs@example.com https://api.particle.io/oauth/token
curl -X POST -u my-client-id-7822:myclientsecret \
-d grant_type=refresh_token -d refresh_token=myRefreshTokenFromPreviousRequest \
https://api.particle.io/oauth/token

It works, but when I try to refresh tokens from ~70 days ago, I get the same response:

400 error

{
    "error": "invalid_grant",
    "error_description": "Invalid refresh token"
}

#7

Thanks for posting these details. We’ll get to the bottom of this.

One clarification regarding refresh tokens: currently (February 2019) only password grant is supported for the default client (particle:particle). So if you are not using a proper OAuth client, refresh tokens won’t work. If you are using a proper OAuth client, refresh tokens work.

Refresh tokens can only be used once. When you use the refresh token, you’ll get another one that you have to store and use next time.

In the case of @jryd I see the refresh token has been used up. This may be the case for @zaphod-42 as well.

Here’s an example of using refresh tokens.

# create a token with grant type password or client_credentials, with or without a customer=a@b.com scope and get an access_token and refresh_token
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=client_credentials https://api.particle.io/oauth/token
{
  "token_type": "bearer",
  "access_token": "e920____________________________________",
  "expires_in": 7776000,
  "refresh_token": "b45f____________________________________"
}

# use the refresh token
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=refresh_token \
    -d refresh_token=b45f____________________________________ \
    https://api.particle.io/oauth/token
{
  "token_type": "bearer",
  "access_token": "e03c____________________________________",
  "expires_in": 7776000,
  "refresh_token": "2b74____________________________________"
}

# try using the same refresh token later
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=refresh_token \
    -d refresh_token=b45f____________________________________ \
    https://api.particle.io/oauth/token
{
  "error": "invalid_grant",
  "error_description": "Invalid refresh token"
}

# use the new refresh token
$ curl -X POST -u two-legged-auth:________________________________________ \
    -d grant_type=refresh_token \
    -d refresh_token=2b74____________________________________ \
    https://api.particle.io/oauth/token
{
  "token_type": "bearer",
  "access_token": "069b____________________________________",
  "expires_in": 7776000,
  "refresh_token": "51a9____________________________________"
}

#8

Thank you for that, somehow in my troubleshooting I completely overlooked the fact the the refresh token may have been used… I was grabbing the token out as soon as I retrieved it on my server, but had forgotten that I was forcing a refresh for testing immediately :man_facepalming:

Thanks for helping