
I'm trying to refresh the access token (based on https://docs.wso2.com/display/IS510/Refresh+Token+Grant) obtained from WSO2 Identity Server; the server returns an invalid grant type response:

  "error": "invalid_grant",
  "error_description": "Provided Authorization Grant is invalid"

The access token is obtained using the "authorization code" grant type with the openid scope.

I've turned on the logging on the server; however, I'm not able to determine the reason for the invalid grant type response. How can I get the WSO2 Identity Server to refresh my access token using the refresh token?

Logs from the server:

TID: [-1234] [] [2016-03-14 09:20:11,241] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID CHao3ZYUVY6tRX4jJ82yzh4NVpka, User ID null, Scope : [openid] and Grant Type : refresh_token

TID: [-1234] [] [2016-03-14 09:20:11,241] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: CHao3ZYUVY6tRX4jJ82yzh4NVpka

TID: [-1234] [] [2016-03-14 09:20:11,241] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : refresh_token Strict client validation set to : null

TID: [-1234] [] [2016-03-14 09:20:11,242] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.

TID: [-1234] [] [2016-03-14 09:20:11,242] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : CHao3ZYUVY6tRX4jJ82yzh4NVpka

TID: [-1234] [] [2016-03-14 09:20:11,243] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were added to the cache for client id : CHao3ZYUVY6tRX4jJ82yzh4NVpka

TID: [-1234] [] [2016-03-14 09:20:11,245] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} - Invalid Refresh Token provided for Client with Client Id : CHao3ZYUVY6tRX4jJ82yzh4NVpka

TID: [-1234] [] [2016-03-14 09:20:11,245] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant provided by the client Id: CHao3ZYUVY6tRX4jJ82yzh4NVpka

TID: [-1234] [] [2016-03-14 09:20:11,246] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_grant client-id=CHao3ZYUVY6tRX4jJ82yzh4NVpka grant-type=refresh_token scope=openid

Hi Hank. Did you ever find a solution for this? – Jonathan Williams

@JonathanWilliams check out my recent solution to this and see if it solves your problem. – LivePwndz

Jonathan, sorry for the delayed response. I've not found a viable solution for the device. However, if you have the session cookies (web applications) of the original authentication request, and pass these cookies during the refresh of the token, then it works. – Hank

Question is old... Hopefully it can help someone else after this long ;). I had the same issue. However, I resolved it by specifying the exact refresh token. It's worth noting that refresh_token is different from the access token. If you don't have/know your refresh_token, use this curl command to get it.

curl -k -d "grant_type=password&username=<username>&password=<password>" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

The response will be like this:

{ "scope": "default", "token_type": "Bearer", "expires_in": 2604, "refresh_token": "7d6e9047d44a84e6bae7e80e3996182d", "access_token": "4255a34923eb464b6dc2983acffef4d8" }

Then use that refresh_token in your renew token curl call. More details on the 1st curl request here. Peace out .V.
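The refresh call this answer describes, as an added Python example that is not part of the original answer: it builds the request from a stored token response so that the refresh_token value, not the access_token, goes in the body, and it surfaces the server's OAuth error fields on failure. The sample responses are constructed from the values shown on this page; the client ID and secret are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample responses: a token response shaped like the one in the
# answer, and the error body quoted in the question.
SAMPLE_TOKEN_RESPONSE = ('{"scope": "default", "token_type": "Bearer", "expires_in": 2604, '
                         '"refresh_token": "7d6e9047d44a84e6bae7e80e3996182d", '
                         '"access_token": "4255a34923eb464b6dc2983acffef4d8"}')
SAMPLE_ERROR_RESPONSE = ('{"error": "invalid_grant", '
                         '"error_description": "Provided Authorization Grant is invalid"}')


def build_refresh_request(token_response, client_id, client_secret, token_url):
    """Build (but do not send) the refresh-token POST from a stored token response."""
    tokens = json.loads(token_response)
    refresh_token = tokens.get("refresh_token")
    if not refresh_token:
        raise ValueError("stored token response has no refresh_token field")
    # The form body carries the refresh_token value, never the access_token.
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": refresh_token})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_url, data=body.encode(), method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_result(response_body):
    """Return the new token set, or raise with the server's OAuth error fields."""
    result = json.loads(response_body)
    if "error" in result:
        raise PermissionError(
            f'{result["error"]}: {result.get("error_description", "")}')
    # If the server returned a new refresh_token, it replaces the stored one.
    return {k: result.get(k) for k in ("access_token", "refresh_token", "expires_in")}


if __name__ == "__main__":
    req = build_refresh_request(SAMPLE_TOKEN_RESPONSE, "CLIENT_ID_PLACEHOLDER",
                                "CLIENT_SECRET_PLACEHOLDER", "https://localhost:8243/token")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the returned request to `urllib.request.urlopen` to send it; unlike `curl -k`, that verifies the server certificate by default.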


Please have a look into this blog, which explained the cURL command and its content. Hope this blog will resolve your issue.