I'm trying to refresh a token but Keycloak returns a 400 Bad Request error with following message:
{
"error": "invalid_grant",
"error_description": "Invalid refresh token"
}
I successfully get the refresh token in a request like this:
curl --location --request POST 'http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=my_user' \
--data-urlencode 'password=my_password' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my_client_id' \
--data-urlencode 'client_secret=my_client_secret'
So I get a JWT response with access token and refresh token. Both of them appear to be valid as I load them in jwt.io.
But when I try to use the refresh token I get previous error. The request is like this:
curl --location --request POST 'http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=my_client_id' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=my_refresh_token' \
--data-urlencode 'client_secret=my_client_secret'
In Keycloak's log there is no clue of what the problem is.
Waht could be the cause? Or at least, is there a way to get more info on the cause of the error from Keycloak' response or log?
EDIT:
I have implemented an User Storage Provider SPI so it does the authentication against an external DB but it doesn't manage users into Keycloak. Is it needed that the token owner user exists in Keycloak so refreshing the token works?
Thanks.
