Score:0

simple_oauth refresh token works only one time

sy flag

I use the [simple_oauth][1] module to authenticate the user.

I have generated the first access_token using the grant_type=password.

Then I tried to get a new access_token using the refresh_token received from the first request:

```
POST /oauth/token

grant_type:refresh_token
refresh_token:def50200d3c74fa2e41a886a6ff1...
client_secret:l0r3m1psum
```

The first time I execute the request it returns the new access_token:

```json
{
    "token_type": "Bearer",
    "expires_in": 300,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJS..",
    "refresh_token": "def502002b9ce17870bc285427a6.."
}
```

The problem is that the second time I run the same request it doesn't work, and I get 401 Unauthorized with this HTML body:

```json
{
    "error": "invalid_request",
    "error_description": "The refresh token is invalid.",
    "hint": "Token has been revoked",
    "message": "The refresh token is invalid."
}
```

For the second request I used the same refresh_token (I'm sure it has not expired; I have set the TTL to 78000 for testing):

```
POST /oauth/token

grant_type:refresh_token
refresh_token:def50200d3c74fa2e41a886a6ff1...
client_secret:l0r3m1psum
```

Shouldn't a grant_type:refresh_token request let us get a new access_token as long as the refresh token has not expired?

But it seems to expire after executing the request just once. If I generate a new refresh_token using grant_type:password, the grant_type:refresh_token request works fine again.

but in

[1]: https://www.drupal.org/project/simple_oauth

id flag
Please show the second request. Did you use the new access token in the second request?
id flag
I think this is the way refresh tokens work. You use them once.
Jaypan avatar
de flag
As far as I know, Cliefen is correct. When you use the refresh token, it is expired, and you receive a new refresh token together with the new authorization token you requested.
Marwen Amri avatar
sy flag
@cilefen I have added the second request to the question, and about using the refresh token once
Marwen Amri avatar
sy flag
@Jaypan but this refresh token has not expired yet; it is as if it expired directly after the first request
Score:1
id flag

This is working as expected. You receive a new access token and refresh token. You must use those in subsequent requests.

Jaypan avatar
de flag
Cliefen is correct. Your first request to `/oauth/token` with the refresh token returned a NEW token. You need to replace the old token with the new token for the next request. Then when that next request is made, you will receive a NEW OAuth token, and replace the last one, and then you repeat forever.
id flag
Actually the access token is usable during the expires_in time.
Jaypan avatar
de flag
Good point. My post should have made it clear that the requests being referred to were only requests to the `/oauth/token` endpoint for `grant_type=refresh_token`, and not requests made to other endpoints.
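As an added illustration of the rotation behaviour described in the answer and comments (this is example code, not code from the question, from simple_oauth or from its underlying library), a small Python model of a token endpoint that spends each refresh token on first use, beside a client that keeps only the latest refresh token. `TokenEndpoint`, `Client` and the "Token is unknown or expired" hint wording are constructed for this example; the "Token has been revoked" hint and the error body are taken from the question.

```python
import secrets
import time


class TokenEndpoint:
    """Constructed stand-in for simple_oauth's /oauth/token with refresh-token
    rotation: each refresh token is accepted once, then marked revoked."""

    def __init__(self, access_ttl=300, refresh_ttl=78000):
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self._refresh = {}  # refresh_token -> {"exp": epoch seconds, "revoked": bool}

    def _issue(self):
        rt = secrets.token_hex(16)
        self._refresh[rt] = {"exp": time.time() + self.refresh_ttl, "revoked": False}
        return {"token_type": "Bearer", "expires_in": self.access_ttl,
                "access_token": secrets.token_hex(16), "refresh_token": rt}

    def token(self, grant_type, **params):
        """Return (http_status, json_body); bodies mirror those in the question."""
        if grant_type == "password":
            return 200, self._issue()  # credential check omitted in this model
        rec = self._refresh.get(params.get("refresh_token"))
        if rec is None or time.time() > rec["exp"]:
            hint = "Token is unknown or expired"  # constructed wording
        elif rec["revoked"]:
            hint = "Token has been revoked"  # the token was already spent
        else:
            rec["revoked"] = True  # rotation: presenting the token spends it
            return 200, self._issue()
        return 401, {"error": "invalid_request", "hint": hint,
                     "error_description": "The refresh token is invalid."}


class Client:
    """Keeps only the latest refresh token, replacing it after every refresh."""

    def __init__(self, endpoint):
        self.ep, self.refresh_token = endpoint, None

    def login(self, username, password):
        _, body = self.ep.token("password", username=username, password=password)
        self.refresh_token = body["refresh_token"]
        return body["access_token"]

    def refresh(self):
        status, body = self.ep.token("refresh_token", refresh_token=self.refresh_token)
        if status != 200:
            raise RuntimeError(body["hint"])
        self.refresh_token = body["refresh_token"]  # keep the new one, drop the old
        return body["access_token"]
```

Replaying the question's second request against this model (the original refresh token after it has already been used) yields the same 401 body with the "Token has been revoked" hint, while a client that stores the rotated token can refresh indefinitely.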