Unable to Refresh token - Custom Application - OAuth2.0 - "error: invalid_grant"

Hi @rbarbosa, @pchristensen, @smartoneinok, @CodeBoxSeb,

Can you guys please help me here. any insights would be really helpful.

Thanks, Sarin

HI

Normally when you get invalid token it is because the token is actually invalid, rather than eg. expired. First I would check that the token is not truncated or anything like that during the storage and retrieval process. Does this work if you store it somewhere else like a text file and then try?

Also, your cURL example is not going to work. The token refresh endpoint can use application/x-www-form-urlencoded encoding, not JSON like in your example. See https://developer.box.com/reference/post-oauth2-token--refresh/

Rgds

Peter

Hi @pchristensen,

I cross checked if i we are re-formatting or truncating the received tokens.

I just tried again using the curl example you pointed out. I am getting the same error.

Also please check this documentation from box where it shows the earlier format of CURL command - [here] (https://developer.box.com/guides/authentication/tokens/refresh/)

This time, i used the refresh token, which i just received (even before storing it in database)

Is there any application specific settings or permissions or license, that could cause this??

Thanks,

Sarin

Ok, @ostefaniuk seems to be a discrepancy in the documentation on how to refresh tokens.

Refreshing tokens should ideally just work for OAuth2.0 apps, no settings or license needed. The only way I can reproduce the error message “Invalid refresh token” is when I generate the token with one client_id/secret and then try to refresh using a different client_id/secret from antoher OAuth2.0 app. Can we rule that out as well?

Hi @pchristensen,

I have only a single custom app created and i use the ClientId and ClientSecret of that application only.

I just verified it, and we are only using a single clientId and clientSecret for generating token and refreshing token.

Is there any other ways to debug this issue?

What if share the exact datetime of the action, can you check the logs from your end?

Thanks, Sarin.

Hi @sarin-vt,

Thank you for reporting your issue. Our team has updated the sample code on the refresh token guide in the documentation page.

Would you be able to check if the issue persists if you use a free developer account? I’d be grateful if you could set up a new free developer account [Box] with a different e-mail address, create a new app and test the app you’re developing with updated credentials? This way we’ll check if the issue is consistent across different accounts.

Best,

Olga

Hi folks,

This happens to me a lot, so I just wanted to share my use case.

I have a lot of OAuth 2.0 Box apps and use them in many different places, from python scripts to Postman, etc, and I don’t keep a good record of which box app is being used for what.

When we refresh an access token, we get both a new access and refresh token.

If 2 applications are requesting this for the same app and user, the tokens become miss matched, and that could explain what you are experiencing, although I would expect a invalid token error message (I don’t remember the exact error message I get).

For example, let’s say I have Postman setup correctly for Box app A, made a few calls, got an access and refresh token.

Later in a python script I’m authorize the same app, and get a new access and refresh token.

A few days later I go back to Postman, and I get the refresh error.

Cheers

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.