Problems with refreshing of OAuth tokens


#1

Summary

When I try to referesh a token, I allways get an “api.oauth.get_access_token.refresh_token.app_error” error with 404-http code.

Steps to reproduce

  • Request a Token -> acces & refresh tokens a created an returned
  • with those tokens initialize a refresh-grant -> leads to an error
  • MM Version: 3.9.0
  • I access OAuth with https://github.com/lelylan/simple-oauth2

Expected behavior

  • a new pair of tokens is returned

Observed behavior

  • I allways get
    {
    “name”: “Error”,
    “status”: 404,
    “message”: “Not Found”,
    “context”: {
    “id”: “api.oauth.get_access_token.refresh_token.app_error”,
    “message”: “invalid_grant: Invalid refresh token”,
    “detailed_error”: “”,
    “request_id”: /…/,
    “status_code”: 404
    }
    } as the anwer
  • after mattermost code-analysis I coud find out, that the refresh_token is not saved in the DB (OAuthAccessData-Table), but the acces_token from this pair is stored in the “token”-column

#2

Hi @wojtus,

Thanks for your feedback,

On our instance, Zapier is using the refresh token and we also have unit tests testing the refresh token so what you’re reporting might be a bug.

I’ve created this ticket to investigate.


#3

@wojtus have you tried the following

make a POST request to http(s)://<your-mattermost-instance-url>/oauth/access_token?grant_type=refresh_token&client_id=<your-client-id>&client_secret=<your-client-secret>&refresh_token=<the-refresh-token-provided-with-the-access-token>