Mattermost, Inc.

Refresh_token-field is empty using Gitlab-Authentification

Summary

refresh_token-Field is empty using Gitlab-Authentification

Steps to reproduce

  • use Mattermost as OAuth2-Server and configure its authentification to Gitlab
  • obtain OAuth token object

Observed with Mattermost 3.6.2 / Gitlab 8.17.3

Expected behavior

  • the token object contains both filled values: “access_token” and “refresh_token”

Observed behavior

  • only “access_token” is filled
  • “sometimes” the refresh_token is filled, but I could not figure out under what circumstances it happens

Hi @wojtus

Could you try updating to the latest version of Mattermost (version 3.7.3) and see if the issue still reproduces for you?

Thanks!

With 3.7.3 I still can reproduce it.
When does the Mattermost-Application decide to send a refresh_token, and when not do it?
As I already wrote: infrequently I get a token with “refresh_token”-field filled. So I suppose, that it generally works, but maybe I am using it the worng way?

Thanks for the feedback @wojtus, I’ll ask for help on your question from our devs and get back to you…

I would be interested in the solution of this issue too, @lindy65, did your devs respond already?

Hi @fjakop,

Not yet - sorry, we’re quite busy with our current release due out on Monday, 17th. I’ll remind them as soon as they have a chance to have a look at this issue :slight_smile:

Thanks for your patience…

Hi guys,

Looks like there is a bug where we’re only returning a refresh token if the grant type is “authorization_code” and the client does not have an active token with the specific user.

I’ve created a ticket here https://mattermost.atlassian.net/browse/PLT-6357 to fix the issue. Sorry for the inconvenience

Pull request to fix the issue (and some others) is here: https://github.com/mattermost/platform/pull/6181

It will be included with the 3.9 release next month.