Invalid refresh token

merggdev January 4, 2021, 11:11pm #1

I’m getting back {"status":400,"message":"Invalid refresh token"} when trying to refresh an access token.

I make the following request to refresh the token:
POST https://id.twitch.tv/oauth2/token?client_id=xxxx&client_secret=yyy&grant_type=refresh_token&refresh_token=zzz

Here is how my flow works:

Get code
Get access token/refresh/expire token from code
Save access token/refresh/expire token from code
When making request on behalf user, check if access token has expired. If so, refresh token using the request above and save to database
Make request using current token

Its possible that tokens aren’t being refreshed within the expiration time but to my understanding, refresh tokens do not expire on the expires_on date.

Any guidance to why I’m having this issue?

BarryCarlyon January 4, 2021, 11:13pm #2

Something caused the refresh token to die, this could be including but not limited to

user changed their password
user unlinked your application
user generated 25 tokens against your application ID (token 26 kills token 1 and may kill it’s refresh)

merggdev January 5, 2021, 12:35am #3

i know for sure they they didnt change password or unlink application.

when you say generated 25 tokens, wouldnt the way i store and use tokens avoid this? every single time i get a new token, i store it in the database along with the new refresh token and use that one from now on.

BarryCarlyon January 5, 2021, 12:38am #4

sure in theory.

But I didn’t list every possible

Just the most common, there are a bunch of unknown’s that could kill a token/refresh token

merggdev January 5, 2021, 1:33am #5

I can rule out users changing password or unlinking application because that should return 401:

When a user changes their password or disconnects an app, we delete all tokens for that user. Both refresh and access tokens for that user will return 401 Unauth

I can rule out the old token being killed because im always using the most recent token.

Is there a complete list of other reasons of what else could be going wrong?

BarryCarlyon January 5, 2021, 1:34am #6

No

merggdev January 5, 2021, 1:40am #7

@BarryCarlyon, do you have any other recommendations on how to troubleshoot? I’m only experiencing these issues under my production server, which manages many more accounts than my dev server. The dev server never has this issue

BarryCarlyon January 5, 2021, 1:41am #8

I just get my users to reauth when I lose a refresh token from working

merggdev January 5, 2021, 1:44am #9

@BarryCarlyon, its a business requirement that they dont have to reauth often. any work arounds?

BarryCarlyon January 5, 2021, 1:46am #10

Not that I know of

Whenever a token/refresh token dies the only solution is new tokens

For me if effects only one of my users