Refresh token cannot be used to obtain new access token
Hi,
- Access token and refresh token are obtained (via Box Token generator) and stored in some storage;
- For 1 hour API access works as expected;
- After 1 hour API responds with 401 status code and header WWW-Authenticate: Bearer realm="Service", error="invalid_token", error_description="The access token provided is invalid."
- Looks like the Box .NET SDK tries to refresh the token pair with the provided refresh token:
POST https://app.box.com/api/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: app.box.com
Content-Length: 193
Expect: 100-continue
Accept-Encoding: gzip, deflate

grant_type=refresh_token&refresh_token=XXX&client_id=ZZZ&client_secret=YYY
API responds with
HTTP/1.1 400 Bad Request
Server: ATS
Date: Mon, 04 Jul 20**removed**:19:34 GMT
Content-Type: application/json
Content-Length: 69
Cache-Control: no-store
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: ...
Set-Cookie: ...
Age: 0
Connection: keep-alive

{"error":"invalid_grant","error_description":"Invalid refresh token"}
Where is the fault: in the Box .NET SDK or in the API? To me it looks like the refresh operation must return a new pair of access token + refresh token.
-
So it turned out that test refresh tokens obtained via https://box-token-generator.herokuapp.com/ for some reason cannot be used to get a new access token. Using https://box-oauth2-mvc.azurewebsites.net instead solved the issue.
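
The refresh exchange captured in the question, as an added Python example that is not part of the original thread or of the Box .NET SDK: it builds the same form body and handles the two response shapes, storing the new pair on success and discarding the stored tokens on `invalid_grant` instead of retrying. `TokenPair`, `ReauthorizationRequired`, `build_refresh_body`, `handle_refresh_response` and the dict used as token storage are hypothetical names; the response bodies fed to it are constructed.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


class ReauthorizationRequired(Exception):
    """The stored refresh token is unusable; the user must authorize again."""


def build_refresh_body(refresh_token, client_id, client_secret):
    # Same form fields, in the same order, as the captured request.
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def handle_refresh_response(status, body, store):
    """Update `store` (a dict standing in for token storage) from a token response."""
    try:
        payload = json.loads(body)
    except ValueError:
        raise RuntimeError(f"unparseable token response (HTTP {status})")
    if not isinstance(payload, dict):
        raise RuntimeError(f"unexpected token response (HTTP {status})")
    if status == 200 and "access_token" in payload:
        # RFC 6749 section 6: the server may issue a new refresh token.
        # Store whatever came back; keep the old one only if none was sent.
        pair = TokenPair(payload["access_token"],
                         payload.get("refresh_token", store.get("refresh_token")))
        store.update(access_token=pair.access_token,
                     refresh_token=pair.refresh_token)
        return pair
    if status == 400 and payload.get("error") == "invalid_grant":
        # Retrying with the same refresh token cannot succeed: drop both
        # stored tokens and send the user back through authorization.
        store.pop("access_token", None)
        store.pop("refresh_token", None)
        raise ReauthorizationRequired(payload.get("error_description", "invalid_grant"))
    raise RuntimeError(f"token endpoint error (HTTP {status}): {payload.get('error')}")
```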