Get 403 forbidden error when using refresh token (possibly a defect?)

I first get a refresh token, then try to use this refresh token to retrieve another access token and id token, but get 403 forbidden. I have searched around but not find an answer to that.

Here is the screenshot of my postman.

The username and password is the client id and client secrect

The refresh token grant type is checked in the application settings.

I have tried the exactly same post body format with Azure AD and I was able to get the access token and id token using Azure refresh token (see the screenshot below), so I am wondering whether I need configure something else in the Okta IDP to make it work? or it is a defect in Okta?

No issue with Azure AD using refresh token in the same post body format.

is redirect_url the same which was used while getting access_token initially? also double check if scopes are all the same. Also verify that access policy for your AuthZ server allows usage of refresh_token

Yes. the redirect_url is the same.
scopes are the same.
the access policy has the refresh token enabled (unlimited).

Hmmmm, is refresh token valid if you check it against /introspect?

Also are you sure about your authorization server id? double check the endpoint address

I used the introspect endpoint and got 403 error too. Why???

username and password is client_id and client secret.

I see that for introspect you are checking /default but you should do it against the same authz server, where you got it from

Yes, I have two authorization servers. One is default, and the other is customized. I used default one above, and below the customized one. Still 403 error.
The refresh token is also from the customized authorization server.
Does refresh_token only work with paid accounts?

It is very strange that I am getting 403 error. I am sure I use the correct client id and client secret as the username and password. If I input an invalid client id, I get “errorCode”: “invalid_client”

I have no problem to get the access token, id token and refresh token using authorization code flow, which means the token endpoint, auth endpoint, client id, client secret, redirect uri and scopes are all accurate.

It is indeed an Okta defect to me.

refresh_token works for sure on all types of accounts, as long as Access Management API feature is enabled for it.

I just ran this scenario on my dev- org and it worked like charm: both refresh and retrospect. You are definitely doing something wrong. Try to parametrize (use placeholders) your requests in Postman, rather than copy/pasting values in

Thanks for checking.
I checked every aspect of the configurations but unfortunately, I didn’t find anything wrong.
I also read the okta help doc regarding the refresh token one more time but nothing helped.
I typed all parameter values except for token value in postman, still getting 403 error.
weird!

I finally got both /introspect and refresh token work after I cleared the cookies in the postman.
@phi1ipp Thank you for your help!

Oh, great news! I didn’t do anything, it’s you who made it working :slight_smile: