Invalid grant and The refresh token is invalid or expired

I faced a bad request issue for the default/v1/token endpoint, with the following error message:
{"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}

This happened after I logged in to an app after quite some time.

Something unusual I noticed is that after the /authorize call,
the call to default/v1/token had grant_type as refresh_token instead of authorization_code.

Could this be the reason for the bad request?
If yes, when would this happen and how do I correct it?

Can the above happen because of this: Okta Workflows Connection Fails with “The refresh token is invalid or expired” error and requires reauthorization?

The most likely cause is that you’re trying to use an old, already-used, or expired refresh token. Refresh tokens are typically single-use - once used to obtain a new access token, the old refresh token becomes invalid and a new one is issued.

You mentioned the token request used “grant_type=refresh_token” instead of “authorization_code” after the /authorize call. This is incorrect - the initial token request after authorization should use the authorization_code grant type. The refresh_token grant type is only used later to refresh an expired access token.

Thanks for your response. Usually for us “grant_type=refresh_token” comes later on.
But any idea when such a case happens?

This is unusual. Ideally after the /authorize call, the next step should use grant_type=authorization_code to exchange the authorization code for an access token and refresh token.

Possible reasons for this unusual behavior that I could think of:

  • The client application might be incorrectly configured to use refresh_token grant type immediately.

  • If the application is caching old tokens, it might mistakenly try to use a refresh token from a previous session.

Even if, say, the refresh token is expired, it should be handled so the user reauthenticates, right? How is it that it gives a bad request? That is what I am unclear about.

When a refresh token expires, the server typically responds with:

  • HTTP status code: 400 Bad Request
  • Error message: {"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}

This is normal behavior.

You can try doing this:

  1. Catch this specific error in your application
  2. Initiate reauthentication flow
  3. Redirect user to login page
  4. Obtain new authorization code
  5. Exchange for fresh access and refresh tokens
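The steps above, shown as client-side token handling. This is an added example, not code from the thread or from Okta: a constructed `FakeTokenEndpoint` stands in for the real `/oauth2/default/v1/token` endpoint and implements single-use (rotating) refresh tokens as described earlier in the thread, and `TokenStore` shows how a client should classify the 400 `invalid_grant` response, drop the dead tokens, and signal that a fresh authorization_code flow is needed. The names `TokenStore`, `FakeTokenEndpoint`, `REAUTH_REQUIRED` and the sample token values are all assumptions for this example.

```python
"""Client-side handling of rotating refresh tokens and the invalid_grant error.

Constructed example: the authorization server is faked in-process so the
logic runs offline. Nothing here is Okta's own code.
"""
import json
import secrets
import threading

REFRESHED = "refreshed"                # new access/refresh token pair stored
REAUTH_REQUIRED = "reauth_required"    # refresh token dead: start authorization_code flow again
RETRYABLE = "retryable_error"          # other failure (network, 5xx): keep tokens, retry later


class FakeTokenEndpoint:
    """Stand-in for the token endpoint (constructed, not the real server).

    Refresh tokens are single-use: each successful refresh revokes the token
    that was presented and issues a new one.
    """

    def __init__(self):
        self.valid_refresh_tokens = set()
        self.issued = 0

    def _issue(self):
        self.issued += 1
        rt = secrets.token_urlsafe(16)  # constructed sample token value
        self.valid_refresh_tokens.add(rt)
        body = {"access_token": f"at-{self.issued}", "refresh_token": rt, "expires_in": 300}
        return 200, json.dumps(body)

    def authorization_code_exchange(self):
        """Simulates the first token call after /authorize (grant_type=authorization_code)."""
        return self._issue()

    def refresh(self, refresh_token):
        """Simulates grant_type=refresh_token against a single-use token."""
        if refresh_token not in self.valid_refresh_tokens:
            # Same body the thread reports: token already used, revoked or expired.
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "The refresh token is invalid or expired."})
        self.valid_refresh_tokens.discard(refresh_token)  # revoke on use
        return self._issue()


class TokenStore:
    """Holds one user's tokens; refreshes are serialized so concurrent callers
    never replay a refresh token that another caller has just consumed."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.lock = threading.Lock()
        self.access_token = None
        self.refresh_token = None

    def complete_login(self):
        _, body = self.endpoint.authorization_code_exchange()
        self._store(json.loads(body))

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]  # rotate to the newly issued token

    def refresh(self):
        with self.lock:
            if self.refresh_token is None:
                return REAUTH_REQUIRED
            status, body = self.endpoint.refresh(self.refresh_token)
            return self._handle(status, body)

    def _handle(self, status, body):
        """Step 1 of the reply: catch the specific error and classify it."""
        payload = json.loads(body)
        if status == 200:
            self._store(payload)
            return REFRESHED
        if status == 400 and payload.get("error") == "invalid_grant":
            # Steps 2-5: the stored token is dead. Clear it so nothing replays it,
            # and let the caller redirect the user to log in again.
            self.access_token = None
            self.refresh_token = None
            return REAUTH_REQUIRED
        return RETRYABLE


def demo():
    """Runs the three situations discussed in the thread and returns the outcomes."""
    endpoint = FakeTokenEndpoint()
    store = TokenStore(endpoint)
    store.complete_login()
    first_rt = store.refresh_token
    first_refresh = store.refresh()                      # rotates the token
    stale = TokenStore(endpoint)                         # a cached copy from an earlier session
    stale.access_token, stale.refresh_token = "old", first_rt
    stale_replay = stale.refresh()                       # already consumed -> invalid_grant
    concurrent = []
    threads = [threading.Thread(target=lambda: concurrent.append(store.refresh())) for _ in range(3)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"first_refresh": first_refresh, "stale_replay": stale_replay, "concurrent": concurrent}


if __name__ == "__main__":
    print(demo())
```

The lock in `TokenStore.refresh` is the design point: with single-use refresh tokens, two refreshes racing on the same stored token guarantee that the loser receives exactly this `invalid_grant` response, so a client must serialize refreshes per user and persist the rotated token before releasing the lock.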

When I check, it doesn’t throw any such 400 error, but re-authenticates.
I have reduced the token expiry time and closed the browser to check it.
So, my goal is to find out how to replicate it.

Could you please specify what you are trying to replicate in this scenario?

I am trying to replicate the error message below once I try logging into an app:

  • Error message: {"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}

This will help me understand when it happens, and then probably I can fix it. Without knowing the root cause I won’t be able to apply a proper fix.

Is it possible that we face this issue because of “multiple auth flows executing concurrently”? I ask since I have a log of this exception.
