I faced a bad request issue for the default/v1/token endpoint
with the following error message: {"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}
This happened after I logged in to an app after quite some time.
Something unusual I noticed is that after the /authorize call,
the call to default/v1/token had grant_type as refresh_token instead of authorization_code.
Could this be the reason for the bad request?
If yes, when would this happen and how can I correct it?
The most likely cause is that you’re trying to use an old, already-used, or expired refresh token. Refresh tokens are typically single-use - once used to obtain a new access token, the old refresh token becomes invalid and a new one is issued.
You mentioned the token request used “grant_type=refresh_token” instead of “authorization_code” after the /authorize call. This is incorrect - the initial token request after authorization should use the authorization_code grant type. The refresh_token grant type is only used later to refresh an expired access token.
This is unusual. Ideally, after the /authorize call, the next step should use grant_type=authorization_code to exchange the authorization code for an access token and refresh token.
Possible reasons for this unusual behavior that I could think of:
The client application might be incorrectly configured to use refresh_token grant type immediately.
If the application is caching old tokens, it might mistakenly try to use a refresh token from a previous session.
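To make the two behaviors described in this answer concrete, here is an added example that is not part of the thread and not Okta's code: a small in-memory model of a token endpoint with single-use (rotating) refresh tokens, plus a client-side helper that shows why sending a refresh token cached from an earlier session straight after /authorize produces the 400 invalid_grant response. Token formats, lifetimes and function names are assumptions for illustration only.

```python
"""Added example (not from the original thread, not Okta's implementation):
a minimal in-memory token endpoint with one-time authorization codes and
single-use (rotating) refresh tokens, as described in the answer above."""
import secrets
import time

# Error body quoted in the question; reused here verbatim for the simulation.
INVALID_GRANT = {"error": "invalid_grant",
                 "error_description": "The refresh token is invalid or expired."}


class TokenEndpoint:
    """Simulated /v1/token handler. Lifetimes and clock are assumptions."""

    def __init__(self, access_ttl=300, refresh_ttl=3600, clock=time.time):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock
        self._codes = set()    # authorization codes not yet redeemed
        self._refresh = {}     # live refresh_token -> expiry timestamp

    def issue_code(self):
        """What /authorize returns to the client on the redirect URI."""
        code = secrets.token_urlsafe(16)
        self._codes.add(code)
        return code

    def _mint(self):
        """Issue a fresh access token and a fresh refresh token."""
        refresh = secrets.token_urlsafe(24)
        self._refresh[refresh] = self.clock() + self.refresh_ttl
        return {"access_token": secrets.token_urlsafe(24),
                "expires_in": self.access_ttl,
                "refresh_token": refresh}

    def token(self, grant_type, code=None, refresh_token=None):
        """Return (http_status, json_body) like a real token endpoint would."""
        if grant_type == "authorization_code":
            if code not in self._codes:
                return 400, {"error": "invalid_grant",
                             "error_description": "The authorization code is invalid or has expired."}
            self._codes.discard(code)   # a code can be redeemed exactly once
            return 200, self._mint()
        if grant_type == "refresh_token":
            # Single use: the token is removed on first presentation, so any
            # later reuse of the same value (e.g. from a stale cache) fails.
            expiry = self._refresh.pop(refresh_token, None)
            if expiry is None or expiry < self.clock():
                return 400, INVALID_GRANT
            return 200, self._mint()
        return 400, {"error": "unsupported_grant_type"}


def exchange_after_authorize(endpoint, code):
    """Correct first token call after /authorize: authorization_code, never refresh_token."""
    return endpoint.token("authorization_code", code=code)


def refresh_with_cached_token(endpoint, cache):
    """Refresh using the cached token and store the rotated one. On invalid_grant
    the cache is cleared so the client falls back to /authorize instead of
    retrying a dead refresh token."""
    status, body = endpoint.token("refresh_token", refresh_token=cache.get("refresh_token"))
    if status == 200:
        cache["refresh_token"] = body["refresh_token"]
    else:
        cache.clear()
    return status, body


def reproduce_stale_refresh():
    """Scenario from the thread: a refresh token left in a cache after another
    client instance already used (and thereby rotated) it. Returns the three
    status codes and the final error body."""
    ep = TokenEndpoint()
    status1, body1 = exchange_after_authorize(ep, ep.issue_code())
    cache = {"refresh_token": body1["refresh_token"]}
    # A second instance refreshes with its own copy of the cache: the token rotates.
    status2, _ = refresh_with_cached_token(ep, dict(cache))
    # The first instance still holds the old value and replays it.
    status3, body3 = refresh_with_cached_token(ep, cache)
    return status1, status2, status3, body3


def reproduce_expired_refresh():
    """Same error when the refresh token simply outlives its TTL (fake clock)."""
    now = [1000.0]
    ep = TokenEndpoint(refresh_ttl=3600, clock=lambda: now[0])
    status1, body1 = exchange_after_authorize(ep, ep.issue_code())
    now[0] += 3601                      # advance past refresh_ttl
    status2, _ = ep.token("refresh_token", refresh_token=body1["refresh_token"])
    return status1, status2


if __name__ == "__main__":
    print(reproduce_stale_refresh())    # (200, 200, 400, {...invalid_grant...})
    print(reproduce_expired_refresh())  # (200, 400)
```

The check a client should implement is the one in refresh_with_cached_token: on any invalid_grant, discard the cached refresh token and start a new /authorize flow rather than replaying the same token, and after /authorize always redeem the code with grant_type=authorization_code before any refresh_token call.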
When I check, it doesn't throw any such 400 error, but re-authenticates.
I have reduced the token expiry time and closed the browser to check it.
So, my goal is to find out how to replicate it.