OAuth2 token refresh fails after 90 days

Hi there - we’re facing an issue with OAuth token refresh calls failing after 90 days even after configuring rotating refresh tokens. We couldn’t find any relevant documentation which has details about this error. Any help/pointers would be appreciated. Thanks.

ResponseCode::400 ContentType::application/json invalid_grant ;The refresh token is invalid or expired. ;

Which Authorization Server are you using? Is it the Org Authorization Server (e.g., do you make requests to https://oktaDomain/oauth2/v1/authorize or https://oktaDomain/oauth2/v1/token)? If so, the maximum lifetime for refresh tokens issued by the Org Authorization Server is 90 days. After 90 days, the user will need to re-authenticate to get a new set of tokens, including a new refresh token that will last for 90 days.

While the refresh token’s opaque token will change upon rotation (aka, the string will be different), the new token will still be affected by this original 90-day max lifetime. Using refresh token rotation will not remove this max lifetime.

If you need a longer-lived refresh token, you will need to use a Custom Authorization Server. For Custom Authorization Servers, you can set the max refresh token lifetime to be as high as 5 years.

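To make the behaviour in the answer above concrete, here is an added example (not Okta's code or the forum's) that models rotating refresh tokens under an absolute max lifetime: every rotation mints a fresh opaque string but inherits the original expiry, so a client refreshing every 30 days still gets `invalid_grant` on day 90 with the Org Authorization Server, while a Custom Authorization Server configured with a longer cap keeps going. The `AuthServer` class, `simulate` helper and the fixed start date are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# Fixed cap for refresh tokens minted by the Org Authorization Server.
ORG_AS_MAX_LIFETIME = timedelta(days=90)
# Custom Authorization Servers allow a configurable cap of up to 5 years.
CUSTOM_AS_MAX_LIFETIME = timedelta(days=5 * 365)

# Same error body the original post received from the /token endpoint.
INVALID_GRANT = {"error": "invalid_grant",
                 "error_description": "The refresh token is invalid or expired."}


@dataclass
class RefreshToken:
    value: str                 # opaque string, replaced on every rotation
    absolute_expiry: datetime  # inherited unchanged across rotations


class AuthServer:
    """Hypothetical model of refresh-token rotation under an absolute max lifetime."""

    def __init__(self, max_lifetime: timedelta):
        self.max_lifetime = max_lifetime
        self._active = {}  # currently valid refresh tokens, keyed by value

    def authenticate(self, now: datetime) -> RefreshToken:
        # Only a full user re-authentication starts a new lifetime window.
        tok = RefreshToken(secrets.token_urlsafe(24), now + self.max_lifetime)
        self._active[tok.value] = tok
        return tok

    def refresh(self, presented: str, now: datetime):
        old = self._active.pop(presented, None)  # rotation consumes the old token
        if old is None or now >= old.absolute_expiry:
            return dict(INVALID_GRANT)
        # New string, but the expiry is carried over from the original grant.
        new = RefreshToken(secrets.token_urlsafe(24), old.absolute_expiry)
        self._active[new.value] = new
        return {"refresh_token": new}


def simulate(max_lifetime, refresh_every_days, total_days, start=datetime(2024, 1, 1)):
    """Refresh on a schedule; return (successful refreshes, day of first invalid_grant or None)."""
    server = AuthServer(max_lifetime)
    tok = server.authenticate(start)
    ok = 0
    for day in range(refresh_every_days, total_days + 1, refresh_every_days):
        resp = server.refresh(tok.value, start + timedelta(days=day))
        if "error" in resp:
            return ok, day  # client must send the user back through login here
        assert resp["refresh_token"].absolute_expiry == tok.absolute_expiry
        tok = resp["refresh_token"]
        ok += 1
    return ok, None
```

A client should treat `invalid_grant` on refresh as a signal to restart the authorization flow rather than retry, since no further rotation can extend the expired window.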

Hi @andrea - Thanks for your response. Yes we’re using the Org Authorization Server. We’ll evaluate custom auth server. Thanks again.
