Help

oAuth 2.0 invalid grant on refresh tokens

1417 1
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
chrisalvares
4 - Data Explorer
4 - Data Explorer
See Solution in Thread

‎Dec 30, 2022 10:01 AM

Not sure this is documented anywhere, but I did find out that there might be a bug in the oAuth 2.0 flow when retrieving a new access token using a technically valid refresh token that isn't the "newest" refresh token.

Steps to reproduce:
1. Go through oAuth flow and store the refresh token as refreshToken1.
2. Get new access token from refreshToken1. (this will work perfectly)
3. Go through oAuth flow again with either the same bases or different bases and receive new refreshToken2
4. Try to get a new access token from refreshToken1 (this will fail)
5. Try to get new access token from refreshToken2 (this will succeed)

So if we have a user that goes through the flow twice, giving different bases to different parts of the application, are we supposed to remove all instances of the previous refresh token? I believe most other instances of oAuth 2.0 flows will allow you to continue using the previous refresh tokens so this might be a bug. 

0 Kudos
Reply
1 Reply 1
Will_Powelson
Airtable Employee
Airtable Employee
See Solution in Thread

‎Jan 19, 2023 09:42 AM

Refresh tokens are usable once only, in step (2) you received a second refresh token.

I would encourage you not to re-authorize for a new refresh token as this will cause you to bump into a 20 token per (user, integration) pair limit (documentation for this is incoming, but not live yet, apologies!)

0 Kudos
Reply
Copyright © 2024 Khoros, LLC