OAuth 2.0 invalid grant on refresh tokens


Not sure this is documented anywhere, but I did find out that there might be a bug in the OAuth 2.0 flow when retrieving a new access token using a technically valid refresh token that isn't the "newest" refresh token.

Steps to reproduce:
1. Go through the OAuth flow and store the refresh token as refreshToken1.
2. Get a new access token from refreshToken1. (This will work perfectly.)
3. Go through the OAuth flow again with either the same bases or different bases and receive a new refreshToken2.
4. Try to get a new access token from refreshToken1. (This will fail.)
5. Try to get a new access token from refreshToken2. (This will succeed.)

So if we have a user that goes through the flow twice, giving different bases to different parts of the application, are we supposed to remove all instances of the previous refresh token? I believe most other implementations of OAuth 2.0 flows will allow you to continue using the previous refresh tokens, so this might be a bug.

Airtable Employee

Refresh tokens are usable once only; in step (2) you received a second refresh token.

I would encourage you not to re-authorize for a new refresh token as this will cause you to bump into a 20 token per (user, integration) pair limit (documentation for this is incoming, but not live yet, apologies!)
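The single-use behaviour the reply describes, replayed as an added example against a small in-memory mock of a rotating token endpoint (this is illustrative code constructed here, not Airtable's implementation); it shows that step 2 already retires refreshToken1, and that a client which overwrites its stored refresh token on every response never hits invalid_grant.

```python
# Added example (not Airtable's code): an in-memory mock of a token endpoint that
# rotates refresh tokens so each is usable once, plus a client that always stores
# the newest one. Constructed here to replay the steps from the thread.
import secrets

class InvalidGrant(Exception):
    """Stands in for the endpoint's ``error: invalid_grant`` response."""

class RotatingTokenServer:
    def __init__(self):
        self._live = {}  # refresh_token -> user, only for tokens not yet used

    def authorize(self, user):
        """Stand-in for the authorization flow: issues an access/refresh pair."""
        refresh_token = secrets.token_urlsafe(16)
        self._live[refresh_token] = user
        return "access-" + secrets.token_hex(4), refresh_token

    def refresh(self, refresh_token):
        """grant_type=refresh_token: consume the token, then issue a new pair."""
        user = self._live.pop(refresh_token, None)  # single use: gone after this
        if user is None:
            raise InvalidGrant("invalid_grant")
        return self.authorize(user)

def attempt(server, refresh_token):
    """Returns 'ok' or the error string a client would see for this token."""
    try:
        server.refresh(refresh_token)
        return "ok"
    except InvalidGrant:
        return "invalid_grant"

def reproduce_thread():
    """Replays the poster's steps: step 2 already retires refreshToken1."""
    server = RotatingTokenServer()
    _, rt1 = server.authorize("user")  # step 1: store refreshToken1
    _, rt2 = server.refresh(rt1)       # step 2: works and returns refreshToken2
    return {"rt1_again": attempt(server, rt1), "rt2": attempt(server, rt2)}

def client_refreshes(n=5):
    """A client that stores the newest refresh token each time refreshes fine."""
    server = RotatingTokenServer()
    access, refresh_token = server.authorize("user")
    tokens = []
    for _ in range(n):
        access, refresh_token = server.refresh(refresh_token)  # overwrite stored token
        tokens.append(access)
    return tokens
```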