Hello GitLab,
I am currently using GitLab's OAuth flows to obtain an access token and refresh token to perform various Git operations via GitLab's REST APIs. I am aware that GitLab access tokens expire every 2 hours, but one thing I have observed is that after I perform the token refresh flow to obtain a new access and refresh token pair from GitLab, it seems that the refresh token no longer works and throws an invalid_grant error.
Can anyone tell me if there is a limit or certain fixed duration for which the refresh token can be valid and be used to obtain a new access token?
Can anyone point me to any resources specifying this expiration time for the refresh tokens for Gitlab?
I know this is a few years old, but any conclusions on this one?
Hi @nadav.yeheskel.velo,
Yeah so I was able to find a solution to this almost at the same time as I posted this question. The refresh tokens do not expire but I was able to find the solution for the original reason behind asking this question (why are my refresh token calls failing after some time?).
So at the time I observed that for multiple OAuth flows, GitLab was sending me the same “refresh token” for all of the OAuth flows done by a particular user. This means that for all access tokens a1, a2, a3 I was getting the same r1, and this is where the flow went wrong. I had implemented a policy that automatically refreshed an expired access token whenever an API call to GitLab was made. This meant that a1 was successfully refreshed, but after refreshing, GitLab also issued a new refresh token r2 and invalidated the original refresh token r1. Now, because r1 was also linked with the other tokens a2, a3 and so on, the refresh flows for all those tokens fail terminally because the refresh token linked to those access tokens has already been used and invalidated.
I am not sure if they have changed this behaviour now. Hope this helps!
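The failure mode described in the reply above, as an added example that is not part of the original thread and not GitLab's code: `FakeAuthServer` is a constructed stand-in for a token endpoint with refresh-token rotation (each refresh spends the presented token and mints a new one, and repeated authorizations for the same user hand back the same refresh token, as the post observed). `per_token_refresh` reproduces the broken pattern of caching one refresh token per access token, and `GrantStore` shows the fix: one grant record per user, refreshed under a lock with a re-read so queued callers reuse the pair the first refresher already stored instead of replaying the spent token. All names and the token format are assumptions for illustration; the real GitLab call is `POST /oauth/token` with `grant_type=refresh_token`.

```python
import secrets
import threading


class InvalidGrant(Exception):
    """Raised where a real endpoint would answer {"error": "invalid_grant"}."""


class FakeAuthServer:
    """Constructed stand-in for a rotating-refresh-token server (not GitLab code).

    Every authorization flow for a user returns a new access token but the
    user's *current* refresh token; every refresh invalidates the presented
    refresh token and issues a new one (one-time use).
    """

    def __init__(self):
        self._lock = threading.Lock()
        self._refresh_by_user = {}   # user_id -> current refresh token
        self._user_by_refresh = {}   # still-valid refresh token -> user_id
        self.refresh_calls = 0

    @staticmethod
    def _pair(refresh):
        return {"access_token": "a_" + secrets.token_hex(4),
                "refresh_token": refresh, "expires_in": 7200}

    def authorize(self, user_id):
        with self._lock:
            refresh = self._refresh_by_user.get(user_id)
            if refresh is None:
                refresh = "r_" + secrets.token_hex(4)
                self._refresh_by_user[user_id] = refresh
                self._user_by_refresh[refresh] = user_id
        return self._pair(refresh)

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls += 1
            user_id = self._user_by_refresh.pop(refresh_token, None)  # spend it
            if user_id is None:
                raise InvalidGrant("invalid_grant")
            new_refresh = "r_" + secrets.token_hex(4)
            self._refresh_by_user[user_id] = new_refresh
            self._user_by_refresh[new_refresh] = user_id
        return self._pair(new_refresh)


def per_token_refresh(server, user_id, n_tokens=3):
    """Broken pattern: each cached access token carries its own copy of the
    (shared) refresh token and refreshes itself when it expires. The first
    refresh spends the token for all the others. Returns the failure count."""
    tokens = [server.authorize(user_id) for _ in range(n_tokens)]
    failures = 0
    for tok in tokens:
        try:
            tok.update(server.refresh(tok["refresh_token"]))
        except InvalidGrant:
            failures += 1
    return failures


class GrantStore:
    """Fixed pattern: one grant record per user, refreshed under a lock.
    A caller that queued behind another refresher sees the access token has
    already changed and reuses the stored pair instead of replaying r1."""

    def __init__(self, server):
        self._server = server
        self._lock = threading.Lock()
        self._grants = {}  # user_id -> {"access_token", "refresh_token", ...}

    def add(self, user_id, grant):
        with self._lock:
            self._grants[user_id] = dict(grant)

    def access_token(self, user_id):
        with self._lock:
            return self._grants[user_id]["access_token"]

    def refresh(self, user_id, stale_access_token):
        with self._lock:
            current = self._grants[user_id]
            if current["access_token"] != stale_access_token:
                return dict(current)  # someone already rotated; reuse it
            fresh = self._server.refresh(current["refresh_token"])
            self._grants[user_id] = fresh
            return dict(fresh)


def shared_grant_refresh(server, user_id, n_callers=5):
    """Simulates n_callers API wrappers all hitting the same expired access
    token at once. Returns (invalid_grant failures, server refresh calls)."""
    store = GrantStore(server)
    store.add(user_id, server.authorize(user_id))
    stale = store.access_token(user_id)
    failures = []

    def caller():
        try:
            store.refresh(user_id, stale)
        except InvalidGrant:
            failures.append(1)

    threads = [threading.Thread(target=caller) for _ in range(n_callers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(failures), server.refresh_calls


if __name__ == "__main__":
    print("per-token refresh failures:", per_token_refresh(FakeAuthServer(), "alice"))
    print("shared grant (failures, refresh calls):",
          shared_grant_refresh(FakeAuthServer(), "alice"))
```

The same re-check-under-lock is what you want in a real client too: persist one access/refresh pair per user (or per installation), never copy the refresh token into per-request state, and write the new pair back atomically so a second worker that races you reads r2, not r1.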
Thanks! That helps a lot
Much appreciated!