Hello everyone, Iam currently using OAuth to obtain the access token of the user and the refresh token as well. The refresh token seems to be working fine for 1-2 days every time to refresh the access token and then obtain the new refresh token. But the latest refresh token doesn’t seem to work when trying to refresh the access token after 4-5 days. The refresh token call fails with an error called invalid_grant with the error message stating
The provided authorisation grant is invalid, expired, revoked, does not match the redirection URI used in the authorisation request, or was issued to another client.
Is there any window or limit for the refresh token to be used to obtain the new access and refresh tokens for Gitlab?
If there is any documentation regarding such validation windows for the access tokens and the refresh tokens can you share it here?
To anybody in the future stumbling on this question and wondering why the refresh calls are still failing here is the RCA that I found around the same time that I posted this question. Not sure if the behavior is still the same but might be worth a read.
Yeah so I was able to find a solution to this almost at the same time as I posted this question. The refresh tokens do not expire but I was able to find the solution for the original reason behind asking this question (why are my refresh token calls failing after some time?).
So at the time I observed that for multiple OAuth flows, GitLab was sending me the same “refresh tokens” for all of the OAuths done by a particular user. This means that for all access tokens a1, a2, a3 I was getting the same r1 and this is where the flow went wrong. So I had implemented a policy that automatically refreshed an expired access token whenever an API call to GitLab was made. This meant that a1 was successfully refreshed but after refreshing GitLab also issued a new refresh token r2 and invalidated the original refresh token r1. Now because the r1 was also linked with other tokens a2, a3 … so on, the refresh flows for all those tokens will fail terminally because the refresh token linked to those access tokens is already used and invalidated.
Hope this helps!