  • Access token refresh and HTTP error code handling 400 vs 401

    Hi all,

    We noticed that when attempting to refresh an access token with an expired refresh token using /authorize, HTTP Status Code 400 is being returned. This is from the following code:
    ExpiringOAuth2RefreshToken refreshToken = readRefreshToken(refreshTokenValue);
    if (refreshToken == null) {
        throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
    }
    I wanted to understand why the software is not returning a 401 and the rationale for returning a 400. I'm trying to figure out if it's worth changing the behaviour to return 401.

    We are still using M4.

    Would really appreciate your thoughts on this.


  • #2
    The spec is clear on this as far as I can tell: errors from the refresh grant can only be treated as invalid_grant, and that doesn't give you the option for a 401. If your reading is different I would be more than happy to agree, but please upgrade to RC3 before proposing any changes.


    • #3
      Hey, thanks very much. Section 5.2 of the spec does state that invalid_grant includes the case where the refresh token has expired, so the 400 behaviour is correct. Thanks for pointing me in the right direction.
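The status-code mapping the thread settles on, as an added example that is not part of the discussion above and not code from Spring Security OAuth: a minimal token endpoint handling the refresh_token grant the way RFC 6749 section 5.2 prescribes. An expired, unknown or foreign refresh token is reported as invalid_grant with HTTP 400; the only 401 the spec allows at the token endpoint is invalid_client, and that one is mandatory (with a matching WWW-Authenticate header) when the client authenticated through the Authorization header. The client table, refresh-token store and the hypothetical token values (rt-live, rt-expired) are constructed for this example.

```python
"""Added example (not code from the thread or from Spring Security OAuth):
a minimal OAuth 2.0 token endpoint that maps refresh-token grant failures to
the HTTP status codes RFC 6749 section 5.2 prescribes."""
import base64
import json
import secrets
import time

# Constructed sample data for this example only (hypothetical client and tokens).
CLIENTS = {"web-app": "s3cret"}
REFRESH_TOKENS = {
    # refresh token value -> (owning client_id, expiry as epoch seconds)
    "rt-live": ("web-app", time.time() + 3600),
    "rt-expired": ("web-app", time.time() - 1),
}
TOKEN_TTL = 300


class TokenEndpointError(Exception):
    """A section 5.2 error response: error code, HTTP status and optional headers."""

    def __init__(self, error, status=400, description=None, www_authenticate=None):
        super().__init__(error)
        self.error = error
        self.status = status
        self.description = description
        self.www_authenticate = www_authenticate


def authenticate_client(headers, form):
    """Client authentication per section 2.3.1: HTTP Basic, or credentials in the body."""
    auth = headers.get("Authorization", "")
    used_basic = auth.startswith("Basic ")
    if used_basic:
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            client_id, secret = None, None
    else:
        client_id, secret = form.get("client_id"), form.get("client_secret")
    expected = CLIENTS.get(client_id)
    if expected is None or secret is None or not secrets.compare_digest(expected.encode(), secret.encode()):
        # 5.2: invalid_client MAY be 401; if the client used the Authorization header it
        # MUST be 401 with a WWW-Authenticate header matching the scheme the client used.
        raise TokenEndpointError(
            "invalid_client",
            status=401 if used_basic else 400,
            www_authenticate='Basic realm="oauth2/client"' if used_basic else None,
        )
    return client_id


def refresh_access_token(client_id, refresh_token_value):
    """Refresh grant (section 6): unknown, foreign or expired refresh tokens are invalid_grant (400)."""
    entry = REFRESH_TOKENS.get(refresh_token_value)
    if entry is None:
        raise TokenEndpointError("invalid_grant", description="Invalid refresh token")
    owner, expires_at = entry
    if owner != client_id:
        raise TokenEndpointError("invalid_grant", description="Refresh token was issued to another client")
    if time.time() >= expires_at:
        raise TokenEndpointError("invalid_grant", description="Refresh token has expired")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": TOKEN_TTL}


def token_endpoint(headers, form):
    """Handle a POST to the token endpoint; returns (status, response_headers, body_dict)."""
    resp_headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    try:
        client_id = authenticate_client(headers, form)
        grant_type = form.get("grant_type")
        if grant_type is None:
            raise TokenEndpointError("invalid_request", description="grant_type is required")
        if grant_type != "refresh_token":
            raise TokenEndpointError("unsupported_grant_type")
        if "refresh_token" not in form:
            raise TokenEndpointError("invalid_request", description="refresh_token is required")
        return 200, resp_headers, refresh_access_token(client_id, form["refresh_token"])
    except TokenEndpointError as e:
        if e.www_authenticate:
            resp_headers["WWW-Authenticate"] = e.www_authenticate
        body = {"error": e.error}
        if e.description:
            body["error_description"] = e.description
        return e.status, resp_headers, body


def basic_auth(client_id, secret):
    """Build an HTTP Basic Authorization header for the given client credentials."""
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}


if __name__ == "__main__":
    status, _, body = token_endpoint(
        basic_auth("web-app", "s3cret"),
        {"grant_type": "refresh_token", "refresh_token": "rt-expired"},
    )
    print(status, json.dumps(body))  # 400 {"error": "invalid_grant", "error_description": "Refresh token has expired"}
```

The point worth checking in any real implementation is the asymmetry: a bad refresh token is a problem with the grant, so it is 400 invalid_grant regardless of how the client authenticated, while bad client credentials sent via HTTP Basic must come back as 401 with WWW-Authenticate. A client that retries a refresh only on 401 will therefore never notice an expired refresh token; it has to inspect the JSON error code, not just the status.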