Bad refresh token when refreshing a user-to-server token #24745
-
Hi everyone, We created a GitHub App and are currently using it for server-to-server requests and user-to-server requests. We opted in to the Expiring token feature, but after 8 hours or so, when the access token is expired, it is impossible to refresh the token according to the documentation. This is what we get from our
The documentation says that the refresh token should last 6 months, but we do think that this isn’t the case. What can we do to fix this? Thanks a lot, Alexis
Replies: 24 comments
-
I have the same 🤷‍♂️ turned it off in the app settings as it is a new beta feature
-
@fuegoio & @laszlocph –– thanks for reporting this. We’ve escalated this to our engineering team and will follow up here when we have an update from them; we don’t have a timeline for when this will be addressed. 🙇‍♂️
-
I am seeing the same thing … I can’t exchange refresh tokens for access tokens.
-
Does this mean this is a confirmed bug? Is it recommended that GitHub App developers move to non-expiring tokens?
-
👋 @hatboysam: I reported this to our engineering team last week; they’re looking into it and the behavior is not a confirmed bug at this time. I’m awaiting their recommendation as a part of their investigation and will follow up here once I hear more.
-
👋 Hello everyone! Francis here from the GitHub Support team. Our engineering deployed a new update so this issue should be resolved. @fuegoio, @laszlocph, @hatboysam: I’m wondering if you all are still able to reproduce this error when refreshing a user-to-server token? 💭 If so, sharing the full request-response pair of the executed request would help us investigate (please be sure to redact any sensitive information like authorization headers, credentials, and similar data). 🙇‍♂️
-
@francisfuzz this is still happening, here’s what I got from my logs. It’s just the response, I’ll try to get the full request although hopefully you can look it up:
I think the piece you’re most interested in is:
Edit: the request looks like this:
-
I opted out of the “feature” so can’t say.
-
I just tried again and it seems to be working today … is it possible the fix wasn’t rolled out when I last tried?
-
@hatboysam - That’s interesting behavior to report! Now that it’s working, if anything changes in the next week, please share an updated
-
Hi @francisfuzz, I had to opt out of the feature to solve this issue.
-
@nlecoy - Thanks for sharing that with us – I’ve forwarded it over to our engineering team for investigation. There isn’t a timeline for when this will be resolved, and I’ll loop back here as soon as we hear more from them.
-
I’m also seeing this. After 8 hours the refresh token no longer works, with a bad_refresh_token error. I’ve checked using the refresh token to get a new access token within 8 hours and it works fine, creating new access tokens (which then work), again the refresh token expiry time is in 6 months so it’s surprising that it’s marked as invalid or expired. (It can’t be invalid as it works fine before 8 hours is up). Please let me know what I can do to help debug / diagnose, it’s pretty simple to reproduce.
-
👋 @nlecoy & @mikeparker – thanks again for sharing these details with us. One of our engineers triaged this and let us know they haven’t been able to reproduce this. However, they’re keen on receiving any additional information for them to investigate further. Specifically, which application(s) are you respectively using, and are you able to reliably reproduce this outcome? I can relay that over to the team, though I’d like to caution against sharing any private or sensitive information before sharing it on this thread – having step-by-steps that reliably reproduces the behavior would help them, especially
-
I can still see the problem exactly as @mikeparker described above. Refresh token works as expected within the expiration date, but not after that point. The problem with reproducing it is you have to wait for 8 hours. I will try to catch some more info tomorrow since I just refreshed my token successfully.
-
We are seeing the same issue - if we receive an access token and refresh token and then 30 minutes later try to refresh the access token we get the same issue. X-GitHub-Request-Id=C814:6EA7:1372561:155E5B2:609DCCEB Here is our code:
-
I was encoding the refresh token. That’s a no-no.
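Added example, not code from any participant in this thread or from GitHub: a Python illustration of the refresh exchange discussed above, showing that a pre-encoded refresh token no longer reaches the server verbatim, and how the success and `bad_refresh_token` responses are handled. It assumes GitHub's documented token endpoint and response fields; the function names, the dict-based store and every sample value (including a token with characters chosen so that encoding is visible) are constructed for illustration.

```python
import json
import time
from urllib.parse import parse_qs, quote, urlencode

def build_refresh_body(client_id, client_secret, refresh_token):
    """Form body to POST to https://github.com/login/oauth/access_token."""
    return urlencode({  # form-encode exactly once, at the transport boundary
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,  # as stored: no quote(), no base64
    })

def token_seen_by_server(body):
    """Decode the body the way a form parser would, to see what arrives."""
    return parse_qs(body)["refresh_token"][0]

def apply_refresh_response(raw_json, store, now=None):
    """Replace both stored tokens, or raise with the error the endpoint sent."""
    now = time.time() if now is None else now
    data = json.loads(raw_json)
    if "error" in data:  # check the body; do not rely on HTTP status alone
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    store.update(
        access_token=data["access_token"],
        access_expires_at=now + data["expires_in"],
        # The response carries a new refresh token; keep it, not the used one.
        refresh_token=data["refresh_token"],
        refresh_expires_at=now + data["refresh_token_expires_in"],
    )
    return store

# Constructed sample values (not real credentials or captured traffic).
SAMPLE_TOKEN = "ghr_constructed+sample/token=="
SAMPLE_OK = json.dumps({"access_token": "ghu_constructed_new", "expires_in": 28800,
                        "refresh_token": "ghr_constructed_new",
                        "refresh_token_expires_in": 15811200, "token_type": "bearer"})
SAMPLE_ERR = json.dumps({"error": "bad_refresh_token", "error_description":
                         "The refresh token passed is incorrect or expired."})

if __name__ == "__main__":
    args = ("constructed-client-id", "constructed-secret")
    good = build_refresh_body(*args, SAMPLE_TOKEN)
    bad = build_refresh_body(*args, quote(SAMPLE_TOKEN, safe=""))  # pre-encoded
    print("verbatim token arrives intact:", token_seen_by_server(good) == SAMPLE_TOKEN)
    print("pre-encoded token arrives intact:", token_seen_by_server(bad) == SAMPLE_TOKEN)
    print(apply_refresh_response(SAMPLE_OK, {"refresh_token": SAMPLE_TOKEN}, now=0))
```
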
-
Hello! I found this thread during a Google Search and I think it may be happening to me. I am doing a self-study of OAuth2 and have been using the Postman desktop client to OAuth myself to a few different sites so I can play around with their APIs. I’ve been able to authenticate with sites like Imgur and DeviantArt so far, but have been running into difficulties with GitHub. Like others in this thread, the issue is using my refresh_token to get an access_token. I’ve been trying for the last couple of hours, and have consistently gotten the bad_refresh_token response from GitHub’s endpoint. I’ve highlighted relevant parts of the request/response (and blurred out secrets): Also, if it helps GitHub engineers in their searching, the X-GitHub-Request-Id in the response is C092:1029:105A80:1F3352:60BFFE7D. Thanks! – Doug
-
I'm seeing this happen with an access token that has not expired but only after I update the github app installation. E.g.
-
I'm still getting this error. Still getting the bad_refresh_token error, "The refresh token passed is incorrect or expired."
-
I am here just to say this is indeed an issue still. @francisfuzz is there a timeline for this by the github team? IMO this issue is marked as "answered" however it's definitely not.
-
I'm facing this issue too. I can't believe it's been 3 years. 👎
-
ran into the same issue