I have the same 🤷‍♂️

turned it off in the app settings as it is a new beta feature

I am seeing the same thing … I can’t exchange refresh tokens for access tokens.

Does this mean this is a confirmed bug? Is it recommended that GitHub App developers move to non-expiring tokens?

👋 @hatboysam: I reported this to our engineering team last week; they’re looking into it and the behavior is not a confirmed bug at this time. I’m awaiting their recommendation as a part of their investigation and will follow up here once I hear more.

👋 Hello everyone! Francis here from the GitHub Support team. Our engineering deployed a new update so this issue should be resolved.

@fuegoio, @laszlocph, @hatboysam: I’m wondering if you all are still able to reproduce this error when refreshing an user-to-server token? 💭

If so, sharing the full request-response pair of the executed request would help us investigate (please be sure to redact any sensitive information like authorization headers, credentials, and similar data). 🙇‍♂️

@francisfuzz this is still happening, here’s what I got from my logs. It’s just the response, I’ll try to get the full request although hopefully you can look it up:

[1] >  Status code: 200
[1] >  Response headers {"date":"Sat, 29 Aug 2020 09:33:23 GMT","content-type":"application/x-www-form-urlencoded; charset=utf-8","transfer-encoding":"chunked","connection":"close","server":"GitHub.com","status":"200 OK","vary":"X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding","etag":"W/\"a5eb409e6abcc06043c22fc0c114a1cb\"","cache-control":"max-age=0, private, must-revalidate","strict-transport-security":"max-age=31536000; includeSubdomains; preload","x-frame-options":"deny","x-content-type-options":"nosniff","x-xss-protection":"1; mode=block","referrer-policy":"origin-when-cross-origin, strict-origin-when-cross-origin","expect-ct":"max-age=2592000, report-uri=\"https://api.github.com/_private/browser/errors\"","content-security-policy":"default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js","x-github-request-id":"E503:DB62:514CD51:78C2253:5F4A20E3"}    
[1] >  Response data "error=bad_refresh_token&error_description=The+refresh+token+passed+is+incorrect+or+expired.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-oauth-app-access-token-request-errors%2F%23bad-verification-code"

I think the piece you’re most interested in is:

"x-github-request-id":"E503:DB62:514CD51:78C2253:5F4A20E3"

Edit: the request looks like this:

[1] >  Request: HTTP post: "https://github.com/login/oauth/access_token?client_id=Iv1.3bfe017ea9365f15&client_secret=REDACTED&grant_type=refresh_token&refresh_token=REDACTED"
[1] >  Request Headers: undefined
[1] >  Request Body: undefined

I opted out of the “feature” so can’t say.

I just tried again and it seems to be working today … is it possible the fix wasn’t rolled out when I last tried?

@hatboysam - That’s interesting behavior to report! Now that it’s working, if anything changes in the next week, please share an updated X-GitHub-Request-Id key-value pair and I can forward that over to our engineers for further review. 👍

Hi @francisfuzz,
Just had the same issue when trying to refresh a user-to-server token. Here is my X-GitHub-Request-Id: D9E0:2FCD:478762B:49A3AE1:60617F28.

I had to opt out the feature to solve this issue.

@nlecoy - Thanks for sharing that with us – I’ve forwarded it over to our engineering team for investigation. There isn’t a timeline for when this will be resolved, and I’ll loop back here as soon as we hear more from them.

I’m also seeing this. After 8 hours the refresh token no longer works, with a bad_refresh_token error. I’ve checked using the refresh token to get a new access token within 8 hours and it works fine, creating new access tokens (which then work), again the refresh token expiry time is in 6 months so its surprising that it’s marked as invalid or expired. (It can’t be invalid as it works fine before 8 hours is up).

Please let me know what I can do to help debug / diagnose, it’s pretty simple to reproduce.

👋 @nlecoy & @mikeparker – thanks again for sharing these details with us. One of our engineers triaged this and let us know they haven’t been able to reproduce this. However, they’re keen on receiving any additional information for them to investigate further. Specifically, which application(s) are you respectively using, and are you able to reliably reproduce this outcome? I can relay that over to the team, though I’d like to caution against sharing any private or sensitive information before sharing it on this thread – having step-by-steps that reliably reproduces the behavior would help them, especially X-GitHub-Request-Id values for each respective request that returns this error.

I can still see the problem exactly as @mikeparker described above. Refresh token works as expected within the expiration date, but not after that point. The problem with reproducing it is you have to wait for 8 hours. I will try to catch some more info tomorrow since I just refreshed my token successfully.

We are seeing the same issue - if we receive a access token and refresh token and then 30 minutes later try to refresh the access token we get the same issue.

X-GitHub-Request-Id=C814:6EA7:1372561:155E5B2:609DCCEB

Here is our code:

image817×235 22.7 KB

I was encoding the refreshtoken. Thats a no no.

Hello! I found this thread during a Google Search and I think it may be happening to me.

I am doing a self-study of OAuth2 and have been using the Postman desktop client to OAuth myself to a few different sites so I can play around with their APIs. I’ve been able to authenticate with sites like Imgur and DeviantArt so far, but have been running into difficulties with GitHub.

Like others in this thread, the issue is using my refresh_token to get an access_token. I’ve been trying for the last couple of hours, and have consistently gotten the bad_refresh_token respond from GitHub’s endpoint.

I’ve highlighted-relevant parts of the request/response (and blurred out secrets):

CleanShot 2021-06-08 at 19.34.52@2x2434×1782 561 KB

Also, if it helps GitHub engineers in their searching, the X-GitHub-Request-Id n the response is C092:1029:105A80:1F3352:60BFFE7D.

Thanks!

– Doug

I'm seeing this happen with an access token that has not expired but only after I update the github app installation.

E.g.

1. Authenticate and store the token + refresh token as part of the code= oauth flow
2. Install the github app and redirect back to my app install setup callback (note: I have oauth during app install disabled)
3. User is redirected back to my app and all is well
4. User updates the github app installation to add/remove repos from the app and is redirected back to my install setup callback
5. In the app install setup callback I use the user token from step 1 to check which installations the user has access to. Octokit determines that the token is not valid so it uses the refresh token from step 1 to get a new one
6. Octokit fails to get the user's installations with the error bad_refresh_token

x-github-request-id: FF49:7A0D:D29389:DA15F0:63BCA7B5

I'm still getting this error.
Not using any SDK, just the Golang HTTP client.
Following exactly what it says to do in the docs here https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens.

Still getting the bad_refresh_token error, "The refresh token passed is incorrect or expired."

CLIENT_SECRET=xxxxxxxxxx...
CLIENT_ID=Iv1.xxxxxxxxxx...
REFRESH_TOKEN=ghr_xxxxxxxxxx...
URL="https://github.com/login/oauth/access_token?grant_type=refresh_token&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&refresh_token=${REFRESH_TOKEN}"
curl -X POST -H "Accept: application/json" $URL

I am here just to say this is indeed an issue still. @francisfuzz is there a timeline for this by the github team?

IMO this issue is marked as "answered" however it's definitely not.

I'm facing this issue too. I can't believe it's been 3 years. 👎

ran into the same issue