Bad refresh token when refreshing a user-to-server token

Hi everyone,

We created a GitHub App and are currently using it for server-to-server requests and user-to-server requests. We opted in to the expiring token feature, but after 8 hours or so, when the access token has expired, it is impossible to refresh the token by following the documentation.

This is what we get from our POST to refresh our access token:

Error: bad_refresh_token
Description: The refresh token passed is incorrect or expired.

The documentation says that the refresh token should last 6 months, but we do not think that this is the case.

What can we do to fix this?

Thanks a lot,

Alexis


I have the same :man_shrugging:

Turned it off in the app settings, as it is a new beta feature.

@fuegoio & @laszlocph –– thanks for reporting this. We’ve escalated this to our engineering team and will follow up here when we have an update from them; we don’t have a timeline for when this will be addressed. :bowing_man:

I am seeing the same thing … I can’t exchange refresh tokens for access tokens.

Does this mean this is a confirmed bug? Is it recommended that GitHub App developers move to non-expiring tokens?

:wave: @hatboysam: I reported this to our engineering team last week; they’re looking into it and the behavior is not a confirmed bug at this time. I’m awaiting their recommendation as a part of their investigation and will follow up here once I hear more.

:wave: Hello everyone! Francis here from the GitHub Support team. Our engineering team deployed a new update, so this issue should be resolved.

@fuegoio, @laszlocph, @hatboysam: I’m wondering if you all are still able to reproduce this error when refreshing a user-to-server token? :thought_balloon:

If so, sharing the full request-response pair of the executed request would help us investigate (please be sure to redact any sensitive information like authorization headers, credentials, and similar data). :bowing_man:


@francisfuzz this is still happening; here’s what I got from my logs. It’s just the response; I’ll try to get the full request, although hopefully you can look it up:

[1] >  Status code: 200
[1] >  Response headers {"date":"Sat, 29 Aug 2020 09:33:23 GMT","content-type":"application/x-www-form-urlencoded; charset=utf-8","transfer-encoding":"chunked","connection":"close","server":"GitHub.com","status":"200 OK","vary":"X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding","etag":"W/\"a5eb409e6abcc06043c22fc0c114a1cb\"","cache-control":"max-age=0, private, must-revalidate","strict-transport-security":"max-age=31536000; includeSubdomains; preload","x-frame-options":"deny","x-content-type-options":"nosniff","x-xss-protection":"1; mode=block","referrer-policy":"origin-when-cross-origin, strict-origin-when-cross-origin","expect-ct":"max-age=2592000, report-uri=\"https://api.github.com/_private/browser/errors\"","content-security-policy":"default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js","x-github-request-id":"E503:DB62:514CD51:78C2253:5F4A20E3"}    
[1] >  Response data "error=bad_refresh_token&error_description=The+refresh+token+passed+is+incorrect+or+expired.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-oauth-app-access-token-request-errors%2F%23bad-verification-code"

I think the piece you’re most interested in is:

"x-github-request-id":"E503:DB62:514CD51:78C2253:5F4A20E3"

Edit: the request looks like this:

[1] >  Request: HTTP post: "https://github.com/login/oauth/access_token?client_id=Iv1.3bfe017ea9365f15&client_secret=REDACTED&grant_type=refresh_token&refresh_token=REDACTED"
[1] >  Request Headers: undefined
[1] >  Request Body: undefined
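One detail worth noticing in the logs above: the failed refresh comes back as HTTP 200 with the error carried only in the form-encoded body, so a client that checks just the status code will treat `bad_refresh_token` as a success. The Python below is an added example, not code from this thread or from GitHub. It builds the refresh request for the endpoint shown in the thread, parses the form-encoded reply, reports an `error=` field regardless of status, and extracts the `X-GitHub-Request-Id` for a redacted support summary. The failure body is the one pasted above; the success body is a constructed sample in the documented form-encoded layout, and the `ghu_`/`ghr_` token values in it are placeholders.

```python
"""Refresh a GitHub App user-to-server token and classify the reply.

Added example, not code from the thread or from GitHub. It assumes the
endpoint and parameters shown in the thread; SUCCESS_BODY is a
constructed sample with placeholder token values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://github.com/login/oauth/access_token"  # endpoint from the thread


@dataclass
class TokenResult:
    ok: bool
    error: Optional[str] = None
    error_description: Optional[str] = None
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_in: Optional[int] = None
    refresh_token_expires_in: Optional[int] = None
    request_id: Optional[str] = None


def build_refresh_request(client_id: str, client_secret: str,
                          refresh_token: str) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for a refresh_token grant.

    The thread's request put client_secret and refresh_token in the query
    string; this example sends them in the POST body so they stay out of
    URL-based access logs (a hardening choice of this example).
    """
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def parse_token_response(status: int, headers: Dict[str, str], body: str) -> TokenResult:
    """Classify the reply. A failed refresh arrives as HTTP 200 with an
    error= field in the body (see the logs above), so the body is inspected
    before the status code is trusted."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    req_id = lower.get("x-github-request-id")

    if status != 200:
        return TokenResult(ok=False, error=f"http_{status}", request_id=req_id)
    if "error" in fields:
        return TokenResult(ok=False, error=fields["error"],
                           error_description=fields.get("error_description"),
                           request_id=req_id)
    if "access_token" not in fields:
        return TokenResult(ok=False, error="malformed_response", request_id=req_id)

    def as_int(key: str) -> Optional[int]:
        return int(fields[key]) if fields.get(key, "").isdigit() else None

    return TokenResult(ok=True, access_token=fields["access_token"],
                       refresh_token=fields.get("refresh_token"),
                       expires_in=as_int("expires_in"),
                       refresh_token_expires_in=as_int("refresh_token_expires_in"),
                       request_id=req_id)


def needs_reauthorization(result: TokenResult) -> bool:
    """bad_refresh_token means the stored refresh token is unusable; the
    recovery is to send the user back through the authorization flow."""
    return not result.ok and result.error == "bad_refresh_token"


def support_summary(result: TokenResult, status: int) -> str:
    """One line safe to paste into a support ticket: request id and error
    fields only, never tokens or the client secret."""
    return (f"status={status} request_id={result.request_id} "
            f"error={result.error} description={result.error_description}")


# Failure body captured in the thread, plus a constructed success body.
FAILURE_HEADERS = {"Status": "200 OK",
                   "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                   "X-GitHub-Request-Id": "E503:DB62:514CD51:78C2253:5F4A20E3"}
FAILURE_BODY = ("error=bad_refresh_token&error_description=The+refresh+token+passed"
                "+is+incorrect+or+expired.&error_uri=https%3A%2F%2Fdocs.github.com"
                "%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-oauth-app-access-"
                "token-request-errors%2F%23bad-verification-code")
SUCCESS_BODY = ("access_token=ghu_CONSTRUCTED&expires_in=28800&refresh_token=ghr_CONSTRUCTED"
                "&refresh_token_expires_in=15811200&scope=&token_type=bearer")

if __name__ == "__main__":
    failed = parse_token_response(200, FAILURE_HEADERS, FAILURE_BODY)
    print(support_summary(failed, 200), "reauth:", needs_reauthorization(failed))
    print(parse_token_response(200, FAILURE_HEADERS, SUCCESS_BODY))
```

The 28800 and 15811200 second lifetimes in the constructed success body correspond to the 8-hour access token and 6-month refresh token mentioned in the thread; when the request id and `error=` fields are all that leave the process, the summary can be shared with support without redaction work.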

I opted out of the “feature” so can’t say.

I just tried again and it seems to be working today … is it possible the fix wasn’t rolled out when I last tried?

@hatboysam - That’s interesting behavior to report! Now that it’s working, if anything changes in the next week, please share an updated X-GitHub-Request-Id key-value pair and I can forward that over to our engineers for further review. :+1:
