Expiry of refresh token - Jira Cloud oAuth2 3LO grants

Hi there,

What is the expiry time on the refresh tokens given with the “offline_access” scope on the Jira Cloud API? Is this documented anywhere that I have missed?


Hello @delliot,

AFAIK, refresh tokens do not expire. I’ll ping the team to see what other details I can provide here (ex: revocation).

Cheers,
Ian

I have a similar followup question: I see that API calls to refresh access tokens sometimes get 403 Forbidden from calling POST https://auth.atlassian.com/oauth/token. Any idea what could cause the 403 errors? I didn’t manage to replicate this myself yet but see it happening in my production deployment from time to time.

The docs don’t really mention what expected responses are from this API.

Hi @tbinna - do you have these 403s logged? If so, can you file a bug and include as many details as possible? (i.e. request timestamp, error response from API, client_id) To be clear, don’t post those here, but rather, in the bug ticket. :slight_smile:

I’m also unable to reproduce… but if you’ve hit a bona fide 403, we should dig in.

@nmansilla I have them logged but I need to see if I can collect a few more details. The main thing I am missing is the exact error response body from the API (if there is actually one). I will try to get that logged as well and then file an issue - or comment back here if I find the issue is with my own code.

Hey @nmansilla, I just created DEVHELP-2517 with my findings regarding my previous question.

@tbinna - I’ve been chatting with the team members about this. So, while not awesome, when an intermittent 500 is encountered the current advice is to retry the request. I’ll inquire if this is something we can expect to improve when 3LO is out of developer preview / GA.

Re: the 403s, still digging in.

Thanks @nmansilla, shouldn’t be too difficult to just retry once if we see 500 responses from the API. I don’t think it makes sense to retry several times though (e.g. with delay) because it’s not like a rate limiting error or anything like that.

Looking forward to your findings on the 403s.

Hi @nmansilla - bumping this again. We still see 403 errors when refreshing access tokens on a fairly regular basis. The 403 error response payload from https://auth.atlassian.com/oauth/token looks something like this:

{
  "error":"invalid_grant",
  "error_description":"Unknown or invalid refresh token."
}

I tried to google a bit on how to understand this message but there is not much coming up. Seems this might be the direct error response from Auth0 (which I believe Atlassian’s OAuth2 implementation is based on?). This thread suggests that this is because the user revoked the token, but that’s not very clear from the responses - and I can’t find any other documentation to support this. If this really means someone has revoked the token, we should redirect the user to a re-auth flow.

Do you have any more details on this?

We’re seeing the same errors. Has anyone been able to figure out what the root cause of this is? I’ve not been able to access @tbinna’s DEVHELP-2517 ticket.

@hugh unfortunately, this has not been resolved yet. According to @shraj the respective Atlassian team is looking into this but I don’t think there is any public issue that we could follow.

Hi @hugh / @tbinna

Normally that error message would indicate that the refresh token is invalid, for example the user has revoked the access for the app or somebody has tampered with the token (unlikely). In those cases, sending the user back through the authorization flow again is the right thing to do. We should maybe clarify this in the documentation.

If you suspect the user did not revoke the access and the error shouldn’t be happening, it’d help us to investigate if you could provide us the oauth client id for your app and timestamps on a DEVHELP ticket.
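
Pulling the thread's advice together (retry an intermittent 500 exactly once; treat a 403 with `invalid_grant` as "send the user back through the 3LO authorization flow"), here is an added example in Python that is not code from this thread or from Atlassian. It assumes a standard `refresh_token` grant posted to the token endpoint quoted above, and the HTTP transport is injected so the decision logic can run offline against constructed responses.

```python
import json
from dataclasses import dataclass
from typing import Callable, List, Tuple

TOKEN_URL = "https://auth.atlassian.com/oauth/token"  # endpoint named in the thread
# Constructed copy of the 403 body quoted in the thread, for offline use.
INVALID_GRANT_BODY = '{"error":"invalid_grant","error_description":"Unknown or invalid refresh token."}'
# Transport: (url, form_fields) -> (status, body); injectable so the logic runs offline.
Transport = Callable[[str, dict], Tuple[int, str]]


@dataclass
class RefreshResult:
    outcome: str            # "ok", "reauthorize" or "error"
    access_token: str = ""
    refresh_token: str = ""
    detail: str = ""        # error detail worth logging for a DEVHELP ticket


def refresh_access_token(client_id: str, client_secret: str,
                         refresh_token: str, transport: Transport) -> RefreshResult:
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "client_secret": client_secret, "refresh_token": refresh_token}
    status, body = transport(TOKEN_URL, fields)
    if status >= 500:
        # Intermittent 500: retry exactly once, as advised in the thread, not in a loop.
        status, body = transport(TOKEN_URL, fields)
    try:
        data = json.loads(body)
        assert isinstance(data, dict)
    except (ValueError, AssertionError):
        data = {}  # non-JSON or non-object body: classify on status alone
    if status == 200 and "access_token" in data:
        # Keep a rotated refresh token if the response carries one.
        return RefreshResult("ok", data["access_token"],
                             data.get("refresh_token", refresh_token))
    if status == 403 and data.get("error") == "invalid_grant":
        # Token revoked or otherwise unusable: the stored token is dead, so the
        # only recovery is sending the user back through the 3LO flow.
        return RefreshResult("reauthorize", detail=data.get("error_description", body))
    return RefreshResult("error", detail=f"HTTP {status}: {body}")


def scripted_transport(responses: List[Tuple[int, str]]) -> Transport:
    """Constructed offline transport that replays canned responses in order."""
    queue = list(responses)
    def send(url: str, fields: dict) -> Tuple[int, str]:
        assert url == TOKEN_URL and fields["grant_type"] == "refresh_token"
        return queue.pop(0)
    return send
```

Whatever the outcome, log `detail` together with the request timestamp and client_id, since that is exactly what the DEVHELP ticket asks for.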

Hi @ekaukonen, I’ve created the ticket DEVHELP-2517, which contains the request. I’ve updated the ticket with client_id and timestamps.

I’m requesting a token against my dev account which lasts about an hour before I need to re-request the token at which point I get the error described above. I’ve not revoked or removed access to my app. I also get the error if I try and request a token immediately after the callback and with a successful API call to https://api.atlassian.com/oauth/token/accessible-resources.

Thanks