Rotating refresh token expires within 1 hour and getting "Unknown or invalid refresh token"

Hi Team,

We are using Atlassian Jira Service Management to create ticket using Rest API’s where we have OAuth 2.0 authentication mechanism.

We have created Application, client id, client secret using document:
https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/

This was working perfectly fine until we don’t have Rotating refresh token.
Issue started since Rotating refresh token feature is live.

Problem:-

  1. Using offline access, we receive both access token and refresh token.
  2. But when access token expires after some time, we exchange refresh token (that we received in step#1) to get access token (may be after 1hour)
  3. We receive “error_description”: “Unknown or invalid refresh token.”

Unable to generate OAUTH Access token from refresh token ,Refresh token keeps expiring.

{
“error”: “invalid_grant”,
“error_description”: “Unknown or invalid refresh token.”
}

Also we could see that the option to configure the rotating refresh tokens Inactivity expiry time, Absolute expiry time, Reuse interval or leeway are missing.

These are not present where we create the application. The links in those tables take us to auth0 documentation.

Is auth0 is used internally in Jira? If yes, how can we access auth0 to change the setting, if possible share URL for auth0 for our instance: https://sailpointbhushan.atlassian.net/

Thanks
Ajit Pawar

Hi Ajit,

For rotating refresh tokens:

  1. Using offline_access, a pair of access_token and refresh_token is returned, and let’s call them AT1 and RT1.
  2. When AT1 expires, RT1 can be used to exchange for a new pair - AT2 and RT2.
  3. And likewise, when AT2 expires, RT2 should be used to exchange for a new pair. If RT1 is used instead, an error of “unknown or invalid refresh token” will be returned.

If the refresh tokens have been rotated accordingly but the error was still returned, could you please DM me the client_id for further investigation?

Kind regards,
Grace

Thanks @GraceZheng for the response.
Provided our client_id in DM to you, could you please investigate.

Let me know if you need additional details.

Thanks
Ajit

Hi @GraceZheng ,

New client_id with we reproduced issue has been provided in DM.

Thanks
Ajit

Hi @AjitPawar,

Thanks for providing the new client_id.

The error was returned because the rotating refresh token was reused. As mentioned in the original reply, each refresh token should only be used once only and the newly retrieved refresh token should be used for the subsequent exchange. More details have been provided in DM.

Hope this helps :slight_smile:

Kind regards,
Grace

Hi @GraceZheng

I am facing same problem while consuming the api by multiple threads/applications,

I can see the in reuse interval of 10 minutes breach detection is disabled and both RT1 and RT2 are woking fine.
but the problem is when 5 threads using RT1 and gets 5 different tokens i.e. RT2.1, RT2.2, … RT2.5 because RT1 is still works as its a reuse interal

and after the reuse interval expire only the latest one between RT2.1, RT2.2, … RT2.5 will valid.

Is there any way to identify which is the latest and valid refresh token when multiple RT generated during reuse interval?

Hi @PrasadParab,

Reuse within leeway (i.e. “reuse interval of 10 minutes”) is designed to aid concurrent calls:

  • In the event of reuses within leeway, all valid RT2s (i.e. RT2.1, RT2.2, … RT2.5) will be able to be used to exchange for new token pairs and receive RT3s (i.e. RT3.1, RT3.2, … RT3.5).
  • An invalid token refresh request (e.g. reuse outside leeway, unknown/incorrect RT etc.) will revoke all existing tokens retrieved from the same chain as it’s deemed to be suspicious activity.

As such, identifying the latest RT will not be necessary. What I suspect could have happened in your described issue is that some of the RT1 exchanges happened outside leeway (after the reuse interval) and hence invalidated the entire token chain (i.e. all tokens generated from RT1).

Hope this helps :slight_smile:

Kind regards,
Grace

Hi @GraceZheng ,

The rotating refresh token is risky for production usage as if reuse detected, it will brake all the things.
Is Atlassian thinking of new introducing new grant_type such as password or client credentials which does not require user intervention.

Thanks
Ajit

@AjitPawar,

The client credentials grant flow is not applicable in cases where principal consent is required and we do not support the resource_owner grant flow, due to obvious security gaps: this flow will be deprecated in future versions of the OAuth2 specification.

RRT re-use does not aim to address synchronization problems in the client implementation and our re-use policy will continue to revoke chains of reused RRTs. It is advisable to dig into where these synchronization issues may appear in your client app and guard updating with some type of mutual exclusion. RRTs will also break in the event that you are sharing the refresh token amongst various processes or instances as well.

I too have the same issue i think. Please help. Refresh token expiry as 90 days but in reality, it is 1 hour which is same as access token.

same issue. after user auth the app, the first time refreshing the access token works, and the new refresh token is saved. but 1 hour later, not able to use the new refresh token to get the access token.

figure out. turn out we have to always use the latest refresh token. if the old refresh token is used, then the latest will become invalid. need to re auth.