Rotating refresh token expires within 1 hour and getting "Unknown or invalid refresh token"

Hi Team,

We are using Atlassian Jira Service Management to create tickets using the REST APIs, with OAuth 2.0 as the authentication mechanism.

We have created Application, client id, client secret using document:
https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/

This was working perfectly fine until rotating refresh tokens were introduced.
The issue started when the rotating refresh token feature went live.

Problem:

  1. Using offline access, we receive both an access token and a refresh token.
  2. When the access token expires after some time, we exchange the refresh token (that we received in step 1) to get a new access token (maybe after 1 hour).
  3. We receive "error_description": "Unknown or invalid refresh token."

Unable to generate an OAuth access token from the refresh token; the refresh token keeps expiring.

{
  "error": "invalid_grant",
  "error_description": "Unknown or invalid refresh token."
}

Also, we can see that the options to configure the rotating refresh tokens (inactivity expiry time, absolute expiry time, reuse interval or leeway) are missing.

These are not present where we create the application. The links in those tables take us to auth0 documentation.

Is Auth0 used internally in Jira? If yes, how can we access Auth0 to change the setting? If possible, share the Auth0 URL for our instance: https://sailpointbhushan.atlassian.net/

Thanks
Ajit Pawar

Hi Ajit,

For rotating refresh tokens:

  1. Using offline_access, a pair of access_token and refresh_token is returned; let's call them AT1 and RT1.
  2. When AT1 expires, RT1 can be used to exchange for a new pair, AT2 and RT2.
  3. Likewise, when AT2 expires, RT2 should be used to exchange for a new pair. If RT1 is used instead, an error of "unknown or invalid refresh token" will be returned.

If the refresh tokens have been rotated accordingly but the error was still returned, could you please DM me the client_id for further investigation?

Kind regards,
Grace
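The rotation rule in Grace's reply, shown as a runnable added example (not Atlassian's code and not the real auth.atlassian.com token endpoint): a constructed stand-in for a token endpoint that issues single-use refresh tokens, beside a client-side token store that persists the newest refresh token after every exchange. demo_reused_refresh_token reproduces the thread's failure by exchanging RT1 a second time after RT2 has already been issued; the error shape mirrors the JSON quoted above. Class and function names are the example's own.

```python
"""Rotating refresh tokens: a simulated token endpoint plus a client store
that always keeps the most recently issued refresh token.

Added example; RotatingTokenServer is a constructed stand-in and does not
model any specific vendor's expiry or leeway settings.
"""
import secrets
from dataclasses import dataclass


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str


class RotatingTokenServer:
    """Constructed stand-in for an OAuth 2.0 token endpoint with rotation:
    every refresh token is single-use and is invalidated when exchanged."""

    def __init__(self) -> None:
        self._valid_refresh_tokens: set = set()

    def _issue_pair(self) -> TokenPair:
        pair = TokenPair(secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self._valid_refresh_tokens.add(pair.refresh_token)
        return pair

    def authorization_code_grant(self) -> TokenPair:
        # Initial grant with offline_access: returns AT1 and RT1.
        return self._issue_pair()

    def refresh_grant(self, refresh_token: str) -> dict:
        # Same error body as quoted in the thread for an unknown or
        # already-consumed refresh token.
        if refresh_token not in self._valid_refresh_tokens:
            return {
                "error": "invalid_grant",
                "error_description": "Unknown or invalid refresh token.",
            }
        self._valid_refresh_tokens.discard(refresh_token)  # single use
        pair = self._issue_pair()
        return {"access_token": pair.access_token,
                "refresh_token": pair.refresh_token}


class TokenStore:
    """Client side: replaces the stored refresh token on every exchange."""

    def __init__(self, server: RotatingTokenServer, initial: TokenPair) -> None:
        self.server = server
        self.access_token = initial.access_token
        self.refresh_token = initial.refresh_token

    def refresh(self) -> dict:
        resp = self.server.refresh_grant(self.refresh_token)
        if "error" in resp:
            return resp
        # Persist BOTH tokens before using the new access token. Dropping the
        # new refresh token here is what produces invalid_grant next time.
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        return resp


def demo_correct_rotation(rounds: int = 3) -> bool:
    """AT1/RT1 -> AT2/RT2 -> AT3/RT3 ...: each exchange uses the newest RT."""
    server = RotatingTokenServer()
    store = TokenStore(server, server.authorization_code_grant())
    return all("error" not in store.refresh() for _ in range(rounds))


def demo_reused_refresh_token() -> str:
    """Reproduces the thread's failure: exchanging RT1 again after RT2 exists."""
    server = RotatingTokenServer()
    first = server.authorization_code_grant()
    rt1 = first.refresh_token
    store = TokenStore(server, first)
    store.refresh()                    # consumes RT1; store now holds RT2
    resp = server.refresh_grant(rt1)   # stale RT1 is rejected
    return resp.get("error", "")


if __name__ == "__main__":
    print("correct rotation ok:", demo_correct_rotation())
    print("reusing RT1 yields:", demo_reused_refresh_token())
```

The practical takeaway for an integration: treat the refresh token as state that changes on every call, write the new value to durable storage in the same step that consumes the old one, and make sure only one worker refreshes at a time, since two processes sharing one stored token will both try to exchange it and the second one will see exactly this invalid_grant error.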

Thanks @GraceZheng for the response.
I have provided our client_id to you in DM; could you please investigate?

Let me know if you need additional details.

Thanks
Ajit

Hi @GraceZheng ,

A new client_id with which we reproduced the issue has been provided in DM.

Thanks
Ajit

Hi @AjitPawar,

Thanks for providing the new client_id.

The error was returned because the rotating refresh token was reused. As mentioned in the original reply, each refresh token should be used only once, and the newly retrieved refresh token should be used for the subsequent exchange. More details have been provided in DM.

Hope this helps :slight_smile:

Kind regards,
Grace