Problems with refreshing of OAuth tokens

Summary

When I try to referesh a token, I allways get an “api.oauth.get_access_token.refresh_token.app_error” error with 404-http code.

Steps to reproduce

• Request a Token -> acces & refresh tokens a created an returned
• with those tokens initialize a refresh-grant -> leads to an error
• MM Version: 3.9.0
• I access OAuth with https://github.com/lelylan/simple-oauth2

Expected behavior

• a new pair of tokens is returned

Observed behavior

• I allways get
  {
  “name”: “Error”,
  “status”: 404,
  “message”: “Not Found”,
  “context”: {
  “id”: “api.oauth.get_access_token.refresh_token.app_error”,
  “message”: “invalid_grant: Invalid refresh token”,
  “detailed_error”: “”,
  “request_id”: /…/,
  “status_code”: 404
  }
  } as the anwer
• after mattermost code-analysis I coud find out, that the refresh_token is not saved in the DB (OAuthAccessData-Table), but the acces_token from this pair is stored in the “token”-column

Hi @wojtus,

Thanks for your feedback,

On our instance, Zapier is using the refresh token and we also have unit tests testing the refresh token so what you’re reporting might be a bug.

I’ve created this ticket to investigate.

@wojtus have you tried the following

make a POST request to http(s)://<your-mattermost-instance-url>/oauth/access_token?grant_type=refresh_token&client_id=<your-client-id>&client_secret=<your-client-secret>&refresh_token=<the-refresh-token-provided-with-the-access-token>