403 Forbidden Error when renewing token

I am facing a 403 Forbidden error when I try to renew the token. This error appears randomly; most of the time the token gets renewed properly, but sometimes I get this error. All my configuration, including inactivity expiry and absolute expiry, is set properly.

This is what my request looks like

```typescript
// Fragment from the post; the enclosing function was not shown, so it is wrapped
// here with the inputs it references (userSession, config, client_id, client_secret).
async function renewToken(
    userSession: { refreshToken?: string } | undefined,
    config: { AUTH0_DOMAIN: string },
    client_id: string,
    client_secret: string,
) {
    const formData = {
        grant_type: 'refresh_token',
        client_id,
        // Note: if userSession is undefined this becomes the string "undefined"
        refresh_token: userSession?.refreshToken,
        client_secret
    };

    // Encode as application/x-www-form-urlencoded
    const formBody = Object.entries(formData)
        .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value as any)}`)
        .join('&');

    const tokenResponse = await fetch(`https://${config.AUTH0_DOMAIN}/oauth/token`, {
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
        },
        body: formBody,
    });
    return tokenResponse;
}
```

And this is the response I get when it results in error

(url=https://dev-cdebase.auth0.com/oauth/token, status=403, statusText=Forbidden, ok=false, bodyUsed=true, size=0, timeout=0, _abort=false, _bytes=81)

--
headers: {
  "_headers": {
    "date": [
      "Wed, 26 Oct 2022 22:14:40 GMT"
    ],
    "content-type": [
      "application/json"
    ],
    "transfer-encoding": [
      "chunked"
    ],
    "connection": [
      "close"
    ],
    "cf-ray": [
      "76068bd50889b045-ATL"
    ],
    "cache-control": [
      "private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform"
    ],
    "set-cookie": [
      "did=s%3Av0%3A95e67440-557b-11ed-bc3e-0dcfdb6ab38c.Mq47px2BL3noMvEstS94C%2FOfBl2B2WiOkCZ9qIdzKNc; Max-Age=31557600; Path=/; Expires=Fri, 27 Oct 2023 04:14:40 GMT; HttpOnly; Secure; SameSite=None",
      "did_compat=s%3Av0%3A95e67440-557b-11ed-bc3e-0dcfdb6ab38c.Mq47px2BL3noMvEstS94C%2FOfBl2B2WiOkCZ9qIdzKNc; Max-Age=31557600; Path=/; Expires=Fri, 27 Oct 2023 04:14:40 GMT; HttpOnly; Secure"
    ],
    "strict-transport-security": [
      "max-age=31536000"
    ],
    "vary": [
      "Accept-Encoding, Origin"
    ],
    "cf-cache-status": [
      "DYNAMIC"
    ],
    "ot-baggage-auth0-request-id": [
      "76068bd50889b045"
    ],
    "ot-tracer-sampled": [
      "true"
    ],
    "ot-tracer-spanid": [
      "4349817c1649d715"
    ],
    "ot-tracer-traceid": [
      "228e3efc230c5bcb"
    ],
    "traceparent": [
      "00-0000000000000000228e3efc230c5bcb-4349817c1649d715-01"
    ],
    "tracestate": [
      "auth0-request-id=76068bd50889b045,auth0=true"
    ],
    "x-auth0-requestid": [
      "bdfa963110f29b286003"
    ],
    "x-content-type-options": [
      "nosniff"
    ],
    "x-ratelimit-limit": [
      "30"
    ],
    "x-ratelimit-remaining": [
      "29"
    ],
    "x-ratelimit-reset": [
      "1666822481"
    ],
    "server": [
      "cloudflare"
    ],
    "alt-svc": [
      "h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400"
    ]
  }
}
--

Hi @huzaifaali14,

Is it possible your refresh token is expired?

Hi @dan.woda, it shouldn't be. It's set to expire after almost 30 days.

I would recommend checking Monitoring → Logs in your Auth0 dashboard. You can search for specific event types using the dropdown, or I think you can use type:fer* to find all Failed Exchange of Refresh Token errors (see Log Event Type Codes).

The event type and description should provide more information to explain why you received an error. Based on what you’ve said, I would bet that the most likely scenario is that the refresh token was reused for some reason, e.g. because it is being reused across tabs or page views somehow.


Thanks for the help @eterobby!

We still don't know why and how the refresh token is getting revoked. It gives a bad experience to users, as they need to log in more often.

{
  "date": "2022-10-31T18:53:29.024Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",
  "connection_id": "",
  "client_id": "z75gKEQvfCmXiZE6vz3W2JRulfiAfh0L",
  "client_name": "xxxxxx",
  "ip": "35.227.66.34",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "clockbook.us.auth0.com",
  "user_id": "",
  "user_name": "",
  "log_id": "90020221031185332473273136468875951073554597710189822002",
  "_id": "90020221031185332473273136468875951073554597710189822002",
  "isMobile": false,
  "id": "90020221031185332473273136468875951073554597710189822002"
}

Hey @eterobby. I always receive the below error when this happens. And also I didn't really get your point related to the token being reused; can you please elaborate? I want to add that I get the same result whether refresh token rotation is on or off (reuse interval set to 1200 sec for testing). It seems to me the issue is with inactivity expiration (which is set correctly right now), because I observed that if I leave the application for 10-12 hours it will throw the below error while renewing the token. My ID token expiry is set to 2 hrs, which was done for testing this. It does renew the token a couple of times but eventually throws the 403 error.

The Unknown or invalid refresh token error message indicates that Auth0 is failing to recognize the refresh token for some reason, so either a valid token is not being transmitted somehow (in these circumstances, maybe you're somehow sending garbage, or it's missing or truncated or padded with extra characters or quotes) or a valid token is being transmitted but Auth0 is refusing to recognize it (because it expired or was revoked).

It’s unclear to me from the context where this token is coming from, although the Other 0.0.0 value for user agent suggests that you’re making this call from the server-side. The fact that you’re using userSession?.refreshToken suggests to me that userSession could be null/undefined in some circumstances, which would pass "undefined" as the token value and definitely lead to this type of error. I would highly recommend that you restructure this logic to check for a valid userSession and non-empty refreshToken and to throw your own error immediately rather than fruitlessly calling Auth0 with a missing token.

If you find that this error persists even after you are certain that the refresh token is non-empty (and presumably valid), then the only other thing that comes to mind is that somehow your refresh tokens are getting revoked, either through user logout or possibly you’re hitting the 200 maximum number of refresh tokens per user.

And also I didn’t really get your point related to token being reused can you please elaborate? I want to add that I am having the same result whether with refresh token rotation on or off

I was specifically referring to refresh token rotation errors, and that would have manifested with a different error and type (ferrt), so apparently that's not your issue.
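The restructuring suggested above (check the session and refresh token before calling Auth0, throw your own error early, and keep Auth0's error body when the reply is not 2xx), as an added example that is not code from the thread or from Auth0. The `UserSession`, `Auth0Config`, `Fetcher` and `makeFakeAuth0` names are assumptions; `makeFakeAuth0` is a constructed offline stand-in for the token endpoint so the flow can be exercised without a tenant. The function returns a new session object so the caller stores it wholesale, which is the step the original poster later found was going wrong.

```typescript
// Added example (not code from the thread): a guarded refresh-token exchange.
// It (1) refuses to call Auth0 when the session or refresh token is missing,
// (2) keeps Auth0's error body when the reply is not 2xx, and (3) returns a
// fresh session object so the caller replaces the stored one in a single step.

interface UserSession {
  accessToken: string;
  refreshToken: string;
}

interface Auth0Config {
  AUTH0_DOMAIN: string; // e.g. "tenant.auth0.com", as in the original post
  clientId: string;
  clientSecret: string;
}

// Minimal view of fetch's Response so this runs without DOM/Node typings.
interface MinimalResponse {
  ok: boolean;
  status: number;
  text(): Promise<string>;
}

// Injected so a real fetch or an offline stand-in can be passed in.
type Fetcher = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<MinimalResponse>;

class TokenRefreshError extends Error {
  constructor(message: string, readonly status?: number, readonly auth0Body?: string) {
    super(message);
    Object.setPrototypeOf(this, TokenRefreshError.prototype); // keep the prototype chain on ES5 targets
    this.name = 'TokenRefreshError';
  }
}

// Fail fast before any network call. A missing token would otherwise be sent as the
// string "undefined" and Auth0 answers 403 "Unknown or invalid refresh token" (fertft).
function requireRefreshToken(session: UserSession | null | undefined): string {
  const token = session?.refreshToken;
  if (typeof token !== 'string' || token.trim() === '') {
    throw new TokenRefreshError('no refresh token in session; user must log in again');
  }
  return token;
}

// Builds the x-www-form-urlencoded body for grant_type=refresh_token.
function buildRefreshBody(clientId: string, clientSecret: string, refreshToken: string): string {
  const fields: Record<string, string> = {
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  };
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

async function renewToken(session: UserSession | null | undefined, cfg: Auth0Config, fetchImpl: Fetcher): Promise<UserSession> {
  const refreshToken = requireRefreshToken(session);
  const res = await fetchImpl(`https://${cfg.AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' },
    body: buildRefreshBody(cfg.clientId, cfg.clientSecret, refreshToken),
  });
  const text = await res.text();
  if (!res.ok) {
    // The JSON body names the cause (invalid_grant, rate limiting, ...); keep it for the logs.
    throw new TokenRefreshError(`token refresh failed with HTTP ${res.status}`, res.status, text);
  }
  const body = JSON.parse(text) as { access_token?: string; refresh_token?: string };
  if (typeof body.access_token !== 'string') {
    throw new TokenRefreshError('token endpoint returned no access_token', res.status, text);
  }
  // With rotation on, Auth0 returns a new refresh_token and revokes the old one;
  // with rotation off, no refresh_token is returned and the old one stays valid.
  return { accessToken: body.access_token, refreshToken: body.refresh_token ?? refreshToken };
}

// Constructed offline stand-in for Auth0 (assumption, not the real endpoint): accepts
// exactly one refresh token, rotates it, and rejects anything else with the 403 from the thread.
function makeFakeAuth0(validRefreshToken: string): Fetcher {
  return async (_url, init) => {
    const sent = init.body.split('&').map((p) => p.split('=').map(decodeURIComponent))
      .find(([k]) => k === 'refresh_token')?.[1];
    if (sent === validRefreshToken) {
      const ok = { access_token: 'at-2', refresh_token: 'rt-2', expires_in: 86400, token_type: 'Bearer' };
      return { ok: true, status: 200, text: async () => JSON.stringify(ok) };
    }
    const err = { error: 'invalid_grant', error_description: 'Unknown or invalid refresh token.' };
    return { ok: false, status: 403, text: async () => JSON.stringify(err) };
  };
}
```

Call it as `const next = await renewToken(stored, cfg, fetch)` and then persist `next` as the whole session. Because the old refresh token is revoked as soon as rotation hands out a new one, writing only the access token back (or writing the session from a stale copy) leaves the next renewal sending a revoked token, which is exactly the fertft log entry shown earlier in the thread.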

Hey @eterobby. The issue was actually in our code itself. After renewing the token we were updating information related to the user session, which as a result was not storing the correct information and caused the failure on the subsequent renewal. I overlooked that issue. Now it's working fine. Thank you very much for all the support and suggestions.


Thanks for following up @huzaifaali14!
