Refresh Token expired for no apparent reason

Problem Statement

A user couldn’t retrieve an Access Token with their Refresh Token. The Refresh Token appears to have expired before the end of its lifetime, or even though no expiration is configured at all. There is no Rotation enabled and no security breach associated with the event.

Troubleshooting

  • Check the application’s Refresh Token (RT) configuration
  • Check the logs related to that user
  • Check the logs for failed exchanges and resource cleanups

Cause

The Refresh Tokens have accumulated up to the maximum stored in our DB (currently: 200). Once that limit is reached, our server erases the oldest ones.

Solution

If you want to keep using older tokens, you must detect this error and retry. Alternatively, change your Refresh Token configuration: enabling Rotation and setting lifetime values works better and is safer.
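As an added example (not part of the original article), this is the client-side handling the solution above calls for, in Python: perform the refresh exchange, persist the rotated Refresh Token when one is returned, and treat an `invalid_grant` error as "token gone, re-authenticate" rather than as a transient failure. `TokenStore` and `fake_token_endpoint` are constructed stand-ins so the flow runs offline against no real server.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TokenStore:  # constructed client-side state, not a library type
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    needs_login: bool = False

def refresh_access_token(store, post):
    """Exchange the stored refresh token at the token endpoint via the
    injected call `post(form) -> (status, json_body)`. Returns 'refreshed',
    'reauth_required' or 'retry_later'."""
    if not store.refresh_token:
        store.needs_login = True
        return "reauth_required"
    status, body = post({"grant_type": "refresh_token",
                         "refresh_token": store.refresh_token})
    if status == 200:
        store.access_token = body["access_token"]
        # With Rotation the server issues a new refresh token and invalidates
        # the used one, so the new value must replace the stored one at once.
        if "refresh_token" in body:
            store.refresh_token = body["refresh_token"]
        return "refreshed"
    # invalid_grant (RFC 6749 s5.2): the refresh token is invalid, expired or
    # revoked. An evicted token looks exactly like this, and replaying the
    # same exchange cannot succeed, so detect it and send the user to login.
    if status == 400 and body.get("error") == "invalid_grant":
        store.access_token = store.refresh_token = None
        store.needs_login = True
        return "reauth_required"
    return "retry_later"  # 5xx / rate limit: transient, retry with backoff

def fake_token_endpoint(valid, rotate=True):
    """Constructed stand-in for the token endpoint; `valid` = tokens it knows."""
    issued = [0]
    def post(form):
        rt = form.get("refresh_token")
        if form.get("grant_type") != "refresh_token" or rt not in valid:
            return 400, {"error": "invalid_grant"}
        body = {"access_token": f"at-{issued[0]}", "token_type": "Bearer"}
        if rotate:  # revoke the used token and issue its successor
            valid.discard(rt)
            issued[0] += 1
            body["refresh_token"] = f"rt-{issued[0]}"
            valid.add(body["refresh_token"])
        return 200, body
    return post
```

Replaying a token that the server has already discarded (the stale-copy case) returns the same `invalid_grant` as an evicted one, which is why the client must switch to re-authentication instead of looping on the exchange.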