Unknown or invalid refresh token error

Hello,

Occasionally, I am getting this error:
Status Code: 403
{
  "error": "invalid_grant",
  "error_description": "Unknown or invalid refresh token."
}

I am using the Angular SPA flow. I have enabled refresh tokens and refresh token rotation.

The error seems to appear when the server is called. The API that I have defined for the server has offline_access enabled.

It is probably a misconfiguration, but I can’t figure it out.

The issue might have been caused by the fact that in my Angular SPA application configuration I had Refresh Token Rotation Reuse Interval set to 0.

We have the same issue, were you able to find out the solution? We have Refresh Token Rotation Reuse Interval set to 1.

For us, this was the issue. We had it set to 432000s.

We still have the issue even when we increase the Reuse Interval to a longer duration.

Even if it works, I am wondering if it is recommended, because we are delaying the automatic reuse detection. As per the example explained in the "Refresh Token Automatic Reuse Detection" section of the blog post "What Are Refresh Tokens and How to Use Them Securely", any malicious user can still use the refresh token to get access tokens even after its first use. Please let me know if my understanding is not correct.
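To make the trade-off discussed above concrete, here is an added, simplified model of refresh-token rotation with a reuse interval (example code, not Auth0's implementation or anything from this thread; the class and token names are this example's own). It shows the two behaviours the posts describe: a replayed token presented outside the reuse interval triggers reuse detection and revokes the whole token family, so the legitimate client's next refresh also fails with invalid_grant, while a larger interval tolerates the replay and delays detection.

```typescript
// Constructed, simplified model of refresh-token rotation with a reuse interval.
// Not Auth0's implementation; the names below are this example's own.
type RefreshResult = { refreshToken?: string; error?: string };
type Family = { current: string; usedAt: Map<string, number>; revoked: boolean };
class RotatingTokenServer {
  families = new Map<string, Family>();   // family id -> state
  owner = new Map<string, string>();      // refresh token -> family id
  reuseIntervalSec: number;
  counter = 0;
  constructor(reuseIntervalSec: number) {
    this.reuseIntervalSec = reuseIntervalSec;
  }

  // A login starts a new token family and returns its first refresh token.
  login(): string {
    const famId = `fam${++this.counter}`;
    const token = this.mint(famId);
    this.families.set(famId, { current: token, usedAt: new Map(), revoked: false });
    return token;
  }

  // Exchange a refresh token. `nowSec` is the request time in seconds.
  refresh(token: string, nowSec: number): RefreshResult {
    const famId = this.owner.get(token);
    const fam = famId === undefined ? undefined : this.families.get(famId);
    if (famId === undefined || !fam || fam.revoked) return { error: 'invalid_grant' };
    if (token === fam.current) {
      // Normal rotation: the presented token is retired and a successor is issued.
      fam.usedAt.set(token, nowSec);
      fam.current = this.mint(famId);
      return { refreshToken: fam.current };
    }
    const used = fam.usedAt.get(token);
    if (used !== undefined && nowSec - used <= this.reuseIntervalSec) {
      // Inside the reuse interval: tolerated as a retry; the family stays valid.
      return { refreshToken: fam.current };
    }
    // Reuse outside the interval: assume the token leaked and revoke the whole
    // family, so the legitimate client's next refresh also gets invalid_grant.
    fam.revoked = true;
    return { error: 'invalid_grant' };
  }

  mint(famId: string): string {
    const token = `rt-${famId}-${++this.counter}`;
    this.owner.set(token, famId);
    return token;
  }
}
```

With a reuse interval of 0, a single stale retry from the real client (for example two browser tabs racing to refresh) is enough to revoke the family, which is consistent with the symptom reported in this thread.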

Continuing the discussion from Unknown or invalid refresh token error:

It seems that this error appears when the refresh token has expired or has been invalidated.
To fix this issue, I use the following code in my app.component:

import { AuthService, GenericError } from '@auth0/auth0-angular';
import { Subject } from 'rxjs';
import { filter, mergeMap, takeUntil } from 'rxjs/operators';

// Inside AppComponent: _auth is the injected AuthService and _destroy$ is a
// Subject<void> that is completed in ngOnDestroy to end the subscription.
this._auth.error$.pipe(
  takeUntil(this._destroy$),
  // Only react to errors that mean the session can no longer be refreshed.
  filter((e) => e instanceof GenericError && (e.error === 'login_required' || e.error === 'invalid_grant')),
  // Log the user out so the SDK state is cleared and a fresh login can start.
  mergeMap(() => this._auth.logout({
    logoutParams: {
      returnTo: '<logoutUrl>'
    }
  }))
).subscribe();