OAuth authorization flow - refreshing access token

Hi, the documentation regarding the refreshing access token mentions that the access token refresh endpoint (https://id.twitch.tv/oauth2/token) returns a 401 when an invalid refresh token (revoked) is provided.

A refresh request can fail with HTTP status code 401 Unauthorized if the refresh token is no longer valid. If the refresh fails, the application should re-prompt the end user for consent using the Authorization Code Grant flow or OIDC Authorization Code Grant flow.

When I tested the flow, this doesn’t seem to be true, as I receive a 400 status code with the message “Invalid refresh token” when trying to refresh the access token after manually revoking it.

This error is very generic and can potentially lead to issues in my app (prompting users to go through the OAuth flow again even though their token is valid).

I’m unsure if I’m doing something wrong or if the documentation is out of date.

You have attempted a refresh because the user access token is invalid.

The refresh flow has failed to return a new access token (and possible refresh token).

So the user needs to reauthenticate.

I’m not sure what the (mechanical) problem is

You tried to refresh
The refresh failed
You have no tokens for the user
The user needs to reauthenticate

Irrespective of the 4xx status code returned here.
Since any 4xx is gonna be dead token stuff here.

When a token expires, it becomes invalid. If you call a Twitch API with an invalid token, the request returns 401 Unauthorized.

The general Helix API returns 401 as you have an invalid token

The Refresh Authentication API uses 400 as per the example

The issue is that the 400 status code is very generic. I assume multiple issues can throw the 400 status code (e.g. I forget to pass a client secret, or the client id, or something else).

I don’t have a good way of knowing that the refresh token is invalid.

I guess I could look at the message + status code & hope that nothing else in the API throws the same combination.

And of course the documentation seems to be wrong, so that might need to be updated.
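As an added example (not Twitch’s code and not written by anyone in this thread), the following shows one way a client can act on the refresh response in the spirit of the advice given above: treat any 4xx from the token endpoint as a dead token and re-prompt the user, retry on transient 5xx/429 so a server hiccup does not log everyone out, and flag any 4xx whose message does not mention the refresh token so a client misconfiguration surfaces in monitoring instead of silently forcing users back through consent. The endpoint URL and the 400 “Invalid refresh token” response come from the thread; the form parameters are the standard OAuth 2.0 refresh_token grant (RFC 6749 §6); every other response body and the `transport` callable are constructed for offline use.

```python
"""Decide what to do with a refresh_token grant response.

Added example, not Twitch's code. The 400 + "Invalid refresh token" case is the
one observed in the thread; all other responses here are constructed samples.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://id.twitch.tv/oauth2/token"  # endpoint named in the thread


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Standard refresh_token grant body (RFC 6749 section 6), form-encoded."""
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": client_id,
            "client_secret": client_secret,
        }),
    }


@dataclass
class RefreshOutcome:
    action: str                  # "store" | "reauthenticate" | "retry"
    reason: str
    unexpected: bool = False     # a 4xx that did not look like a dead token: alert on it
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None


def classify_refresh_response(status: int, body: str) -> RefreshOutcome:
    """Map (HTTP status, response body) to the action the app should take."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    message = str(data.get("message", "")).lower()

    if status == 200 and data.get("access_token"):
        return RefreshOutcome("store", "refresh succeeded",
                              access_token=data["access_token"],
                              refresh_token=data.get("refresh_token"))
    if status >= 500 or status in (408, 429):
        # Transient: keep the stored tokens and try again later.
        return RefreshOutcome("retry", f"transient failure HTTP {status}")
    if 400 <= status < 500:
        # Any 4xx means the refresh is dead for this user. A 401/403, or a 400 whose
        # message names the refresh token, is the expected shape; anything else is
        # flagged so an operator can tell a revoked token from a broken client.
        dead_token = status in (401, 403) or "refresh token" in message
        return RefreshOutcome("reauthenticate",
                              f"HTTP {status}: {message or 'no message'}",
                              unexpected=not dead_token)
    return RefreshOutcome("retry", f"unexpected HTTP {status}", unexpected=True)


def refresh_session(session: dict,
                    transport: Callable[[dict], Tuple[int, str]]) -> RefreshOutcome:
    """session holds client_id/client_secret/refresh_token; transport(req) -> (status, body).

    The transport is injected so this runs offline; a real one would POST the body.
    """
    req = build_refresh_request(session["client_id"], session["client_secret"],
                                session["refresh_token"])
    status, body = transport(req)
    outcome = classify_refresh_response(status, body)
    if outcome.action == "store":
        session["access_token"] = outcome.access_token
        if outcome.refresh_token:          # rotate only when a new one was issued
            session["refresh_token"] = outcome.refresh_token
    elif outcome.action == "reauthenticate":
        # Drop the dead pair so the app cannot keep retrying a revoked token.
        session.pop("access_token", None)
        session.pop("refresh_token", None)
    return outcome


if __name__ == "__main__":
    # Constructed transport replaying the response observed in the thread.
    revoked = lambda req: (400, '{"status":400,"message":"Invalid refresh token"}')
    sess = {"client_id": "cid", "client_secret": "sec",
            "refresh_token": "old", "access_token": "stale"}
    print(refresh_session(sess, revoked), sess)
```

Only `reauthenticate` outcomes should send the user back through the Authorization Code Grant; `retry` outcomes keep the existing tokens, and an `unexpected=True` reauthentication is worth an alert because it is more likely a client-side fault than a revoked token.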

If it’s due to a missing client secret/client ID then likely your entire application has a fault, and refreshing users’ tokens is the least of your concerns in my opinion in this scenario.

Yes, missing client id or client secret won’t (realistically) ever happen, but I provided it as an example of how the status code 400 can be very generic. I can’t know which other cases return this status code without a detailed API documentation.

In other APIs, a 403 or 401 status code is usually returned when the refresh token is no longer valid, or a specific invalid_grant error code. This is a more unambiguous response. The Twitch API seems to be an exception.

Thank you for replying, I’ll try to make it work (and make it as safe as possible).