
Get the unexpected response code 400 when refresh token is expired (in oauth2/token endpoint) #2260

Closed
kobayashilin opened this issue Dec 18, 2020 · 2 comments · Fixed by #2292
Labels
bug Something is not working. corp/m5 Up for M5 at Ory Corp.

Comments

@kobayashilin
Contributor

Hi,

We found an unexpected response code when the refresh token is expired.

Based on this API document, there are 200, 401 and 500 response codes for the endpoint POST /oauth2/token:
https://www.ory.sh/hydra/docs/reference/api/#the-oauth-20-token-endpoint

However, we got 400 Bad Request because fosite transforms it:
https://github.com/ory/fosite/blob/master/handler/oauth2/flow_refresh.go#L73

Is it the expected result? Or maybe we misunderstand something; thanks.

@aeneasr
Member

aeneasr commented Dec 21, 2020

Thank you for contributing to this repository by creating an issue!

Unfortunately, your issue lacks vital information, such as log files, the error message, the software version, your configuration or other pieces of the puzzle.

Please also ensure that your issue is appropriately formatted. If you do not know how to write markdown, you can find help here.

Helping you with your problem is only possible if you share this information, and it will save a lot of time going back and forth on your end as well as ours!

For this reason, this repository uses issue templates which you can select when pressing "New issue". Please use one of those issue templates to fill in the required information. You can either create a new issue for this purpose and close this one, or leave a comment.

Do not edit the original post as we will not be notified when you do so.

If you do not provide the requested information, this issue will be closed.

@aeneasr aeneasr added the stale Feedback from one or more authors is required to proceed. label Dec 21, 2020
@kobayashilin
Contributor Author

kobayashilin commented Dec 21, 2020

Describe the bug

An unexpected response code 400 when the refresh token is expired (in the oauth2/token endpoint)

Reproducing the bug

Steps to reproduce the behavior:

  1. Set ttl_refresh_token: 1m
  2. Run the command below:
    serve all --dangerous-force-http
  3. Finish the authentication flow with offline_access and get the refresh_token
  4. Wait for the refresh_token to expire
  5. POST /oauth2/token with the refresh_token:
    curl --location --request POST 'http://127.0.0.1:4444/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'grant_type=refresh_token' \
      --data-urlencode 'client_id=pkce-1-auth-code-client' \
      --data-urlencode 'redirect_uri=http://127.0.0.1:4200/assets/signin-callback.html|http://127.0.0.1:4200/assets/silent-callback.html' \
      --data-urlencode 'refresh_token=uRjmI5Imce-MDeNsssHBITxcgiOinJ8AEqDcP1DA5_w.VCvtbPEN0tWtFr3plKDWqPmkveGX_Lf8d3UbtAt38fM'

Server logs

{
  "http_request": {
    "headers": {
      "accept": "*/*",
      "accept-encoding": "gzip, deflate, br",
      "cache-control": "no-cache",
      "user-agent": "PostmanRuntime/7.26.8"
    },
    "host": "127.0.0.1:4444",
    "method": "POST",
    "path": "/oauth2/token",
    "query": null,
    "remote": "127.0.0.1:50613",
    "scheme": "http"
  },
  "level": "info",
  "msg": "started handling request",
  "time": "2020-12-21T17:45:29+08:00"
}
{
  "audience": "application",
  "error": {
    "message": "invalid_request",
    "reason": "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
    "status": "Bad Request",
    "status_code": 400
  },
  "http_request": {
    "headers": {
      "accept": "*/*",
      "accept-encoding": "gzip, deflate, br",
      "cache-control": "no-cache",
      "user-agent": "PostmanRuntime/7.26.8"
    },
    "host": "127.0.0.1:4444",
    "method": "POST",
    "path": "/oauth2/token",
    "query": null,
    "remote": "127.0.0.1:50613",
    "scheme": "http"
  },
  "level": "info",
  "msg": "access denied",
  "service_name": "",
  "service_version": "",
  "time": "2020-12-21T17:45:29+08:00"
}
{
  "http_request": {
    "headers": {
      "accept": "*/*",
      "accept-encoding": "gzip, deflate, br",
      "cache-control": "no-cache",
      "user-agent": "PostmanRuntime/7.26.8"
    },
    "host": "127.0.0.1:4444",
    "method": "POST",
    "path": "/oauth2/token",
    "query": null,
    "remote": "127.0.0.1:50613",
    "scheme": "http"
  },
  "http_response": {
    "status": 400,
    "text_status": "Bad Request",
    "took": 11920534
  },
  "level": "info",
  "msg": "completed handling request",
  "time": "2020-12-21T17:45:29+08:00"
}

Server configuration

ttl:
    refresh_token: 1m

Expected behavior

A 401 response. But we got 400 Bad Request.

Environment

  • Hydra Version: v1.8.5
  • Environment: Mac Unix
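
As an added example (not code from Hydra or fosite), a client-side classifier for a failed refresh_token grant that shows why the status/error mapping in this report matters: a client following RFC 6749 §5.2 keys on the error code, treats invalid_grant (the code the RFC defines for an expired or revoked refresh token) as "log in again", and treats invalid_request as a bug in its own request, so the body seen in the logs above sends it down the wrong path. The type and function names and the sample bodies are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// TokenError is the JSON error body of an OAuth 2.0 token endpoint (RFC 6749 §5.2).
type TokenError struct {
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

// Action is what a client should do after a failed refresh_token grant.
type Action string

const (
	Reauthenticate Action = "reauthenticate"  // refresh token unusable: restart the login flow
	FixRequest     Action = "fix_request"     // malformed request: a client bug, do not retry blindly
	FixClientAuth  Action = "fix_client_auth" // client credentials rejected
	RetryLater     Action = "retry_later"     // server-side failure: back off and retry
)

// ClassifyRefreshFailure maps a failed refresh to an Action. The error code is checked before
// the HTTP status because RFC 6749 reports both an expired refresh token (invalid_grant) and a
// malformed request (invalid_request) with status 400, so the status alone cannot separate them.
func ClassifyRefreshFailure(status int, body []byte) Action {
	if status >= 500 {
		return RetryLater
	}
	var te TokenError
	if json.Unmarshal(body, &te) == nil {
		switch te.Code {
		case "invalid_grant":
			return Reauthenticate
		case "invalid_client":
			return FixClientAuth
		case "invalid_request":
			return FixRequest
		}
	}
	if status == 401 { // the status documented for this endpoint in the issue
		return Reauthenticate
	}
	return FixRequest
}

func main() {
	// Constructed body mirroring the issue's log: the expired token surfaced as invalid_request / 400,
	// so a spec-following client blames its own request instead of re-authenticating.
	logged := []byte(`{"error":"invalid_request","error_description":"Make sure that the various parameters are correct."}`)
	fmt.Println(ClassifyRefreshFailure(400, logged), ClassifyRefreshFailure(400, []byte(`{"error":"invalid_grant"}`)))
}
```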

@aeneasr aeneasr added bug Something is not working. corp/m4 Up for M4 at Ory Corp. and removed stale Feedback from one or more authors is required to proceed. labels Dec 31, 2020
@aeneasr aeneasr added corp/m5 Up for M5 at Ory Corp. and removed corp/m4 Up for M4 at Ory Corp. labels Jan 11, 2021
aeneasr added a commit that referenced this issue Jan 12, 2021
aeneasr added a commit that referenced this issue Jan 12, 2021