
OAuth Grant Type Refresh Token Not Working (Doc ID 2436140.1)

Last updated on AUGUST 16, 2018

Applies to:

Oracle Access Manager - Version 12.2.1.3.180622 and later
Information in this document applies to any platform.

Symptoms

I created an OAuth Identity Domain, Application and Client.
Following this document: https://docs.oracle.com/middleware/12213/oam/AIAAG/runtime-rest-apis-oauth-12c.htm#AIAAG-GUID-9403C910-556B-486D-BC36-1F997FA1858C,
I tried to obtain a new access token using the REFRESH_TOKEN grant but I always get the response:

{"error":"invalid_grant","error_description":"Invalid Request"}

More specifically, the steps followed were:

Oauth2 - Authentication
1. http://my-test-domain:7777/oauth2/rest/authorize?response_type=code&client_id=c54966888ab24ea4a9f3057e81656092&domain=mydomain&scope=UserProfile.me&redirect_uri=https%3A%2F%2Fwww.domain.ro%2Ffix%2Fcustomer%2Faccount%2FloginAuthorize%2F

Yk00cUVUb0IxUEVvVmU2ZWphZkdSZz09fkhvWG9tTnJ4MFo1YStwWFJlZTR1VEF2MDNybVhleVUrK2hDRlVaS2puNHUxUXVBVkkvT1Z5MVM4Y08rSFFsenhRVktJaEExZS9iTURMQm1wYllyemtzYUtxVVJ4UUNJa0ZaZXlwOEN6N1l6V1B1d3lIbGh6YnIxMUQ3MHU0TklVQ3dzN2MzbE9wRGwyUzVpbkZMZnJ5NGNUZnpqa1dvT3Q3dXdDT3lXT2JIN0pPWk9mZ3ZpNmlwcFZyYkNDM1J4dnRxNDdHa0pRZklnNkpzeFAvMEFFT3BTT0gvRUtiQTluM1F1SmxJcFZNOVdKZTY0L0ZwbHloSW5lYXIxZmoxdGlWRFBaRjVFUU52YjRhekhiT3M2STV2cnA0c0hhUU5xSUZONmxEL2ppTll2UUNaWjhxQkl2bENIREZsTktSTUlweXpkNmtROHhCaGtxbS95UzcwWk9IeFpNQXoxYmthRTBRR3pnb1BaTi9jRT0=

Using authorization code
2. curl --request POST --url http://my-test-domain:7777/oauth2/rest/token --header "authorization: Basic YzU0OTY2ODg4YWIyNGVhNGE5ZjMwNTdlODE2NTYwOTI6U0FQUWlZQTN5" --header "cache-control: no-cache" --header "content-type: application/x-www-form-urlencoded" --header "x-oauth-identity-domain-name: mydomain" --data "grant_type=AUTHORIZATION_CODE&redirect_uri=https%3A%2F%2Fwww.domain.ro%2Ffix%2Fcustomer%2Faccount%2FloginAuthorize%2F&code=Yk00cUVUb0IxUEVvVmU2ZWphZkdSZz09fkhvWG9tTnJ4MFo1YStwWFJlZTR1VEF2MDNybVhleVUrK2hDRlVaS2puNHUxUXVBVkkvT1Z5MVM4Y08rSFFsenhRVktJaEExZS9iTURMQm1wYllyemtzYUtxVVJ4UUNJa0ZaZXlwOEN6N1l6V1B1d3lIbGh6YnIxMUQ3MHU0TklVQ3dzN2MzbE9wRGwyUzVpbkZMZnJ5NGNUZnpqa1dvT3Q3dXdDT3lXT2JIN0pPWk9mZ3ZpNmlwcFZyYkNDM1J4dnRxNDdHa0pRZklnNkpzeFAvMEFFT3BTT0gvRUtiQTluM1F1SmxJcFZNOVdKZTY0L0ZwbHloSW5lYXIxZmoxdGlWRFBaRjVFUU52YjRhekhiT3M2STV2cnA0c0hhUU5xSUZONmxEL2ppTll2UUNaWjhxQkl2bENIREZsTktSTUlweXpkNmtROHhCaGtxbS95UzcwWk9IeFpNQXoxYmthRTBRR3pnb1BaTi9jRT0=

{"access_token":"eyJraWQiOiJUZWxla29tRG9tYWluIiwieDV0IjoiVHUxX0I0cUdVOGJlQVZoRlpGQ0lkZVgtSFQwIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJodHRwOi8vdm0tdG9sNzA0LnRlbGVrb20ucm86MTQxMDAvb2F1dGgyIiwiYXVkIjoiVXNlclByb2ZpbGVBVEciLCJleHAiOjE1MzI2MzA4NDcsImp0aSI6IjlYLW1hTlY1LVRteTZQVEhPUmdxSUEiLCJpYXQiOjE1MzI2MjcyNDcsInN1YiI6ImRhbi5jaGlyaWxhQG0td2FyZS5ldSIsImNsaWVudCI6ImM1NDk2Njg4OGFiMjRlYTRhOWYzMDU3ZTgxNjU2MDkyIiwic2NvcGUiOlsiVXNlclByb2ZpbGVBVEcubWUiXSwiZG9tYWluIjoiVGVsZWtvbURvbWFpbiJ9.E7u2w1GlxnXlTwAvgdPqDaQMiBiqtRFIwhGJEFelWB-x8jodAgdVpplHq2dUMsLJRHKNrE9WdAQP3uTIu8REoriNYVmvzEnqQxATmRzwEQB2WsQ2g1oUhNGQO-1Ul4XawwKOUIg5LimTDO-8V1k2G8DCzvPJIfcFfAw7n6BnIbbYaUXJvkQuPn13aRt2u75WTZHZNFgLfQsq9q8IK0b__wXSf3ncxbKhU3ncsmC5LJ92L1wN_PGnlJTCGJJVQ6THCFd2pj89qunfd6apgnhDGaTtii2UVcUrthI9GNDYranyB7sDNdnQYEKl-mMW74KbXQK7WUo9yqoXW8-VqCV6IA","token_type":"Bearer","expires_in":3600,"refresh_token":
"3qGRpX50LZi+jOAZELkOiw==~Rb1jlqkHd2SWJyzXVupIsEmYkV3vGZ/+VKL9gTYTYvE0lenoODRHBGq+tzi1k+phLLTXZJQ3xhNQ0oy3X8YrsR1EVJOcsudJN2UfBYAVYiUenr9x+UAbuiIZ0WJi1SFBtFpdRKeTyqso47tJ71Fbai7xkvPsabnRPcbvBA0ONsWLRB8QfzTYXHhXoT5cVDe/0CPlkTdLsXcXeO3vGjtu4iuDUxW/+ExCrxackn2tN/gA0su493cTh4zwo3Cxb7lBZ9/iaH405JD8AzAnMQklXRDv3cewHEBJYdQ2Jx7C7Q1503DB38FYvoWKJOKg6rMa"}
refresh_token:
3qGRpX50LZi+jOAZELkOiw==~Rb1jlqkHd2SWJyzXVupIsEmYkV3vGZ/+VKL9gTYTYvE0lenoODRHBGq+tzi1k+phLLTXZJQ3xhNQ0oy3X8YrsR1EVJOcsudJN2UfBYAVYiUenr9x+UAbuiIZ0WJi1SFBtFpdRKeTyqso47tJ71Fbai7xkvPsabnRPcbvBA0ONsWLRB8QfzTYXHhXoT5cVDe/0CPlkTdLsXcXeO3vGjtu4iuDUxW/+ExCrxackn2tN/gA0su493cTh4zwo3Cxb7lBZ9/iaH405JD8AzAnMQklXRDv3cewHEBJYdQ2Jx7C7Q1503DB38FYvoWKJOKg6rMa

3. Using refresh code to get the access code
curl --request POST --url http://my-test-domain:7777/oauth2/rest/token --header "authorization: Basic YzU0OTY2ODg4YWIyNGVhNGE5ZjMwNTdlODE2NTYwOTI6U0FQUWlZQTN5" --header "cache-control: no-cache" --header "content-type: application/x-www-form-urlencoded" --header "x-oauth-identity-domain-name: mydomain" --data "grant_type=REFRESH_TOKEN&scope=UserProfile.me&refresh_token=H3dIElrwUN3EwCzp18gY3w==~CUEly5mRK+7Y+VQfwfQtAEpmwR8pJ3G9eWT9voIOPgeCpJSBIorLgBxuEM2uk13H/Eekx+4YSWEDGHW5M5Y6IDLQC2iOO/gqzxEd4ez9qMQ1NN/i4wXas02K94b9facIgShnMNKtkWlfvrUdMzTg6f6OOT83OLgJosnOVUejwLE7xbUrLtNngphe/i1nRVAioBMhS2RA0dbMWxXG+F4beYKwiJEg1nrv8nLkCmnicj8uYDHn6iqB3sAdTfWK/SiLf1M26qK3+ubjfG1YAQ5lm1wWzJvYGj7KfxzPi6wHTPbY/CWzHAT+qkKbIktIK9Iu

=====

The result was

{"error":"invalid_grant","error_description":"Invalid Request"}

Changes

NA

Cause
