Reputation: 508
I am using WSO2 API Manager 1.10.0 with WSO2 Identity Server 5.1.0 configured as the key manager and MySQL Community Server 5.6 for the databases. When I try to refresh a token (refresh_token grant type) obtained with the authorization code grant type, I'm getting a 400 Bad Request error (invalid_grant - Provided Authorization Grant is invalid) and I am unable to get a new token. I then tried with the client_credentials and password grant types, and for those I am able to refresh the token.
I checked the Identity Server logs and found out that there is an error when Identity Server tries to retrieve the latest token (logs below).
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID OQU0_FyRQcdvTFbygziFw67ASHwa, User ID null, Scope : [openid, profile] and Grant Type : refresh_token
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : refresh_token Strict client validation set to : null
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} - Error while retrieving the latest refresh token
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant provided by the client Id: OQU0_FyRQcdvTFbygziFw67ASHwa
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_grant client-id=OQU0_FyRQcdvTFbygziFw67ASHwa grant-type=refresh_token scope=openid profile
TID: [-1234] [] [2016-12-15 12:40:06,492] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} - Running deployment synchronizer update... tenant : carbon.super
TID: [-1234] [] [2016-12-15 12:40:06,588] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} - Running deployment synchronizer commit... tenant : carbon.super
I debugged the source code and I think the issue may be related to the following SQL query, in particular with the USER_DOMAIN=null clause.
SELECT ACCESS_TOKEN, REFRESH_TOKEN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED,
       VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, TOKEN_STATE, USER_TYPE,
       TOKEN_ID, SUBJECT_IDENTIFIER
  FROM IDN_OAUTH2_ACCESS_TOKEN
 WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS
                           WHERE CONSUMER_KEY = 'OQU0_FyRQcdvTFbygziFw67ASHwa')
   AND AUTHZ_USER = 'michael.pinheiro'
   AND TENANT_ID = -1234
   AND USER_DOMAIN = null
   AND TOKEN_SCOPE_HASH = '369db21a386ae433e65c0ff34d35708d'
 ORDER BY TIME_CREATED DESC
 LIMIT 1
I also noticed that when using the authorization code grant type, the access token created in table IDN_OAUTH2_ACCESS_TOKEN has the USER_DOMAIN column set to NULL; however, when using the password or client_credentials grant type the value is "PRIMARY".
Could it be a bug or am I missing any parameter that would somehow set the user domain to PRIMARY when creating the new access token?
These are all the steps I executed to reproduce the issue:
Step 1: I get the authorization code by redirecting to https://identity-dev.domain.pt/oauth2/authorize?response_type=code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&scope=openid%20profile&redirect_uri=http://localhost:8100
Step 2: Using the code received in the previous step, I get the access token (and refresh token) by executing:
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=authorization_code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&client_secret=3kC6Uf9f8Lr8HVl2n03dhQc57Jsa&scope=openid%20profile&code=fd2f827afefba0ab0b17f9d701ad1488&redirect_uri=http://localhost:8100' \
  "https://identity-dev.domain.pt/oauth2/token"
Step 3: Using the refresh token received in the previous step, I execute the following request to get the new token; however, I receive the 400 Bad Request described above.
curl -X POST \
  -H "Authorization: Basic T1FVMF9GeVJRY2R2VEZieWd6aUZ3NjdBU0h3YToza0M2VWY5ZjhMcjhIVmwybjAzZGhRYzU3SnNh" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  -d 'grant_type=refresh_token&scope=openid%20profile&refresh_token=7a7da99d70d48e10ac82e3681c63b0a1' \
  "https://identity-dev.domain.pt/oauth2/token"
Any help is welcome!
Upvotes: 1
Views: 2055
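The questioner's suspicion about the USER_DOMAIN=null clause rests on a general SQL rule: comparing anything to NULL with = yields UNKNOWN, so a WHERE clause containing USER_DOMAIN = NULL never matches a row, while USER_DOMAIN IS NULL (MySQL also offers the NULL-safe <=>) does. The script below is an added example written for this page, not code from the question, the answer or WSO2; it rebuilds a cut-down IDN_OAUTH2_ACCESS_TOKEN in SQLite with constructed rows that mirror what the question observed (a password-grant token with USER_DOMAIN 'PRIMARY' and a newer authorization_code token with USER_DOMAIN NULL) and runs the lookup with both predicates. The backfill function only illustrates what "the domain being PRIMARY" would change for the original predicate; it is not the vendor fix, which is the JIRA-referenced release on this page, and whether this NULL comparison is the exact root cause of that issue is not claimed here.

```python
import sqlite3

# Added example (not WSO2 code): stand-in for IDN_OAUTH2_ACCESS_TOKEN with only
# the columns the failing query filters or returns. Column names follow the query
# quoted in the question; every row below is constructed for this demo.
SCHEMA = """
CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
    TOKEN_ID         TEXT PRIMARY KEY,
    REFRESH_TOKEN    TEXT NOT NULL,
    AUTHZ_USER       TEXT NOT NULL,
    TENANT_ID        INTEGER NOT NULL,
    USER_DOMAIN      TEXT,             -- nullable, as observed in the question
    TOKEN_SCOPE_HASH TEXT NOT NULL,
    TIME_CREATED     TEXT NOT NULL
);
"""

USER = "michael.pinheiro"
TENANT = -1234
SCOPE_HASH = "369db21a386ae433e65c0ff34d35708d"   # scope hash taken from the logged query

# Two tokens for the same user/tenant/scope: one issued by the password grant
# (USER_DOMAIN = 'PRIMARY'), then a newer one by authorization_code (USER_DOMAIN NULL).
# The password-grant refresh token value is made up; the other is the one in the question.
ROWS = [
    ("tok-password",   "0f1e2d3c4b5a69788796a5b4c3d2e1f0", USER, TENANT, "PRIMARY", SCOPE_HASH, "2016-12-15 12:30:00"),
    ("tok-authz-code", "7a7da99d70d48e10ac82e3681c63b0a1", USER, TENANT, None,      SCOPE_HASH, "2016-12-15 12:38:00"),
]


def open_db():
    """Create the in-memory stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES (?, ?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def latest_refresh_token(conn, domain, null_safe=False):
    """Newest refresh token for the user/tenant/scope, filtered on USER_DOMAIN.

    null_safe=False reproduces the predicate in the logged query (USER_DOMAIN = <value>).
    With a NULL value that comparison is UNKNOWN for every row, so nothing matches.
    null_safe=True uses IS, which treats NULL as a comparable value (MySQL spells it <=>).
    """
    op = "IS" if null_safe else "="
    sql = f"""
        SELECT REFRESH_TOKEN
          FROM IDN_OAUTH2_ACCESS_TOKEN
         WHERE AUTHZ_USER = ? AND TENANT_ID = ? AND USER_DOMAIN {op} ?
           AND TOKEN_SCOPE_HASH = ?
         ORDER BY TIME_CREATED DESC
         LIMIT 1
    """
    row = conn.execute(sql, (USER, TENANT, domain, SCOPE_HASH)).fetchone()
    return row[0] if row else None


def backfill_primary_domain(conn):
    """Illustration only: rewrite NULL USER_DOMAIN rows to 'PRIMARY' so the
    original '=' predicate can find them. Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE IDN_OAUTH2_ACCESS_TOKEN SET USER_DOMAIN = 'PRIMARY' WHERE USER_DOMAIN IS NULL"
    )
    return cur.rowcount


def demo():
    conn = open_db()
    results = {
        # authorization_code token looked up as the log shows: no row -> invalid_grant
        "eq_null": latest_refresh_token(conn, None),
        # the same row is found once the predicate is NULL-safe
        "is_null": latest_refresh_token(conn, None, null_safe=True),
        # password-grant token: '=' works because the column holds a real value
        "eq_primary_before": latest_refresh_token(conn, "PRIMARY"),
    }
    results["backfilled"] = backfill_primary_domain(conn)
    # after the backfill the newer authorization_code token is what '=' returns
    results["eq_primary_after"] = latest_refresh_token(conn, "PRIMARY")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the asymmetry the question describes: the lookup with "= NULL" returns nothing for the authorization_code token while the same query with 'PRIMARY' finds the password-grant token, and the NULL-safe predicate finds the NULL-domain row without touching the data.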
Reputation: 1361
This issue has already been reported in [1] and fixed in later releases. See the fix in the JIRA link. You can try APIM 2.0.0 with IS 5.2.0 configured as the key manager.
[1] https://wso2.org/jira/browse/IDENTITY-4322
Upvotes: 1