I have an OAuthV2 policy in my proxy, linked to a /token endpoint. Because I want to support exchanging both an authorization code, and a refresh token for an access token on the same endpoint, I deliberately haven't specified an Operation, but opted for 2 SupportedGrantTypes in stead: authorization_code and refresh_token. Here's the entire policy code:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessToken">
<DisplayName>GenerateAccessToken</DisplayName>
<Properties/>
<Attributes/>
<ExternalAuthorization>false</ExternalAuthorization>
<SupportedGrantTypes>
<GrantType>authorization_code</GrantType>
<GrantType>refresh_token</GrantType>
</SupportedGrantTypes>
<GenerateResponse enabled="true"/>
<Tokens/>
<RefreshToken>request.formparam.refresh_token</RefreshToken>
</OAuthV2>
The RefreshToken property shouldn't be necessary because that's supposed to be the default anyway, but I've added it just to make sure.
When using the authorization_code GrantType, everything is working fine. However, when I use the refresh_token GrantType, I receive the error: {"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}.
To make sure the refresh token I'm using isn't actually invalid, I've created a separate endpoint, specifically with RefreshAccessToken as Operation. In this case, the exact same request (only different url) does result in a new access token. This is looking like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="RefreshToken">
<DisplayName>RefreshToken</DisplayName>
<Properties/>
<Attributes/>
<ExternalAuthorization>false</ExternalAuthorization>
<Operation>RefreshAccessToken</Operation>
<SupportedGrantTypes/>
<GenerateResponse enabled="true"/>
<Tokens/>
</OAuthV2>
Does anyone have an idea why it doesn't work when combining the authorization_code and refresh_token grant types?
LinkedIn
Twitter
