Invalid Refresh Token error for external Identity Provider

I am seeing the below error when I generate the refresh token from an external identity provider and try to store it in Apigee.

HTTP 400

{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}

I am trying to use the refresh token feature with an external identity provider. Below is my refresh token policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuthV2-Refresh-Token">
  <DisplayName>OAuthV2-Refresh-Token</DisplayName>
  <Properties/>
  <Attributes/>
  <Operation>RefreshAccessToken</Operation>
  <ReuseRefreshToken>true</ReuseRefreshToken>
  <StoreToken>true</StoreToken>
  <ExpiresIn ref="apigee.expires_in">1800000</ExpiresIn>
  <ExternalAccessToken>apigee.access_token</ExternalAccessToken>
  <ExternalAuthorization>true</ExternalAuthorization>
  <ExternalRefreshToken>apigee.refresh_token</ExternalRefreshToken>
  <RefreshTokenExpiresIn ref="apigee.expires_in">691200000</RefreshTokenExpiresIn>
  <RefreshToken>apigee.refresh_token</RefreshToken>
  <GenerateResponse enabled="true"/>
  <Tokens/>
</OAuthV2>

I have set the client ID, secret and grant_type in an AssignMessage policy as below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AV-RefreshTokenVariables">
  <DisplayName>AV-RefreshTokenVariables</DisplayName>
  <Properties/>
  <AssignVariable>
    <Name>oauth_external_authorization_status</Name>
    <Value>true</Value>
  </AssignVariable>
  <AssignVariable>
    <Name>request.formparam.client_id</Name>
    <Value>BAADBEEF</Value>
    <Ref>request.header.x-api-key</Ref>
  </AssignVariable>
  <AssignVariable>
    <Name>request.formparam.client_secret</Name>
    <Value>BAADBEEF</Value>
    <Ref>devapp.secret</Ref>
  </AssignVariable>
  <AssignVariable>
    <Name>request.formparam.grant_type</Name>
    <Value>refresh_token</Value>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

I have referred to the post below; I have ReuseRefreshToken set to true and the RefreshToken element set as well.

https://community.apigee.com/questions/20436/invalid-refresh-token.html

Any pointers on what configuration I may have missed to get this working?


Resolved this: I had the wrong input variable for the RefreshToken. I was using the newly generated refresh token that was returned from the IDP in the service callout response, instead of the one that was received in the request.

  <ExternalRefreshToken>apigee.refresh_token</ExternalRefreshToken>
  <RefreshTokenExpiresIn ref="apigee.expires_in">691200000</RefreshTokenExpiresIn>
  <RefreshToken>input.refresh_token</RefreshToken>
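As an added illustration of why the fix in the reply works (this is a toy model written for this page, not Apigee's code or anything posted in the thread), the following Python sketches the two distinct roles the policy's variables play: `<RefreshToken>` is the lookup key that must match a token Apigee already holds for the client, while `<ExternalRefreshToken>` is the new value from the IdP that gets persisted after that check passes. The class and function names, the token store shape, and the sample tokens are all assumptions constructed for the example.

```python
"""Toy model of the RefreshAccessToken lookup with an external IdP (constructed example)."""
from dataclasses import dataclass, field


class InvalidRefreshToken(Exception):
    """Raised when the refresh token presented by the client is not in the store."""


@dataclass
class TokenStore:
    # Assumed store shape: refresh token string -> client_id it was issued to.
    refresh_tokens: dict = field(default_factory=dict)


def refresh_access_token(store: TokenStore, request_refresh_token: str,
                         client_id: str, idp_response: dict) -> dict:
    """Model of RefreshAccessToken with ExternalAuthorization enabled.

    request_refresh_token  plays the role of <RefreshToken>: the value the
                           client sent in the request, checked against the store.
    idp_response           plays the role of the service callout response:
                           <ExternalAccessToken>/<ExternalRefreshToken> come
                           from here and are persisted only after the check.
    """
    owner = store.refresh_tokens.get(request_refresh_token)
    if owner != client_id:
        # Unknown lookup key: fail before storing anything (the thread's HTTP 400).
        raise InvalidRefreshToken(
            '{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}')

    new_refresh = idp_response["refresh_token"]
    if new_refresh != request_refresh_token:
        # Rotation: forget the presented token so it cannot be replayed later.
        del store.refresh_tokens[request_refresh_token]
        store.refresh_tokens[new_refresh] = client_id

    return {
        "access_token": idp_response["access_token"],
        "refresh_token": new_refresh,
        "expires_in": idp_response["expires_in"],
    }


# Constructed sample data: one refresh token already held for client-A, and the
# IdP's reply to a service callout that minted a fresh token pair.
IDP_RESPONSE = {"access_token": "at-new-222", "refresh_token": "rt-new-333", "expires_in": 1800}


def fresh_store() -> TokenStore:
    return TokenStore({"rt-old-111": "client-A"})


def misconfigured() -> str:
    """<RefreshToken>apigee.refresh_token</RefreshToken>: looks up the IdP's *new* token."""
    try:
        refresh_access_token(fresh_store(), IDP_RESPONSE["refresh_token"], "client-A", IDP_RESPONSE)
    except InvalidRefreshToken as exc:
        return str(exc)
    return "unexpected success"


def corrected() -> dict:
    """<RefreshToken>input.refresh_token</RefreshToken>: looks up the token from the request."""
    return refresh_access_token(fresh_store(), "rt-old-111", "client-A", IDP_RESPONSE)


if __name__ == "__main__":
    print("misconfigured:", misconfigured())
    print("corrected:   ", corrected())
```

The model also shows the defensive reason the lookup must use the request's token: validating the client-presented value is what ties the new IdP-issued tokens to a client Apigee already trusts, and rotating the old entry out of the store closes the window in which a leaked older refresh token could still be exchanged.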