Web API 2 Owin Refresh Token doesn't work and return invalid_grant before its expiry time

Question

Refresh token works fine for 2 to 3 days but after few days it stops working.

On Authentication call for

grant_type = refresh_token

IIS return Bad request 400 with error message

{error : "invalid_grant"}

temporary solution

it works fine by restarting/recycling API instance on IIS.

Unable to find what is the issue with the IIS or the Owin why it works fine for few days while i have set an expiry time of 30 days for the refresh token.

This is the code used for refresh token

    var token = new RefreshToken()
    {
        RefreshTokenId = refreshTokenId,
        ClientId = clientid,
        UserEmail = context.Ticket.Identity.Name != clientid ? context.Ticket.Identity.Name : null,
        IssuedOn = DateTime.UtcNow,
        ExpiresOn = DateTime.UtcNow.AddDays(30)
    };

    context.Ticket.Properties.IssuedUtc = token.IssuedOn;
    context.Ticket.Properties.ExpiresUtc = token.ExpiresOn;

    token.ProtectedTicket = context.SerializeTicket();

I will be thankful for Any help regarding this issue.

I've added a provisional answer on the assumption that your refresh token is intended to be longer lived than your access token, but it's expiring when your refresh token does. If that's not the case, please let me know and I'll delete my answer. — ProgrammingLlama, Oct 12 '17 at 08:51
What is the expiration time of the access token? Can you add the provider code where the refresh token request is handled? — , Oct 12 '17 at 15:06
I have the same problem, but mine work just for some hours although I set the expiration to some month... — Mohamad MohamadPoor, Jan 02 '18 at 13:37
@GhulamMohayudin Did you find any solution for this? We are facing the same issue. — Ashutosh Chamoli, Apr 02 '19 at 13:36
@GhulamMohayudin Any suggestions on what we can try, for us, the API generates token at inconsistent times. And what you have tried out till now? — Ashutosh Chamoli, Apr 03 '19 at 09:50

score 0 · Answer 1 · answered Nov 17 '19 at 13:21

0

IIS by default recycles your app pool by calling a garbage collector to clear the memory on every 20 minutes, So if you store the refresh tokens in the ram (ex: a static dictionary or whatever data structure) they will be cleaned after the recycling. That's why the refresh tokens will no longer be valid even if their life time is longer.

answered Nov 17 '19 at 13:21

Hosam.Yousof

107
9

i have described in my question it works 2 to 3 days some time, not 20 minutes – Ghulam Mohayudin Apr 24 '20 at 07:42

Web API 2 Owin Refresh Token doesn't work and return invalid_grant before its expiry time

1 Answers1