
I'm using Passport on Laravel 5.5, receiving error when trying to refresh access token - only on production server - local dev environment works fine!

This is the error returned:

{
"error": "invalid_request",
"message": "The refresh token is invalid.",
"hint": "Token is not linked to client"
}

I've verified that the tokens and clients exist on the database, are not expired, have not been revoked, are stored correctly etc.

Because the system is a multi-tenant system (with each tenant having its own database) I did not create passport clients using the command

php artisan passport:client

instead I copied the passport oauth_clients table and contents for each tenant - so that each tenant uses the same client credentials for e.g. logging in from the frontend and logging in from the app (but with different endpoints).

I'm at a loss as to why it's working fine on my local machine but not production.

Does anyone know what exactly php artisan passport:client does besides creating a row in oauth_clients table?

I'm thinking that perhaps something more than just copying the oauth_clients table contents is needed.

Any advice appreciated! Thanks

jeremyj11

2 Answers


Well after digging around in vendor code I fixed the problem by modifying

vendor/league/oauth2-server/src/Grant/RefreshTokenGrant.php

function validateOldRefreshToken

changed

if ($refreshTokenData['client_id'] !== $clientId) {
    $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
    throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
}

to

if ($refreshTokenData['client_id'] != $clientId) {
    $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
    throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
}

Even though $clientId was matching, the function is passed a string (as required) but $refreshTokenData['client_id'] is an integer.

fml.

RAUSHAN KUMAR
jeremyj11

The message "The refresh token is invalid" seems misleading in the case OP described. Actually, this exception is raised during type checking of the passed client_id param. For me the datatype of the passed param (client_id) was a string, which should be a number (int) instead.

Changing following

client_id: "2"

To

client_id: 2

resolved my issue.

Note: It is not recommended to alter the vendor code. Instead, please look at the datatype of the client_id parameter in the payload.

Waqas