1

I am using django-oauth-toolkit version 1.1.2 to get access_token as seen below:-

Request:-

POST http://localhost:8597/login

{
    "application_id": "cuOt3raxH9ClbCrbbgP68iU6ssfO2N78TplxwlMq",
    "username": "test@gmail.com",
    "password": "test",
    "grant_type": "password"
}

Response:-

{
    "type": "success",
    "shortDescription": "User Logged in",
    "longDescription": "User logged in successfully",
    "success": "User Logged in",
    "success_message": "User logged in successfully",
    "data": {
        "access_token": "RXMXGNl2HqYJMVkCBkrrMU5aYFS8uU",
        "expires_in": 31536000,
        "token_type": "Bearer",
        "scope": "read write",
        "refresh_token": "wsLetw7c2Q56k07XoisWkEa7SYxORb",
        "user": {
            "id": "c7d9f8ee-5e87-4a70-9c07-6a2e8c13a50a",
            "created_at": "2019-11-21T16:55:45.817324+05:30",
            "email": "test@gmail.com",
            "first_name": "Test",
            "last_name": "User",
            "is_deleted": false,
            "is_email_verified": true,
            "last_login": "2020-02-19T11:17:24.656615+05:30",
            "landline_country_code": "us",
            "landline_number": "3242343434",
            "mobile_country_code": "us",
            "mobile_number": "34234234324",
            "role": "USER",
            "designation": "software engineer",
            "is_active": true
        }
    }
}

Now I want to use this 'refresh_token' to get a new access_token. I am making the following request:-

Request:-

POST http://localhost:8597/o/token/

{
    "grant_type": "refresh_token",
    "client_id": "sHPPirW86SuOwDOfhxmag1fZ9oRCpHFS24wrZj00",
    "refresh_token":"wsLetw7c2Q56k07XoisWkEa7SYxORb"
}

Response:-

{
    "error": "invalid_grant"
}

There is something wrong with this request. Can you please guide me on how to fix it? Thanks.

Sachin Singh

1 Answer

0

The request looks alright. But do note that we'll also get the same invalid_grant error when the token is invalid. Since the toolkit uses refresh token rotation by default, this also includes the case when the refresh token has already been used, resulting in the same request working the first time and then failing with an invalid_grant error on all subsequent tries, which I suspect might be the case with your request.

In addition, you may also want to check the refresh token object for that particular token used in your request and see if it has already been revoked or not.

WaterGenie
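The rotation behaviour described in the answer above, as an added example that is not part of the original answer and is not django-oauth-toolkit's own code: a constructed in-memory model of a rotating refresh token store, showing the first refresh succeeding, a replay of the same token failing with invalid_grant, and the client continuing with the rotated token. The class, function and client id names are hypothetical; the "issued to another client" branch follows the invalid_grant definition in RFC 6749, section 5.2.

```python
import secrets
from datetime import datetime, timezone


class InvalidGrant(Exception):
    """Maps to the {"error": "invalid_grant"} response body."""


class RotatingTokenStore:
    """In-memory model of refresh token rotation (hypothetical, not toolkit code)."""

    def __init__(self):
        self._refresh = {}  # refresh_token -> {"client_id", "revoked"}

    def issue(self, client_id):
        refresh_token = secrets.token_urlsafe(24)
        self._refresh[refresh_token] = {"client_id": client_id, "revoked": None}
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": refresh_token,
                "token_type": "Bearer"}

    def refresh(self, client_id, refresh_token):
        row = self._refresh.get(refresh_token)
        # Unknown, issued to another client, or already used: same error for all.
        if row is None or row["client_id"] != client_id or row["revoked"]:
            raise InvalidGrant("invalid_grant")
        row["revoked"] = datetime.now(timezone.utc)  # rotation: single use
        return self.issue(client_id)

    def revoked_at(self, refresh_token):
        """Diagnostic lookup, like inspecting the stored refresh token object."""
        row = self._refresh.get(refresh_token)
        return row["revoked"] if row else None


def demo():
    store = RotatingTokenStore()
    client_id = "constructed-client-id"  # constructed sample value
    first = store.issue(client_id)
    second = store.refresh(client_id, first["refresh_token"])  # works once
    try:
        store.refresh(client_id, first["refresh_token"])  # replay of a used token
        replay = "ok"
    except InvalidGrant as exc:
        replay = str(exc)
    # The client must persist the rotated token and send that one next time.
    third = store.refresh(client_id, second["refresh_token"])
    return replay, store.revoked_at(first["refresh_token"]) is not None, third


if __name__ == "__main__":
    print(demo())
```

A client that keeps sending the refresh token from the original login response, rather than the one returned by the most recent refresh, will see the replay branch on every attempt after the first.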