OAuth 2 token refresh fails #5798
Comments
vivaladan
added
B-bug
|
Should be fixed in #5763 @vivaladan can you still reproduce this in 2023.1.0-beta.3 ? |
|
I think it's unrelated to #5763, I can reproduce. I was checking logs and found that the difference in the refresh token request was that it was missing client_id and client_secret from the body. Which led me to look at the select list option called 'Credentials' which has the options 'In Request Body' and 'As Basic Auth Header (Default)'. On previous versions '2022.7.0' and prior, this setting didn't affect refreshing. Which is correct as per the spec 'The Client sends the parameters via HTTP POST to the Token Endpoint using Form Serialization'. I found that setting it explicitly to 'In Request Body' fixes the issue for me in newer versions. But I would suggest caution because from what I can tell (according to the spec) it should always be passed within the body at least for refresh requests. I'm attempting to confirm whether this is correct behaviour. |
|
@vivaladan To add to this, |
|
This is still happening on 2023.2.2. |
|
Concur. I rolled back to 2022.7.0 and will stay there until this doesn't break all my collections. @filfreire Currently not fixed. The setting should not effect token refreshes. |
|
Still having the issue with Version: Insomnia 2023.4.0 As workaround use |
|
Hello I confirm the workaround : in oauth2 advanced options , set credentials : "in request body" according to oauth2 spec, the Client, here insomnia, MUST authenticate to the Token Endpoint using the authentication method registered for its client_id. authentication method includes HTTP Basic authentication, including the Client Credentials in the request body etc… I have analyzed the timeline file with details of the refresh token request: I confirm that the needed Authentication http header is missing. as a consequence, insomnia obtain a http 400 error with this content: {"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"} |
Expected Behavior
Refreshing tokens whether manually or automatically should work. It previously worked, but one of the more recent updates seems to have broken it.
Actual Behavior
Clicking refresh shows
[oauth2] Failed to refresh token url=https://[omitted]/connect/token status=400
A work around is to clear and fetch tokens again, where it gets issued a new id/access/refresh token. I have taken the refresh token and tested manually that it works.
It seems that something insomnia is passing with the connect/token request, perhaps in the body, is not correct and the identity server is rejecting it with a 400.
I'm unable to dig into any details about the request. There is no 'response timeline' button like a successful OAuth 2 request would give.
Another work around is to roll back to 2022.7.0 which can refresh correctly
Reproduction Steps
Is there an existing issue for this?
Additional Information
Both 2023.1.0-beta.3 and 2022.7.5 have this problem.
Insomnia Version
2022.7.5
What operating system are you using?
macOS
Operating System Version
Ventura 13.2.1
Installation method
downloaded from insomnia.rest. also auto update.
Last Known Working Insomnia version
2022.7.0
The text was updated successfully, but these errors were encountered: