Hey folks,
I have just tested the latest docker image (oryd/hydra:v1.4.2 at time of writing), and using the REST API I have gone through the normal process to set up a new client, noting its id and secret.
I then go through the auth code flow and get the auth code; going back to the REST API I can then successfully exchange it for an Access Token and Refresh Token.
The normal Refresh Token endpoint also works, and I can continue to refresh it and use the new tokens, so the happy path functionality all works OK.
However, if I attempt to refresh a token with an invalid token, I was expecting to get an invalid_grant error but I get an invalid request message instead:
{
"error": "invalid_request",
"error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
"error_hint": "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
"status_code": 400
}
I know the message is otherwise well formed, as it works fine with a valid RefreshToken. I have also tested the AccessToken endpoint, providing an invalid auth code, and I get the invalid_grant message as below:
{
"error": "invalid_grant",
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
"error_hint": "The authorization code has already been used.",
"status_code": 400
}
As you can see in that error description of the invalid_grant, it explicitly mentions this error is expected with an invalid refresh token.
Is there some configuration I need to make sure I get the correct invalid_grant error message for an invalid refresh_token?
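The distinction the post is asking about matters on the client side: a client written to RFC 6749 section 5.2 reacts differently to invalid_grant (refresh token is dead, re-authorize) than to invalid_request (the request itself is malformed, which is a client bug). The following is an added illustration, not Hydra's code or anything from the post; it parses the two response bodies quoted above (copied here as constructed samples, in Hydra's error shape with its extra error_hint and status_code members) and shows which action a spec-following client would take for each.

```python
import json
from dataclasses import dataclass

# Constructed sample bodies, copied from the two responses quoted in the post above.
INVALID_REQUEST_BODY = """{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
  "error_hint": "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
  "status_code": 400
}"""
INVALID_GRANT_BODY = """{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
  "error_hint": "The authorization code has already been used.",
  "status_code": 400
}"""

@dataclass
class TokenError:
    error: str          # RFC 6749 section 5.2 error code (mandatory)
    description: str    # error_description, optional in the spec
    hint: str           # error_hint is a Hydra extension, not in RFC 6749
    status_code: int

def parse_token_error(body: str) -> TokenError:
    """Parse a token endpoint error body. Raises ValueError when the mandatory
    'error' member is missing, so a garbage response is never misread as a code."""
    data = json.loads(body)
    if not isinstance(data.get("error"), str):
        raise ValueError("token endpoint error body has no 'error' member")
    return TokenError(
        error=data["error"],
        description=data.get("error_description", ""),
        hint=data.get("error_hint", ""),
        status_code=int(data.get("status_code", 400)),
    )

# What a client should do when the refresh_token grant fails, keyed on the spec code.
REFRESH_ACTIONS = {
    "invalid_grant": "reauthorize",        # refresh token dead: discard it, run the auth code flow again
    "invalid_client": "fix_client_auth",   # client id/secret rejected: do not retry blindly
    "invalid_request": "fix_request",      # request malformed: a client bug, not a token problem
}

def refresh_action(err: TokenError) -> str:
    """Map a refresh_token grant error to a client action. Under the behaviour
    reported above, a dead refresh token arrives as invalid_request, so this
    spec-following client flags a bug instead of sending the user to re-authorize."""
    return REFRESH_ACTIONS.get(err.error, "escalate")
```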