Refresh token endpoint returns invalid_request error (expecting invalid_grant)

Hey folks,

I have just tested the latest docker image (oryd/hydra:v1.4.2 at the time of writing), and using the REST API I have gone through the normal process to set up a new client, noting its id and secret.

I then go through the auth code flow and get the auth code; going back to the REST API, I can then successfully exchange it for an Access Token and Refresh Token.

The normal Refresh Token endpoint also works, and I can continue to refresh it and use the new tokens, so the happy-path functionality all works OK.

However, if I attempt to refresh a token with an invalid token, I was expecting to get an invalid_grant error, but I get an invalid_request message instead:

{
    "error": "invalid_request",
    "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed",
    "error_hint": "Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified.",
    "status_code": 400
}

I know the message is otherwise well-formed, as it works fine with a valid RefreshToken. I have also tested the AccessToken endpoint, providing an invalid auth code, and I get the invalid_grant message as below:

{
    "error": "invalid_grant",
    "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
    "error_hint": "The authorization code has already been used.",
    "status_code": 400
}

As you can see in that error description of the invalid_grant, it explicitly mentions this error is expected with an invalid refresh token.

Is there some configuration I need to make sure I get the correct invalid_grant error message for an invalid refresh_token?

There’s actually a PR for that already!

Awesome, thanks. I have tested this fix with 1.4.10, and it works correctly if I attempt to refresh a token with a non-existent/incorrect refresh token: it now returns invalid_grant. However, if I reduce the TTL on the tokens and attempt to refresh with an expired token, it still returns the old invalid_request error.

I assume this case should also return invalid_grant (the response message with invalid_grant suggests it covers this scenario too).

Nice catch! Would you mind opening an issue or PR? 🙂
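For anyone writing tests around this, here is an added example (written for this thread, not Ory Hydra's code) of a minimal refresh_token grant handler that returns the RFC 6749 §5.2 error codes for each failure discussed above: invalid_request only when the request itself is malformed, invalid_grant for an unknown, revoked, wrong-client or expired refresh token (the expired case from the follow-up included), and invalid_client for bad client credentials. It also includes the decision a client makes on each error, which is why the distinction matters. The in-memory store, client id/secret, token strings and function names are constructed for the demo and assume nothing about Hydra's internals.

```python
"""Minimal model of an OAuth 2.0 token endpoint's refresh_token grant.

Added example (not Ory Hydra's code). It assigns the RFC 6749 §5.2 error
codes so a client can tell "re-authenticate the user" (invalid_grant) apart
from "the request is malformed" (invalid_request). All fixtures are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RefreshToken:
    client_id: str
    expires_at: int          # unix time; constructed values in demo_store()
    revoked: bool = False


@dataclass
class TokenStore:
    clients: dict                                  # client_id -> client_secret
    refresh_tokens: dict = field(default_factory=dict)  # token value -> RefreshToken


def _error(code: str, description: str, status: int = 400) -> dict:
    # Same shape as the JSON error body quoted in the thread.
    return {"error": code, "error_description": description, "status_code": status}


def handle_refresh_grant(store: TokenStore, params: dict, now: int) -> dict:
    """Process one POST to the token endpoint with grant_type=refresh_token."""
    # 1. Malformed request (missing parameter, wrong grant_type) -> invalid_request.
    for name in ("grant_type", "client_id", "client_secret"):
        if name not in params:
            return _error("invalid_request", f"missing required parameter {name}")
    if params["grant_type"] != "refresh_token":
        return _error("unsupported_grant_type", "grant_type not supported here")
    if "refresh_token" not in params:
        return _error("invalid_request", "missing required parameter refresh_token")

    # 2. Client authentication failure -> invalid_client (constant-time compare).
    expected = store.clients.get(params["client_id"])
    if expected is None or not hmac.compare_digest(expected, params["client_secret"]):
        return _error("invalid_client", "client authentication failed", status=401)

    # 3. Anything wrong with the grant itself -> invalid_grant. One description
    #    covers unknown, expired, revoked and wrong-client tokens so the response
    #    does not reveal which one applied.
    bad_grant = _error("invalid_grant", "refresh token is invalid, expired, revoked "
                       "or was issued to another client")
    token = store.refresh_tokens.get(params["refresh_token"])
    if token is None:
        return bad_grant
    if token.revoked or now >= token.expires_at or token.client_id != params["client_id"]:
        return bad_grant

    # 4. Success: rotate (the presented token becomes unusable) and issue a new pair.
    token.revoked = True
    new_refresh = secrets.token_urlsafe(32)
    store.refresh_tokens[new_refresh] = RefreshToken(token.client_id, expires_at=now + 3600)
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "expires_in": 300, "refresh_token": new_refresh}


def client_action(response: dict) -> str:
    """What a well-behaved client does with a token endpoint response."""
    if "access_token" in response:
        return "use_new_tokens"
    return {
        "invalid_grant": "reauthenticate_user",        # session is over; retrying is pointless
        "invalid_client": "check_client_credentials",
        "invalid_request": "fix_request",              # client-side bug, not a token problem
    }.get(response.get("error"), "fail")


def demo_store() -> TokenStore:
    # Constructed fixtures: one live token, one expired, one revoked (clock is "now=1000").
    store = TokenStore(clients={"app-1": "s3cret"})
    store.refresh_tokens["rt-live"] = RefreshToken("app-1", expires_at=2000)
    store.refresh_tokens["rt-expired"] = RefreshToken("app-1", expires_at=900)
    store.refresh_tokens["rt-revoked"] = RefreshToken("app-1", expires_at=2000, revoked=True)
    return store


if __name__ == "__main__":
    store = demo_store()
    base = {"grant_type": "refresh_token", "client_id": "app-1", "client_secret": "s3cret"}
    # The second "rt-live" call shows rotation: a replayed refresh token is invalid_grant.
    for rt in ("rt-live", "rt-live", "rt-expired", "rt-revoked", "rt-unknown"):
        resp = handle_refresh_grant(store, {**base, "refresh_token": rt}, now=1000)
        print(rt, "->", resp.get("error", "ok"), "/", client_action(resp))
```

The point of keeping the codes apart is in client_action: invalid_grant is the signal to drop the session and send the user back through authorization, while invalid_request tells the developer the client itself built a bad request. A server that reports an expired or revoked token as invalid_request leaves clients unable to tell the two apart.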