Identity Server 4 /connect/token return 400 Bad Request when using grant_type:refresh_token
I'm using Identity Server 4 as the Identity Provider for an Anuglar SPA. The application authenticates and authorizes fine, however, randomly we encounter an issue where the logged user is suddenly kicked out, well within the token lifetime. When we inspect the network logs, we realized that the /connect/token endpoint with the grant_type: refresh_token returns a 400. So my assumption is that when the application tries to get a new token using the refresh token, the operation fails.
Following are the client details for the FE application:
[AllowOfflineAccess] = true
[IdentityTokenLifetime] = 300,
[AccessTokenLifetime] = 3600,
[RefreshTokenUsage] = true,
[AbsoluteRefreshTokenLifetime] = 2592000,
[SlidingRefreshTokenLifetime] = 1296000,
[RefreshTokenExpiration] = true
Like I said, this behavior is random, so we can't pinpoint why it's happening.
Any thoughts?
Attached a screenshot of the network log showing the error:
Could it be that one of the cookies involved expires? or that there are duplicate requests for the refresh token (if you use on-time-refresh tokens) if so you might get logged out.
If you see duplicate requests, that depends on how and what library (if any) you use to request new access tokens.
The other option if you can't solve it, is to disable one-time refresh tokens in IdentityServer (RefreshTokenUsage). see https://docs.duendesoftware.com/identityserver/v6/tokens/refresh/
- Identityserver from duende behind caddy has http in the openid config
- How to send email id when calling identity server 4 to login
- IdentityServer token issuer claim missing port number in issued JWT token
- Identity Server 4 - Unable to authenticate user
- How to find out to use best flow in IdentityServer?
- Identityserver 4 in docker compose The remote certificate is invalid according to the validation procedure
- Deploying .net Core 3 linux container on azure web app container with IdentityServer4 certification/http error
- Login to multiple Apps with IdentityServer4
- duende identity server 6.2 session managment
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- .net core 3.1 Google SSO Callback url not hit
- What are stored in PersistedGrant table for IdentityServer
- .NET 8 upgrade: OIDC correlation failure with IdentityServer4 on HTTP when using machine name instead of localhost
- Login with Microsoft External Account -Issue when the user cancels the consent prompt during authentication
- Error in configuring identity server. The cookie '.AspNetCore.Identity.Application' has set 'SameSite=None' and must also set 'Secure'
- In Identity Server 4, I have a User's identity but 0 Claims
- Is there a way to connect/disconnect external OpenId providers IdentityServer 4 "on the fly"
- Clarification on Identityserver 4 protecting API scopes with ApiResources
- Exchanging azure AD token with Identity server token
- IdentityServer4 and SSO
- Invalid_client using OpenIdConnect in client application
- "Key vault reference error" in azure web app configuration setting
- why offline_access scope is needed to request refresh token in IdentityServer (OAuth2)?
- Identity Server 4 ASP.NET Quickstart 'refused connection'
- Bearer token not set as expected
- Setting up JWT authentication using the Identity Server and get access token
- ApiResource vs ApiScope vs IdentityResource
- C# .Net Core API Authorized route with Identity Server 4
- User.Identity.Name is null after local login
- Error with Identity Server and Client App