Using a refresh token does not return a new refresh_token

Question

Created Aug ’20

Replies 5

Boosts 1

Views 2.8k

Participants 6

When I use the Generate and Validate Tokens endpoint with an Authorization Grant Code, the endpoint returns a refresh_token and id_token among other things.

When the id_token expires, I can use the refresh_token to create a new one.

However, when I use the refresh token on this endpoint, it doesn't return a new refresh_token. Why is that?

Boost

Answer 1

cristianocucco OP

Sep ’20

Hi, did you solve the issue?
I'm getting the same problem... when validating a refreshtoken I get a tokenResponse with accesstoken and without refreshtoken. It seems reasonable except when I try to validate again the same refreshtoken I receive an "invalid_grant" error

1

Answer 2

tr-stan OP

Oct ’20

Yeah I'm getting the same issue too. It's frustrating because I looked through and am posting everything as Apple wants:

Code Block  {
grant_type: 'refresh_token',
refresh_token: myRefreshToken,
redirect_uri: myRedirectUri,
client_id: myClientId, 
client_secret: mySecretToken,
}

and it doesn't send back a new refresh_token in its response. And I also tried using the accessToken that's returned in the response and get a 400 error status code. I really don't know what I'm doing wrong if I'm missing something, or if Apple just has an error there.

0

Answer 3

biodi101 OP

Apr ’22

Because the original refresh token never expires, you can use it over and over until user revokes acces to app or changes password

0

Answer 4

Contoso OP

Jul ’23

Original refresh token never expires, agreed. But it can be invalidated by making changes to user profile. After such user actions, Apple will return invalid_grant. So far so good. But why is there a throttle limit of one request per day. Moreover access token issued by Apple expires in 3600 seconds.

1

Answer 5

dbtl88 OP

Sep ’24

I would really like an answer to this last question.

If the idea is that our API server gets a refresh + access token, then passes the access token to the (user side) app client, which they then use as a bearer token to access resources on the API server (at least, I think this is what is implied by the rather not-too-great docs), then you want to be able to either verify the access token on every request to your API server, which includes checking its validity. If it's nearing expiry, you should use the refresh token to request a new access token.

If you have access token validity at 1h, and throttling on token endpoint calls at 1 per day, that's a big fail.

Anyhow, I'd really like to know apple's preferred way of doing this, without us either (1) rolling our own token issuing on our servers; or (2) relying on a service such as Cognito in the middle to handle token issuing.

0