softwerkab / fortnox-csharp-api-sdk

.NET SDK for Fortnox API.
MIT License

Refresh_Token Expires within a few hours #234

Open Khungersumit opened 2 years ago

Khungersumit commented 2 years ago

Hi

I see some issues with refresh_token.

After getting authCode, I got access_token (valid for 1 hr) and refresh_token (valid for 31 days, I saved in DB). After 1 hr access_token is expired and I generated a new access_token using the refresh_token (from my DB). Now I got new access_token and refresh_token (I updated the new refresh_token in my DB).

After a few hours (>7-8 hours) the API says "Request failed: Invalid refresh token".

That is not the expected behavior. Has anyone faced a similar issue before? :)

xpagedeveloper commented 2 years ago

I haven't seen any similar issue. I suggest you create some kind of audit log with the tokens, and create an issue with Fortnox support.

Mmmattias commented 2 years ago

Same issue here.

Created the token in the afternoon and the morning after it was invalid.

I guess this is not related to the C# client library but still a vital issue to solve if we are to be able to work with our integration.

richardrandak commented 2 years ago

Did you generate the tokens with the Fortnox SDK? If not, make sure to add the access_type=offline parameter to the authorization URL. Not doing that could result in a short-lived token, but that's just guessing. I have not encountered this issue myself.

Just so you know, this repository is not affiliated with Fortnox anymore. If you feel the issue is not caused by this library, please write directly to Fortnox official support and describe the problem to them.

Mmmattias commented 2 years ago

The token was created with the SDK but I spoke with the support instead since I noticed this repo wasn't maintained by Fortnox.

They however do not acknowledge that this error exists so I'll keep an eye out for it happening again before we go live.

yasirjanjua commented 2 years ago

I have been facing this same issue for the last 2 weeks. Our application is in production and now this issue has started appearing and is very frustrating for our customers as they need to reactivate the token. FYI, I am using access_type=offline. I thought it was an issue in my code but I just saw this thread where everyone faces this issue. Is there any solution for it?

I believe there is some sort of throttling on this endpoint: https://apps.fortnox.se/oauth-v1/token. Please solve this issue.

xpagedeveloper commented 2 years ago

I have apps that are running the SDK with multiple customers, and have done so for several months with no problem. Make sure that the functions that update the access and refresh tokens are blocking code.

yasirjanjua commented 2 years ago

@xpagedeveloper I am making blocking calls to refresh the tokens but the token gets invalidated on higher request rates. I sent 30 requests simultaneously and the error was reproducible.

Khungersumit commented 2 years ago

@yasirjanjua @Mmmattias

I can imagine how frustrating this issue was for me and can be for anyone 😀

Here are a couple of suggestions that you can follow:

1). Make sure there is only one user at a time generating/using the App and the generated auth creds. If 2 users (consider a dev and a QA) are using the same, then it is gonna produce the same issue.

2). As an alternative, ask your customer to re-authenticate the App and give consent to the required permissions whenever refresh_token expires.

Khungersumit commented 2 years ago

> I have apps that are running the SDK with multiple customers, and have done so for several months with no problem. Make sure that the functions that update the access and refresh tokens are blocking code.

Hi @xpagedeveloper, I see you have never had this issue. Can you please answer these questions?

1). How often do you generate access and refresh tokens?

2). What is the expected/average number of Apis calls per customer (for which you generate the tokens) on an average day you make?

xpagedeveloper commented 2 years ago

> 1). How often do you generate access and refresh tokens?

1-5 times per day and customer

> 2). What is the expected/average number of Apis calls per customer (for which you generate the tokens) on an average day you make?

Approx. 1-30 per customer and day

kkrogulski commented 1 year ago

If you login with the same Fortnox API user again, you invalidate the previous refresh token.

xpagedeveloper commented 1 year ago

> If you login with the same Fortnox API user again, you invalidate the previous refresh token.

Yes, if you request a new access token using a refresh token, any previous refresh tokens are invalid. If you authorize the same application again, that will make any previous refresh tokens invalid. If you login using the web with the user that validated the API access, that should not invalidate any refresh tokens.
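
The following C# example is added here and is not code from the SDK or from any commenter. It shows how serializing the refresh keeps simultaneous callers from each spending the same refresh token when, as described in the thread, using a refresh token invalidates the previous one. `FakeRotatingServer`, `TokenStore` and the token values are constructed for illustration; no Fortnox or SDK API is called.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
// Constructed scenario: 30 callers hit the same expired access token at once.
var server = new FakeRotatingServer();
var store = new TokenStore("a0", "r0", server.RefreshAsync);
var got = await Task.WhenAll(Enumerable.Range(0, 30).Select(_ => store.RenewAsync("a0")));
Console.WriteLine($"endpoint calls: {server.Calls}, distinct tokens: {got.Distinct().Count()}");

// Constructed stand-in for a token endpoint that rotates refresh tokens.
class FakeRotatingServer
{
    private readonly object _lock = new object();
    private string _valid = "r0";
    public int Calls;
    public async Task<(string, string)> RefreshAsync(string refresh)
    {
        await Task.Delay(20); // simulated network latency
        lock (_lock)
        {
            Calls++;
            if (refresh != _valid) throw new InvalidOperationException("Invalid refresh token");
            _valid = "r" + Calls;
            return ("a" + Calls, _valid);
        }
    }
}
// Hypothetical helper: at most one refresh in flight for a token pair.
class TokenStore
{
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private readonly Func<string, Task<(string, string)>> _refresh;
    private string _access, _refreshToken;
    public TokenStore(string access, string refresh, Func<string, Task<(string, string)>> call)
    { _access = access; _refreshToken = refresh; _refresh = call; }
    // staleAccess: the access token the caller found expired or rejected.
    public async Task<string> RenewAsync(string staleAccess)
    {
        await _gate.WaitAsync();
        try
        {
            if (_access != staleAccess) return _access; // already rotated while waiting
            (_access, _refreshToken) = await _refresh(_refreshToken); // persist both together (DB write here)
            return _access;
        }
        finally { _gate.Release(); }
    }
}
```

The gate only covers one process. Several instances or environments sharing the same stored token pair need a shared lock around the same read, refresh and write sequence, for example a database row lock.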