Closed scottmetoyer closed 2 years ago
Are you discarding the refresh tokens?
We're using this with Laravel Passport (password grant) and the refresh tokens are being saved in the oauth_refresh_tokens table.
The reason I ask about discarding is sometimes, when you use a refresh token, it is then marked as invalid but due to connection issues, you might not receive the corresponding new access token.
When you go to re-use the refresh token, it is no longer valid and you end up having to request a brand new access token/refresh token combo.
We addressed this in the library, allowing you to retain refresh tokens indefinitely until they are manually invalidated. In the AuthorizationServer class there is a function called revokeRefreshTokens() that handles this functionality.
I've checked and it looks like Passport doesn't use this toggle at present. Maybe @driesvints would consider a PR for it. I hope that is of use. Alternatively you might be able to customise your Passport instance to set this boolean.
I'm not entirely sure what's needed for that but if you attempt a PR we can go from there.
I'm seeing this error several times a day in our log:
The majority of auth requests are going through just fine; this only pops up occasionally and after the users have successfully authenticated and performed a few actions through our API.
Are there any additional troubleshooting steps or ideas for figuring this out?
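The lost-response case described earlier in the thread, as an added example that is not part of the original discussion and not code from the library or Passport. It is a simplified Python model; `TokenServer`, `revoke_on_use` and `simulate` are hypothetical names, with `revoke_on_use` standing in for the boolean that revokeRefreshTokens() is said to control.

```python
import secrets


class InvalidRefreshToken(Exception):
    pass


class TokenServer:
    """Toy model of a refresh-token grant (constructed for illustration)."""

    def __init__(self, revoke_on_use):
        self.revoke_on_use = revoke_on_use
        self.valid = set()  # refresh tokens the server still accepts

    def issue(self):
        access, refresh = secrets.token_hex(8), secrets.token_hex(8)
        self.valid.add(refresh)
        return access, refresh

    def manual_revoke(self, refresh):
        self.valid.discard(refresh)

    def refresh(self, refresh):
        if refresh not in self.valid:
            raise InvalidRefreshToken("refresh token revoked or unknown")
        if self.revoke_on_use:
            self.valid.discard(refresh)  # old token dies as soon as it is used
        return self.issue()


def refresh_with_lost_response(server, refresh):
    """The server handles the first request, but the reply never reaches the client."""
    server.refresh(refresh)  # processed server-side; response lost in transit
    try:
        return server.refresh(refresh)  # client retries with the token it still holds
    except InvalidRefreshToken:
        return None  # client must request a brand new token pair


def simulate(revoke_on_use):
    server = TokenServer(revoke_on_use)
    _, refresh = server.issue()
    retried = refresh_with_lost_response(server, refresh)
    return {
        "retry_succeeded": retried is not None,
        "live_refresh_tokens": len(server.valid),
    }


if __name__ == "__main__":
    print("revoke on use:", simulate(True))
    print("retain tokens:", simulate(False))
```

In this model, revoking on use makes the retry fail and leaves one valid refresh token that the client never received; retaining tokens lets the retry succeed but leaves three valid refresh tokens until they are manually invalidated.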