thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

examples : "Test Refresh Token" example unclear #1314

Closed jwoehr closed 1 year ago

jwoehr commented 1 year ago

Testing the refresh token grant example always returns {"error":"invalid_request","error_description":"The refresh token is invalid.","hint":"Cannot decrypt the refresh token","message":"The refresh token is invalid."}

Probably I am misunderstanding the instruction in the README.md, but once I understand, I'll submit a PR for the README.md

```shell
$ curl -X "POST" "http://localhost:4444/client_credentials.php/access_token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: 1.0" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=myawesomeapp" \
  --data-urlencode "client_secret=abc123" \
  --data-urlencode "scope=basic email"
{"token_type":"Bearer","expires_in":3600,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJteWF3ZXNvbWVhcHAiLCJqdGkiOiI2OWIwNzQ0YjcxNDFlNWVlNmVkYTVlYjI4MDI1N2RmYWE3YTA3NzhlYmIzYzNlZWY1ODJhYjE0ZDM3YWU3YzRhZDMxODAxYWI0YTRlOWYyYyIsImlhdCI6MTY2ODk3OTI4My44MDQwMywibmJmIjoxNjY4OTc5MjgzLjgwNDAzNiwiZXhwIjoxNjY4OTgyODgzLjgwMzg0NSwic3ViIjoiIiwic2NvcGVzIjpbImJhc2ljIiwiZW1haWwiXX0.Emr7RzUXnsNOQ3-AYfFvSLHNAl7mawvIBPyCzf8FocdtNUSjDo_7_EOr4pipapMWgfVmVUSE4kJ9wBIOnE_rF9AvzxZbcu6i7HtOcLDZHJZBkEJkAToS9awYAE483y7ivXu-b0PF7nvy8PfME9XTB-LwNT0b4PNeQSAtnDyj7aMa0LFNkb-qB4rXH-zxixbZ8iElqDHa_vKBj2kzMNYhV1LKg4D4Ry-rrkha-wk7RTQ3CrkL93d_krHelzH5GpqT7f2HcAOGNU2tSl_B2uNd5fZy6eFvb-sjcScgmtg8pbXJj_eI31L7JU3AWDlkh7VllFgG9T_NjouyJVOX1Gx6nw"}
$ curl -X "POST" "http://localhost:4444/refresh_token.php/access_token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: 1.0" \
  --data-urlencode "grant_type=refresh_token" \
  --data-urlencode "client_id=myawesomeapp" \
  --data-urlencode "client_secret=abc123" \
  --data-urlencode "refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJteWF3ZXNvbWVhcHAiLCJqdGkiOiI2OWIwNzQ0YjcxNDFlNWVlNmVkYTVlYjI4MDI1N2RmYWE3YTA3NzhlYmIzYzNlZWY1ODJhYjE0ZDM3YWU3YzRhZDMxODAxYWI0YTRlOWYyYyIsImlhdCI6MTY2ODk3OTI4My44MDQwMywibmJmIjoxNjY4OTc5MjgzLjgwNDAzNiwiZXhwIjoxNjY4OTgyODgzLjgwMzg0NSwic3ViIjoiIiwic2NvcGVzIjpbImJhc2ljIiwiZW1haWwiXX0.Emr7RzUXnsNOQ3-AYfFvSLHNAl7mawvIBPyCzf8FocdtNUSjDo_7_EOr4pipapMWgfVmVUSE4kJ9wBIOnE_rF9AvzxZbcu6i7HtOcLDZHJZBkEJkAToS9awYAE483y7ivXu-b0PF7nvy8PfME9XTB-LwNT0b4PNeQSAtnDyj7aMa0LFNkb-qB4rXH-zxixbZ8iElqDHa_vKBj2kzMNYhV1LKg4D4Ry-rrkha-wk7RTQ3CrkL93d_krHelzH5GpqT7f2HcAOGNU2tSl_B2uNd5fZy6eFvb-sjcScgmtg8pbXJj_eI31L7JU3AWDlkh7VllFgG9T_NjouyJVOX1Gx6nw"
{"error":"invalid_request","error_description":"The refresh token is invalid.","hint":"Cannot decrypt the refresh token","message":"The refresh token is invalid."}
```
Sephster commented 1 year ago

You get a refresh token with the Auth Code grant so when you issue that call, you should get an access token and a refresh token back. You can then use the refresh token in the refresh token request. The client credentials grant doesn't issue one. Apologies for any confusion caused with this.
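The exchange above can be diagnosed without any server access by looking at what was actually submitted in the `refresh_token` field: it is the RS256-signed JWT access token from the first response, and the server's own hint ("Cannot decrypt the refresh token") shows it expected an encrypted, opaque value instead. The following is an added example, not code from the issue or from the oauth2-server project; it takes the access token exactly as posted above, decodes its header and claims (without verifying the signature, so it is a diagnostic only, not a validation) and reports why that value can never succeed as a refresh token. The `OPAQUE_TOKEN` value is a constructed stand-in for a refresh token, and the claim that the library's refresh tokens are encrypted blobs rather than JWTs is inferred from the error hint in the post.

```python
import base64
import json

# Access token returned by the client_credentials call in the issue above
# (copied verbatim from the post).
ACCESS_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJhdWQiOiJteWF3ZXNvbWVhcHAiLCJqdGkiOiI2OWIwNzQ0YjcxNDFlNWVlNmVkYTVlYjI4MDI1N2RmYWE3YTA3NzhlYmIzYzNlZWY1ODJhYjE0ZDM3YWU3YzRhZDMxODAxYWI0YTRlOWYyYyIsImlhdCI6MTY2ODk3OTI4My44MDQwMywibmJmIjoxNjY4OTc5MjgzLjgwNDAzNiwiZXhwIjoxNjY4OTgyODgzLjgwMzg0NSwic3ViIjoiIiwic2NvcGVzIjpbImJhc2ljIiwiZW1haWwiXX0."
    "Emr7RzUXnsNOQ3-AYfFvSLHNAl7mawvIBPyCzf8FocdtNUSjDo_7_EOr4pipapMWgfVmVUSE4kJ9wBIOnE_rF9AvzxZbcu6i7HtOcLDZHJZBkEJkAToS9awYAE483y7ivXu-b0PF7nvy8PfME9XTB-LwNT0b4PNeQSAtnDyj7aMa0LFNkb-qB4rXH-zxixbZ8iElqDHa_vKBj2kzMNYhV1LKg4D4Ry-rrkha-wk7RTQ3CrkL93d_krHelzH5GpqT7f2HcAOGNU2tSl_B2uNd5fZy6eFvb-sjcScgmtg8pbXJj_eI31L7JU3AWDlkh7VllFgG9T_NjouyJVOX1Gx6nw"
)

# Constructed stand-in for an opaque refresh token: a single encrypted blob with
# no dot-separated JSON header, which is what a refresh-token endpoint expects
# to decrypt. The bytes are made up for this example.
OPAQUE_TOKEN = "def502009f3a1c7e55b0d4a2e8c1f6b7a9d0e3c2b1a0f9e8d7c6b5a4938271605f4e3d2c1b0a"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str):
    """Return (header, claims) if the string is shaped like a JWS compact
    serialization, else None. The signature is NOT checked: this is for
    inspecting what a client sent, never for accepting it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return header, claims


def classify_token(token: str) -> dict:
    """Say whether a submitted string is a JWT (an access token, in this
    library's setup) or an opaque blob (what a refresh token looks like)."""
    decoded = decode_jwt_unverified(token)
    if decoded is None:
        return {"kind": "opaque", "verdict": "not a JWT; could be an encrypted refresh token"}
    header, claims = decoded
    return {
        "kind": "jwt",
        "alg": header.get("alg"),
        "typ": header.get("typ"),
        "claims": claims,
        "verdict": "a signed JWT access token; it will never decrypt as a refresh token",
    }


def access_token_lifetime(claims: dict) -> float:
    """Seconds between issue and expiry; should match expires_in (3600 here)."""
    return float(claims["exp"]) - float(claims["iat"])


def explain_refresh_failure(submitted: str) -> str:
    """One-line diagnosis of why the refresh_token grant rejected the value."""
    info = classify_token(submitted)
    if info["kind"] == "jwt":
        scopes = ",".join(info["claims"].get("scopes", []))
        return (f"submitted value is an {info['alg']} JWT for aud={info['claims'].get('aud')} "
                f"scopes=[{scopes}]; that is the access token, not a refresh token")
    return "submitted value is opaque; check it came from a grant that issues refresh tokens"


if __name__ == "__main__":
    info = classify_token(ACCESS_TOKEN)
    print(info["verdict"])
    print("lifetime (s):", access_token_lifetime(info["claims"]))
    print(explain_refresh_failure(ACCESS_TOKEN))
    print(explain_refresh_failure(OPAQUE_TOKEN))
```

Running it prints that the posted value is an RS256 JWT for `aud=myawesomeapp` with scopes `basic,email` and a 3600 second lifetime, which is exactly the access token from the client credentials response; as the answer above says, a refresh token only comes back from a grant that issues one, such as the authorization code grant.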