In short, if a request is sent to the /token endpoint with both login credentials in the request body and a refresh token cookie, the above error is returned.
It's been reported that in at least some front end environments, cookies are sent automatically and therefore need to be cleared in order to make a successful call.
It's been suggested that the handling be changed so that if login credentials are provided, then the refresh cookie is ignored, and so is treated like a normal login request.
This was initially reported on WordPress.org:
In short, if a request is sent to the
/token
endpoint with both login credentials in the request body and a refresh token cookie, the above error is returned.It's been reported that in at least some front end environments, cookies are sent automatically and therefore need to be cleared in order to make a successful call.
It's been suggested that the handling be changed so that if login credentials are provided, then the refresh cookie is ignored, and so is treated like a normal login request.