I made a mistake in one of my clients and forgot to set the refresh_token.
I use oauth2 within spring-boot version 1.4.2.RELEASE. I try to get an access-token with a refresh-token but do not set the refresh token:
Request:
---> POST http://XXX/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Content-Length: 24
Authorization: Basic XXX
grant_type=refresh_token
Response:
<--- HTTP/1.1 500 (78ms)
Transfer-Encoding: chunked
X-Frame-Options: DENY
Cache-Control: no-store
X-Content-Type-Options: nosniff
Connection: close
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Application-Context: XXX
Date: Fri, 06 Jan 2017 12:36:41 GMT
Content-Type: application/json;charset=UTF-8
{"error":"server_error","error_description":null}
I think it would be better if the code would be 400 with the description “refresh token not present” or similar. That would have helped me.
I had the same issue.
The problem seems to lie in the RefreshTokenGranter class, since it is not checked if the value of the refresh_token is not set. See: https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java#L46
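One way to get the 400 response asked for in this thread is to check the parameter before it reaches the token services. The following is an added example, not code from the project or from either poster; the class name `ValidatingRefreshTokenGranter`, the package name and the error message are assumptions. It relies on `InvalidRequestException`, which the framework renders as HTTP 400 with `"error":"invalid_request"`, the error code RFC 6749 section 5.2 assigns to a missing required parameter.

```java
package example; // hypothetical package name

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.util.StringUtils;

/**
 * Hypothetical subclass (not part of spring-security-oauth) that rejects a
 * refresh_token grant whose refresh_token parameter is absent or blank,
 * so the client sees a 400 invalid_request rather than a 500 server_error.
 */
public class ValidatingRefreshTokenGranter extends RefreshTokenGranter {

    public ValidatingRefreshTokenGranter(AuthorizationServerTokenServices tokenServices,
                                         ClientDetailsService clientDetailsService,
                                         OAuth2RequestFactory requestFactory) {
        super(tokenServices, clientDetailsService, requestFactory);
    }

    @Override
    protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
        // Same lookup the stock granter performs, but validated first.
        String refreshToken = tokenRequest.getRequestParameters().get("refresh_token");

        // hasText() is false for null, "" and whitespace-only values, which
        // covers both an omitted parameter and "refresh_token=" with no value.
        if (!StringUtils.hasText(refreshToken)) {
            // Fixed message: nothing from the request is echoed back.
            throw new InvalidRequestException("Missing required parameter: refresh_token");
        }

        // Parameter is present: continue with the normal refresh flow.
        return super.getAccessToken(client, tokenRequest);
    }
}
```

A granter set through `AuthorizationServerEndpointsConfigurer.tokenGranter(...)` replaces the default set, so this class would normally be registered inside a `CompositeTokenGranter` together with the granters for the other grant types in use.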