Expected behavior
After going through the OAuth 2.0 authorization code flow and obtaining an access token and refresh token, I'd expect to be able to exchange the refresh token for a new access token.
$ curl -X POST -F 'grant_type=refresh_token' \ -F 'refresh_token=MY_REFRESH_TOKEN' \ -F 'client_id=MY_CLIENT_ID' \ -F 'client_secret=MY_CLIENT_SECRET' \ https://meta.wikimedia.org/w/rest.php/oauth2/access_token {"token_type":"Bearer","expires_in":9223371259704000000,"access_token":"MY_ACCESS_TOKEN","refresh_token":"MY_REFRESH_TOKEN"}
Observed behavior
I'm unable to get a new access token.
$ curl -X POST -F 'grant_type=refresh_token' \ -F 'refresh_token=MY_REFRESH_TOKEN' \ -F 'client_id=MY_CLIENT_ID' \ -F 'client_secret=MY_CLIENT_SECRET' \ https://meta.wikimedia.org/w/rest.php/oauth2/access_token {"error":"invalid_request","error_description":"The refresh token is invalid.","hint":"Token has expired","message":"The refresh token is invalid."}
To do
- See if someone else can reproduce this error.
- Check the value of $wgOAuth2RefreshTokenTTL on Meta.