Issue with refreshing access token

api

#1

Hi

We have been experiencing an issue with using the refresh token to get a new access token and were hoping someone could help.

After a user has first authenticated, we store both the refresh token and the access token, which expires after 3600 seconds. We then make the following POST call after this time:

https://app.asana.com/-/oauth_token?grant_type=refresh_token&client_id=AAA&client_secret=AAA&redirect_uri=https://test.com/im/asanas&refresh_token=AAA

and get the following response, as expected:

{"access_token"=>"AAA", "token_type"=>"bearer", "expires_in"=>3600, "data"=>{"id"=>1, "gid"=>"1", "name"=>"Scott", "email"=>"scott@aaa.com"}}

However, when this new access token expires after another 3600 seconds, we make the exact same call again using the original refresh token, but this time get a failed response:

{"error"=>"invalid_authorization", "error_uri"=>"https://asana.com/developers/documentation/getting-started/authentication", "error_description"=>"The authentication scheme \"Bearer\" is invalid"}

Can anyone shed any light on why the first call works, but after that we just get failed responses?

Thanks
Scott


#2

Those OAuth processes are so hard :sweat_smile: @Diakoptis any idea? I think I succeeded but don’t recall how…


#3

Hi @Scott_Sherwood,

This error means you are sending an invalid Authorization header when refreshing the token. Check to make sure that your outgoing request doesn’t contain any auth header with user credentials. If the Authorization header is present, it is only allowed to contain Basic auth with the OAuth app’s credentials, not the user’s credentials.


#4

To build on @Joe_Trollo’s answer, if I recall correctly, you shouldn’t have to pass an Authorization header when making your POST request to https://app.asana.com/-/oauth_token - all the credential-y stuff is in the URL parameters every time. (I think that’s right :crossed_fingers:)

I could imagine the scenario where the first request doesn’t have the Authorization header but the second one does (for instance, logic like “If you have credentials, set the header for every request” would trigger this case). @Scott_Sherwood can you check to see if this seems like it might be happening?

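
An added example (not Asana's code and not from any poster) of the refresh client #3 and #4 describe: the user's Bearer header inherited from the API session is stripped before the refresh POST, a Basic header carrying the app's credentials is the only Authorization kept, and the error shape from #1 is turned into a hard failure instead of a silently stale token. It assumes the endpoint accepts the standard form-encoded body (used here instead of the query string in the thread so the client secret stays out of URL logs); all token and client values are constructed placeholders.

```python
"""Refresh an OAuth access token without leaking the user's Bearer header."""
import json
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://app.asana.com/-/oauth_token"  # endpoint from the thread


def build_refresh_request(refresh_token, client_id, client_secret,
                          redirect_uri, session_headers=None):
    """Return a urllib Request for the refresh_token grant.

    Headers copied from the API session are filtered: an Authorization
    header is kept only if it is Basic auth (the app's own credentials).
    A "Bearer <user access token>" header is dropped, because the token
    endpoint answers it with error=invalid_authorization (post #1).
    """
    headers = {}
    for name, value in (session_headers or {}).items():
        if name.lower() == "authorization" and not value.startswith("Basic "):
            continue  # the user's Bearer token must not reach the token endpoint
        headers[name] = value
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    body = urlencode({  # same parameters as the thread's URL, sent in the body
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "refresh_token": refresh_token,
    }).encode()
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")


def apply_token_response(store, raw_json):
    """Update the token store from the endpoint's JSON reply.

    Returns the new access token on success. The error reply shown in the
    thread raises PermissionError so the caller never keeps using a dead
    access token or misreads the failure as a network problem.
    """
    resp = json.loads(raw_json)
    if "error" in resp:
        raise PermissionError(
            f"{resp['error']}: {resp.get('error_description', '')}")
    store["access_token"] = resp["access_token"]
    store["expires_in"] = resp["expires_in"]
    # The reply in the thread carries no new refresh_token, so the
    # original one stays in the store and is reused next time.
    return store["access_token"]
```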

#5

Hi

Thanks both for the help here, that’s been really useful and pointed me in the right direction, much appreciated.

Scott