Forum Discussion

zachtines's avatar
zachtines
Contributor
5 months ago

Refresh Token not returned from accessToken endpoint

For the Community API, Using the OAuth 2.0 grant flow, we're able to successfully retrieve an access token from the /api/2.0/auth/accessToken endpoint.

However, in it's response the refresh_token field is not returned. As a result we are then unable to refresh the token via /api/2.0/auth/refreshToken.

Here is the response we're getting from /api/2.0/auth/accessToken:

 

{
"status":"success",
"message":"",
"http_code":200,
"data":{
"access_token":"REDACTED",
"lithiumUserId":"REDACTED",
"token_type":"bearer",
"userId":"REDACTED",
"expires_in":3600
}
}

 

  • AdamN's avatar
    AdamN
    Khoros Oracle
    4 months ago

    Hi zachtines , I'd suggest checking whether the account you're using to login has Auto Sign-in enabled. If so, the refresh token will not be returned. This is what the "Note" on this page is referring to: https://developer.khoros.com/khoroscommunitydevdocs/reference/request-auth-token-oauth

    One thing that's not clear from the documentation is that disabling Auto Sign-in via the admin will not resolve this issue for existing accounts, since the preference will have already been stored in the existing account. You would need to login to the UI with the account and disable Auto Sign-in in the individual account's preferences.

    I hope this helps!

    • zachtines's avatar
      zachtines
      Contributor
      4 months ago

      Hey AdamN! Thanks for the suggestion and insight. Do you know the path in the Account Preferences of where that's located at the user level? We're not seeing it on our end.

      • zachtines's avatar
        zachtines
        Contributor
        4 months ago

        AdamN Also seems like the Note vs your reply is a little conflicting.

        "Make sure that the Turn-off Auto Sign-in checkbox is cleared"

        vs

        "... checking whether the account you're using to login has Auto Sign-in enabled. If so, the refresh token will not be returned."

        To confirm, we want Auto Sign in disabled, thus the admin setting SHOULD be checked. correct?

        Then from the individual user we also want their account preferences to have this disabled as well?

    • internal_eic's avatar
      internal_eic
      Contributor
      2 months ago

      Hi AdamN

      I'm facing the similar issue.

      The Turn-off Auto Sign-in checkbox is enabled in the Community Admin > System > Auto Signin / Cookies. If we clear it to generate both access token and refresh token, then will it have any impact?

       

  • AdamN's avatar
    AdamN
    Khoros Oracle
    4 months ago

    zachtines Thanks for flagging the conflicting information. Despite how the setting is named, it appears the documentation is actually correct... Having the setting unchecked will allow a refresh token to be generated. I'll flag this for our product and docs team to see if we can improve this.

    I would give that a try first, and if it's still not working for your individual user account, you would normally find it under My Settings > Personal > Auto-Signin Options

    • zachtines's avatar
      zachtines
      Contributor
      4 months ago

      Hey AdamN thanks for the clarification!

      Regarding the personal settings path, This doesn't seem to be available under the account in question whom of which is also a Khoros Community Admin. Under Mysettings > Personal we only have the following options:

      Username, Email, Personal Information, Likes Weight Override, and Close Account