OAuth2 does not work with refresh_token in RDP

Hello,

We are using RDP to fetch news (/data/news/v1). We use OAuth2 to authenticate (https://api.refinitiv.com/auth/oauth2/v1/token) using a username/password at first and then the refresh_token we get from the response. We realized that after the actual token expiration we cannot retrieve a new one using the refresh_token because we get {"error":"invalid_grant"}. It seems like the refresh token expires before or exactly the time when the actual token expires making it impossible to get new token. Can you please investigate the issue from you side?

Find more posts tagged with

authentication

token

oauth

rdp-api

Accepted answers

Jirapongse

@pevangelidis

I may relate to the token policy associated with your account.

I checked with my machine. I can use the refresh_token grant type after 10 minutes.

As I know, there is a strict token policy that the refresh token will expire in 10 minutes. As mentioned by my colleagure, you can contact your Refinitiv account team to verify which the token policy is associated with your account.

All comments

Gurpreet

Hi @pevangelidis,

Have you tried the quickstart and tutrorials for RDP. There are samples in Python , Java, Postman which you can try and get familiar with the API.

When you use Refresh token, please ensure that grant type is not password

{
    "refresh_token": refreshToken,
    "username": USERNAME,
    "grant_type": "refresh_token"
}

pevangelidis

Hello @Gurpreet ,

Thank you for the response! I saw the tutorial and have the following remarks:

Although in the documentation you mention that username is only used for password_grand, in the examples you also use it with refresh_token as well (refresh_token=****&username=****&grant_type=refresh_token). This does not seem compliant with OAuth 2.0 specification and of course causes issues to us who use a standard library for authorization (https://github.com/golang/oauth2). Could you please update either the documentation or the examples?
The issue still persists. The flow is the following:
username=****&password=****&grant_type=password&scope=trapi -> we get a correct token and works for our requests
10 minutes pass
grant_type=refresh_token&refresh_token=****&username=**** -> {"error":"invalid_grant" }

I can reproduce the error both in my golang code and with simple curl requests. Let me know if you want any more information from me.

Thank you in advance.

Gurpreet

Hi @pevangelidis,

I checked the API and the username is not required for the refresh grant. I will update the mistake in the tutorial. Before we start debugging your credentials, can you please download the python samples, and see if you are able to get access and renew using refresh token.

Instructions on running the sample are provided in the quickstart tab.

>>> python rdpToken.py
Getting OAuth access token...
Getting a new token using Password Grant...
Read credentials from file
Saving the new token
Received an access token


>>> python rdpToken.py
Getting OAuth access token...
Existing token read from: token.txt
Token expired, refreshing a new one...
Read credentials from file
Saving the new token
Received an access token

pevangelidis

Hi @Gurpreet ,

Thank you for the python script it seems very useful for debugging! Here is the output:

$ python rdpToken.py
Getting OAuth access token...
Getting a new token using Password Grant...
Saving the new token
Received an access token

$ python rdpToken.py
Getting OAuth access token...
Existing token read from: token2.txt
Received an access token

After 5 to 10 minutes:

$ python rdpToken.py
Getting OAuth access token...
Existing token read from: token2.txt
Token expired, refreshing a new one...
Refresh token expired, using Password Grant...
Saving the new token
Received an access token

It seems like the refresh token is not long lived and expires with the access token. It means that we can never use a refresh token but only username/password which is not safe.

wasin.w

Hello @pevangelidis

Based on the Limitations and Guidelines for the RDP Authentication Service article, the Refresh Token can expire in 15 minutes and can be extended (by using the refresh grant type request) to the next 15 minutes, but not exceed 18 hours.

However, your test result shows that the Refresh Token expired in 5 to 10 minutes only.

I highly recommend you contact your Refinitiv representative to verify your RDP account permission.

Jirapongse

@pevangelidis

I may relate to the token policy associated with your account.

I checked with my machine. I can use the refresh_token grant type after 10 minutes.

pevangelidis

Hi @Gurpreet ,

Thank you for the python script it seems very useful for debugging! Here is the output:

$ python rdpToken.pyGetting OAuth access token...Getting a new token using Password Grant...Saving the new tokenReceived an access token

$ python rdpToken.pyGetting OAuth access token...Existing token read from: token2.txtReceived an access token

After 5 to 10 minutes:

$ python rdpToken.pyGetting OAuth access token...Existing token read from: token2.txtToken expired, refreshing a new one...Refresh token expired, using Password Grant...Saving the new tokenReceived an access token

It seems like the refresh token is not long lived and expires with the access token. It means that we can never use a refresh token but only username/password which is not safe.

EXPLORE OUR SITES