question

Upvotes
Accepted
16 0 3 7

OAuth2 does not work with refresh_token in RDP

Hello,

We are using RDP to fetch news (/data/news/v1). We use OAuth2 to authenticate (https://api.refinitiv.com/auth/oauth2/v1/token) using a username/password at first and then the refresh_token we get from the response. We realized that after the actual token expiration we cannot retrieve a new one using the refresh_token because we get {"error":"invalid_grant"}. It seems like the refresh token expires before or exactly the time when the actual token expires making it impossible to get new token. Can you please investigate the issue from you side?


rdp-apiauthenticationtokenoauth
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
Accepted
56k 145 45 65

@pevangelidis

I may relate to the token policy associated with your account.

I checked with my machine. I can use the refresh_token grant type after 10 minutes.

1666079958333.png

As I know, there is a strict token policy that the refresh token will expire in 10 minutes. As mentioned by my colleagure, you can contact your Refinitiv account team to verify which the token policy is associated with your account.


1666079958333.png (56.7 KiB)
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
17.2k 47 13 19

Hi @pevangelidis,

Have you tried the quickstart and tutrorials for RDP. There are samples in Python , Java, Postman which you can try and get familiar with the API.

When you use Refresh token, please ensure that grant type is not password

{
    "refresh_token": refreshToken,
    "username": USERNAME,
    "grant_type": "refresh_token"
}
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
16 0 3 7

Hello @Gurpreet ,

Thank you for the response! I saw the tutorial and have the following remarks:

  • Although in the documentation you mention that username is only used for password_grand, in the examples you also use it with refresh_token as well (refresh_token=****&username=****&grant_type=refresh_token). This does not seem compliant with OAuth 2.0 specification and of course causes issues to us who use a standard library for authorization (https://github.com/golang/oauth2). Could you please update either the documentation or the examples?1666014558523.png
  • The issue still persists. The flow is the following:
  • username=****&password=****&grant_type=password&scope=trapi -> we get a correct token and works for our requests
  • 10 minutes pass
  • grant_type=refresh_token&refresh_token=****&username=**** -> {"error":"invalid_grant" }

I can reproduce the error both in my golang code and with simple curl requests. Let me know if you want any more information from me.

Thank you in advance.


1666014558523.png (23.6 KiB)
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
17.2k 47 13 19

Hi @pevangelidis,

I checked the API and the username is not required for the refresh grant. I will update the mistake in the tutorial. Before we start debugging your credentials, can you please download the python samples, and see if you are able to get access and renew using refresh token.

Instructions on running the sample are provided in the quickstart tab.

>>> python rdpToken.py
Getting OAuth access token...
Getting a new token using Password Grant...
Read credentials from file
Saving the new token
Received an access token


>>> python rdpToken.py
Getting OAuth access token...
Existing token read from: token.txt
Token expired, refreshing a new one...
Read credentials from file
Saving the new token
Received an access token
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
16 0 3 7

Hi @Gurpreet ,

Thank you for the python script it seems very useful for debugging! Here is the output:

$ python rdpToken.py
Getting OAuth access token...
Getting a new token using Password Grant...
Saving the new token
Received an access token
$ python rdpToken.py
Getting OAuth access token...
Existing token read from: token2.txt
Received an access token

After 5 to 10 minutes:

$ python rdpToken.py
Getting OAuth access token...
Existing token read from: token2.txt
Token expired, refreshing a new one...
Refresh token expired, using Password Grant...
Saving the new token
Received an access token

It seems like the refresh token is not long lived and expires with the access token. It means that we can never use a refresh token but only username/password which is not safe.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
17.4k 34 12 12

Hello @pevangelidis

Based on the Limitations and Guidelines for the RDP Authentication Service article, the Refresh Token can expire in 15 minutes and can be extended (by using the refresh grant type request) to the next 15 minutes, but not exceed 18 hours.

However, your test result shows that the Refresh Token expired in 5 to 10 minutes only.

I highly recommend you contact your Refinitiv representative to verify your RDP account permission.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
16 0 3 7

Hi @Gurpreet ,

Thank you for the python script it seems very useful for debugging! Here is the output:

  
                
  1. $ python rdpToken.py
  2. Getting OAuth access token...
  3. Getting a new token using Password Grant...
  4. Saving the new token
  5. Received an access token
  
                
  1. $ python rdpToken.py
  2. Getting OAuth access token...
  3. Existing token read from: token2.txt
  4. Received an access token

After 5 to 10 minutes:

  
                
  1. $ python rdpToken.py
  2. Getting OAuth access token...
  3. Existing token read from: token2.txt
  4. Token expired, refreshing a new one...
  5. Refresh token expired, using Password Grant...
  6. Saving the new token
  7. Received an access token

It seems like the refresh token is not long lived and expires with the access token. It means that we can never use a refresh token but only username/password which is not safe.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.