"Invalid Token!" error message when trying to refresh oauth token

Description
We have implemented oauth flow with zoom (https://marketplace.zoom.us/docs/guides/auth/oauth) and in general it works great. However, we are seeing that after a few days, the calls to refresh the oauth token start to fail and token can never be refreshed. Users are forced to re-authenticate with the app.

Error

We get this response:

{"reason":"Invalid Token!","error":"invalid_request"}

Note that it works for a few days at least for a user before it starts failing. We make sure to save the latest refresh token with each refresh. Decoding jwt token that we get back, it does not appear to be expired, etc.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
Oauth

Which Endpoint/s?

We do a POST to:

https://zoom.us/oauth/token?grant_type=refresh_token&refresh_token=[....]

with Authentication header included.

How To Reproduce (If applicable)

N/A

Screenshots (If applicable)
N/A

Additional context

Refresh for the same user will succeed for some time and then will start failing eventually. There is no consistency as to how long it takes before it starts happening but it’s as little as a few days.

3 Likes

Hey @laimonas,

We have gotten no additional reports of refresh failing. I am guessing this could be an issue on your end with saving the latest refresh token.

Can you see if you have any failed database update logs when saving the new access token?

Thanks,
Tommy

We will try adding more logging around refreshing the tokens and see what we get. We will report back if anything changes, usually we can run into a case in a couple of days.

1 Like

Thanks @laimonas, please let me know! :slight_smile:

-Tommy

Just encountered the error again but of course logging was off … we adjusted the logging and deployed. Fingers crossed we will run into this soon enough :slight_smile:

Let us know when we can lend a hand @laimonas :slight_smile:

Hey all,

I’m observing the same error on token refresh on multiple Zoom accounts. Lots of tokens (different accounts) do refresh well, the error is not consistent.

@tommy @michael.zoom If that helps, I can send you account ids and redacted refresh tokens which result in “invalid_token” error.

Hey @hsintegration,

Yes, please send those details in a private message and we will take a look.

Thanks,
Tommy

Yes. I am also facing the same issue while refreshing a token.

I am not able to understand why zoom api generates new refresh_token, while getting access_token.
If application failed to store refresh_token (assume for some reason), it leads to a faulty situation.
In this case end user has to do oAuth verification again.

Also, why 15 years expire time for refresh_token?
Anyway access_token would expire in 1 hour. And we need to get new refresh_token.

This is totally against the concept of refresh_token. refresh_token should not be changed while getting access_token.

Thanks,
JK
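Added example, not code from any poster or from Zoom: a simulation of the situation discussed above, where a new refresh token is issued on every refresh and the application must always send the latest one. `FakeTokenEndpoint`, `TokenStore`, the user id `u1` and the rule that only the most recently issued refresh token is accepted are assumptions; the in-process lock stands in for whatever serialization (for example a database row lock) a real deployment uses.

```python
import secrets
import threading

INVALID = {"reason": "Invalid Token!", "error": "invalid_request"}  # body quoted in the thread

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint that rotates refresh tokens."""
    def __init__(self):
        self.valid = {}                      # user -> the only refresh token accepted
        self._lock = threading.Lock()

    def authorize(self, user):
        with self._lock:
            self.valid[user] = secrets.token_hex(8)
            return self.valid[user]

    def refresh(self, user, refresh_token):
        with self._lock:
            if self.valid.get(user) != refresh_token:
                return dict(INVALID)
            self.valid[user] = secrets.token_hex(8)   # rotation retires the old token
            return {"access_token": secrets.token_hex(8),
                    "refresh_token": self.valid[user]}

class TokenStore:
    """Keeps the latest refresh token; read, refresh and save share one lock."""
    def __init__(self, endpoint):
        self.endpoint, self.tokens = endpoint, {}
        self._lock = threading.Lock()        # assumption: stands in for a DB row lock

    def refresh(self, user):
        with self._lock:
            resp = self.endpoint.refresh(user, self.tokens[user])  # read under lock
            if "refresh_token" in resp:
                self.tokens[user] = resp["refresh_token"]          # save before unlock
            return resp

def simulate(workers=8):
    endpoint = FakeTokenEndpoint()
    store = TokenStore(endpoint)
    store.tokens["u1"] = endpoint.authorize("u1")
    snapshot = store.tokens["u1"]             # worker B reads the token early
    first = store.refresh("u1")               # worker A refreshes and rotates it
    stale = endpoint.refresh("u1", snapshot)  # worker B sends the retired token
    results = []
    threads = [threading.Thread(target=lambda: results.append(store.refresh("u1")))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return first, stale, results
```

`simulate()` returns the successful first refresh, the rejection a worker gets when it sends a token read before the rotation, and the results of eight concurrent refreshes that all succeed because each one reads and saves the token under the same lock.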

Hey @jk1,

Thanks for your feedback. We will take it into consideration.

The refresh token lasts for 15 years so you have a good amount of time to get a new access token if there is little user activity.

-Tommy

Hi @tommy

This is exactly what is happening for us as well. Please look into it asap. We are always storing a new refresh token. Once the user is authenticated we store the refresh token. And if we use that refresh token to generate access token it throws {"reason":"Invalid Token!","error":"invalid_request"}

But the same code in my development works. I’m not sure what’s wrong with your API. Please get back to us asap.

Thanks in advance.

Hey @picktime,

Double check you are using the production key and secret in your production environment when setting the basic authorization header.

Thanks,
Tommy

Hi @tommy

We are pretty sure that we are sending the right client id and secret.

What’s exactly happening is refresh token is being generated when the user first connects to Zoom. Once he gets connected we are saving the refresh token and on the next api call when we are trying to generate a new access token with that refresh token it throws unauthorized error 401 {"reason":"Invalid Token!","error":"invalid_request"}.

Again we are pretty sure we are using the live client id and secret for the calls.

@tommy we are continuing to see this happen and had to put in a workaround: deleting user’s authorization and having them re-connect. It really leads to confusing experience.

I just sent you an example that we have logged when failure occurs. It includes the exact refresh token and the auth header. Hopefully that helps to narrow down where the issue is happening.

Hey @picktime, @laimonas,

We investigated this error, and for some people they were making GET request instead of POST request to refresh the token.

Can you both confirm you are making a POST request?

Thanks,
Tommy

Confirming that we are doing POST.

I would imagine if we did GET it would fail all the time? In our case it works, just not always. And we can confirm that we are not reusing the refresh token, on successful refresh, we store the new refresh token.

Hi @tommy

We confirm that we are not using GET. We are using only POST. It is working in development with dev client id & secret. It’s just not working in live. We are pretty sure that we are using live client id and secret and we are using POST. Everything seems to work except generating new access token with the latest refresh token. Can you please resolve this asap.

Ya. I understood refresh token lasts for 15 years. But as soon as access token expires, we need to store the latest refresh token. Eventually 15 years validity is not needed here.

Basically refresh token should not be generated every time while getting new access token.

I am trying to develop an OAuth app, and getting the error: { reason: 'Invalid Token!', error: 'invalid_request' }. When I initially get the access tokens and try to refresh them using refresh token (when the access token hasn’t expired), it works. The refreshed access token also works for API calls. But after a while (not sure how long) when I try to run the same refresh action, I get the above error.

2 Likes

Hi @tommy,

We are experiencing a similar issue with our integration when using both production and development credentials. This issue doesn’t seem to consistently occur (it’s on a random basis) so it has been difficult to narrow down the culprit. We experienced this when we were using an OAuth gem (with Ruby) for the integration and got the same error when doing this with Postman manually, so our guess is Zoom isn’t recognizing the tokens we were originally provided in the request.

The only resolution we have for this is to ask our users to disconnect and reconnect their account, which isn’t acceptable and leads to a very poor UX. Please advise on anything we can do to possibly speed up this investigation.