Refresh Token is invalid for users even though access token still works

I have a user in my app whose access token is valid, but when I try to refresh the token, the API says the refresh token is invalid. How is this possible?

Best Answer
36 REPLIES

@Pushparaj Then you're probably using an old refresh token. Were you able to successfully store the new refresh token the last time you refreshed the user's access token?

If possible, I would have the user revoke access to your app and then re-authenticate.

Andrew | Community Moderator, Fitbit

What motivates you?

Best Answer
0 Votes

Hi,

Yeah, the access token and refresh token were stored together, and there is no way that the access token got refreshed and stored and the refresh token didn't. Both were generated at the same time.

Best Answer

I believe I am seeing the same issue. In extremely rare cases (approximately 0.04%) when we try to get new tokens, we get an invalid_grant error saying the refresh token is bad. I have logged the first few characters of the token and can verify that we are using the most recently obtained refresh token.

Best Answer

I'm having a similar issue in that I have a refresh_token but when I use it, it's telling me it has expired.

I don't get the invalid_grant error as I don't try and use it more than once.
Any ideas?

Best Answer
0 Votes

The refresh token cannot be used more than once. We are getting the `invalid_grant` issue the first time it's used. We have tens of thousands of connected consumers and the failure happens only about 0.04% of the time.

Best Answer
0 Votes

If you PM me your client IDs with specific examples of users, then I can look into it. Also would be good to know when/how often this occurs.

Andrew | Community Moderator, Fitbit

What motivates you?

Best Answer
0 Votes

We have been seeing the issue for the last few days. Everything was working correctly for 3-4 months, but since last week we have started getting the Refresh token invalid error. This happens sporadically, generally after a few hours of authentication. I have verified that we are using the latest refresh token and only using it once.

What I don't understand is how it works for a few hours and then suddenly stops working. This makes it very difficult to debug.

Best Answer
0 Votes

In the past couple of weeks we've been experiencing a lot of Refresh token invalid problems. Can someone escalate this issue? The Fitbit API and our system had been running without problems for 6 months until 2 weeks ago.

Best Answer

@SteveWT @rohanj I've sent you both PMs asking for more information.

Best Answer
0 Votes

@DavidSFitbit wrote:

@SteveWT @rohanj I've sent you both PMs asking for more information.


@DavidSFitbit we've started seeing this issue happen in our app as well. Would you be able to help us troubleshoot? Are there any signs this is a wider API issue?

Best Answer

It sounds like I am also facing the same issue.

I sometimes get this error with my Fitbit account. But each time I tried to run the code that renews the refresh token it worked (I launched it multiple times).

Is it fixed for all of you that were impacted by this issue?

In our integration code, we assume that this error occurs only when the user revoked our authorization to access his Fitbit account, so we detach its Fitbit account from our application. Each time this error occurs we lose a Fitbit account. :(

Should we do that in our integration? What else can we do? As long as you have an invalid refresh token, you will no longer be able to get a new valid refresh token or a new valid access token. Unless the renew refresh token web service is not fully reliable, in which case a retry may work?

Thanks!

Best Answer
0 Votes

We are still seeing the issue here. It happens extremely rarely (we lose just a few customers a day out of tens of thousands, less than 0.01%, i.e. less than 1 in 10,000).

I tested disconnecting via Fitbit, but it was some time ago, so I don't remember exactly what happens, but it was not the invalid_grant error.

As AndrewFitbit requested in March, I sent some examples but have not heard back yet. It does seem to be happening less often now than it used to. I may just have more accurate data now, though. In the meantime, we disconnected several thousand consumers that were in this broken state and we now automatically disconnect consumers who no longer have access to our software.

We are unwilling to automatically disconnect consumers as a result of this error since it can also be caused by a misconfiguration of the API key and secret.

Best Answer
0 Votes

Thanks @rossiam for your answer.

I noticed this happens only with accounts we use to test the Fitbit integration. We have multiple test environments in addition to the production one and all of them use the same Fitbit dev account (maybe we should not?).

While I am connected to only one environment, it works. But as soon as I connect my account to another environment, I get this issue (not always at the first refresh but it always ends up happening).

When I revoke the access to our application from the Fitbit account manager and I reconnect it, I do not have the issue. It sounds like the authorization revocation clears everything associated with the account.

I don't know why using the same Fitbit account in multiple environments could cause this issue. Maybe because there are multiple valid refresh tokens associated with the same Fitbit account and client application that are sometimes renewed? As far as I know, this should be possible.

And I have just tested what happens when I revoke the authorization to our application. I get a 400 status code with the following body:

{"errors":[{"errorType":"invalid_grant","message":"Refresh token invalid: {myRefreshToken}. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."}],"success":false}

It is the reason why we chose to disconnect the consumer. Indeed, as soon as the refresh token is invalid, how can we have a chance to get another valid one?

But you are right, I did not think about a misconfiguration regarding the API key and secrets. In this case we would disconnect all of our customers. I am going to think about this question...

Have a good day!

Best Answer
0 Votes
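The trade-off raised in the posts above (disconnect on `invalid_grant`, or hold back because a bad key/secret would hit every user) can be handled by classifying the error body and gating per-user action on the recent failure rate. This is an added example, not code from Fitbit or from any poster; the action names, thresholds and the `ReauthGate` class are hypothetical, and it assumes a client-credential failure is reported as the RFC 6749 code `invalid_client` in the same `errors` envelope.

```python
import json
from collections import deque

# Constructed sample shaped like the 400 body quoted above; the token is a placeholder.
SAMPLE_BODY = ('{"errors":[{"errorType":"invalid_grant",'
               '"message":"Refresh token invalid: PLACEHOLDER"}],"success":false}')

def classify_refresh_failure(status, body):
    """Map a failed token refresh to an action name (names are hypothetical)."""
    try:
        types = {e["errorType"] for e in json.loads(body)["errors"]}
    except (ValueError, KeyError, TypeError):
        types = set()          # HTML error page, truncated body, unexpected shape
    if status >= 500 or status == 429 or not types:
        return "retry_later"   # transport or provider trouble: keep the stored tokens
    if "invalid_client" in types:
        return "check_client_config"   # assumed code: our key/secret, not the user
    if "invalid_grant" in types:
        return "needs_reauth"
    return "investigate"

class ReauthGate:
    """Holds back per-user action when invalid_grant becomes abnormally frequent."""

    def __init__(self, window=1000, max_rate=0.01, min_samples=100):
        self.outcomes = deque(maxlen=window)   # True where a refresh hit invalid_grant
        self.max_rate = max_rate               # well above the ~0.04% quoted in the thread
        self.min_samples = min_samples

    def record(self, verdict):
        """Record one refresh outcome ("ok" or a classifier verdict); return the action."""
        self.outcomes.append(verdict == "needs_reauth")
        if verdict != "needs_reauth":
            return verdict
        n = len(self.outcomes)
        if n >= self.min_samples and sum(self.outcomes) / n > self.max_rate:
            # A burst across many users points at configuration or the provider,
            # not at individual revocations: change nothing per user, page a human.
            return "hold_and_alert"
        # Flag the link and ask the user to re-authorize; do not delete the account link.
        return "mark_needs_reauth"
```
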

We are still experiencing this issue. I don't think it's the result of the user disconnecting from our app because it would also remove the subscriptions.

Best Answer
0 Votes

@sparkwatson, you are right, according to my tests I can confirm that when you revoke the authorization it removes the subscriptions. If it was not the case, you would continue to receive some information from Fitbit.

Moreover, I could easily reproduce this issue with my account (by using my account in multiple environments as described above) without revoking the authorization.

To sum up, we receive the same error message as if the user has revoked the authorization but it is not the case.

Best Answer
0 Votes

We would go days without a refresh token issue, now we're seeing about the same error rate as you (rossiam).

I came across this thread just now because ...

Our support team just approached me and said they are now sending a number of emails a day, every day, to have our customers re-authorize our application with Fitbit because Fitbit reported their refresh token was invalid. This looks to have started in/around early July, per my logs -- months after our last change to our Fitbit interface (which was just for logging).

Best Answer

I am still looking for a workaround. I was wondering whether there is any chance it can work if we immediately retry to refresh the token when we get this error. Did someone test this idea?

Best Answer
0 Votes

We pause for 2 seconds and then try one more time.  I didn't see in our logs where this was successful.

Best Answer
0 Votes

Indeed, I tried this tip and I got the same result in the second call. :(

Could someone from Fitbit help us fix this issue?

Best Answer