RefreshToken expires at the same time as the AccessToken?

Oct 11, 2013 at 9:59 AM
Hi,
I am trying to use the OAuthAuthorizationServer and everything looks good. The only thing is that the RefreshToken doesn't work the way I thought it would.

For example, I set the AccessTokenExpireTimeSpan to 5 minutes within the OAuthAuthorizationServerOptions. After those 5 minutes the access token expired as expected.

Then I try to get a new one with the refresh token, but the only thing I get is a 400 because of invalid_grant.

That's because of this check within Owin.Security.OAuth.OAuthAuthorizationServerHandler.cs:
    if (!ticket.Properties.ExpiresUtc.HasValue ||
        ticket.Properties.ExpiresUtc < currentUtc)
    {
        _logger.WriteError("expired refresh token");
        validatingContext.SetError(Constants.Errors.InvalidGrant);
        return null;
    }
Now I don't know: is this really expected, that I can only refresh the access_token within the AccessTokenExpireTimeSpan, or am I doing something wrong?
Feb 19, 2014 at 10:10 PM
I've just discovered the same thing and am equally confused. I thought the idea behind refresh tokens was that they can be long-lived, unlike short-lived access tokens?
Feb 25, 2014 at 2:24 AM
I just discovered this as well! Is this a bug or are we going about the idea of refresh tokens the wrong way?
Jan 15, 2015 at 1:04 PM
Did you ever find a solution for the problem? A few days ago I discovered that I have the same problem. I also tried to set the expiration time in the RefreshTokenProvider, but that didn't solve the problem.

    if (context != null && context.Ticket != null && context.Ticket.Properties != null)
    {
        context.Ticket.Properties.ExpiresUtc = DateTime.Now.AddYears(1);
        context.SetToken(context.SerializeTicket());
    }
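
Added example, not part of any post in this thread and not Katana's own code: a refresh-token provider that issues the refresh ticket with its own ExpiresUtc (the value the check quoted in the first post reads) and goes one step further by making each refresh token single-use. The class name, the 14-day lifetime and the in-memory store are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

// Added example, not Katana's code. The class name, the 14-day lifetime and
// the in-memory store are assumptions made for illustration.
public class SingleUseRefreshTokenProvider : AuthenticationTokenProvider
{
    private static readonly TimeSpan RefreshLifetime = TimeSpan.FromDays(14);
    // Keyed by SHA-256 of the handle, so the store never holds a usable token.
    private static readonly ConcurrentDictionary<string, AuthenticationTicket> Store =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public override void Create(AuthenticationTokenCreateContext context)
    {
        // context.Ticket is the access token's ticket. Copy its properties so
        // the refresh ticket gets its own ExpiresUtc, the value the handler's
        // "expired refresh token" check compares against the current time.
        var props = new AuthenticationProperties(
            new Dictionary<string, string>(context.Ticket.Properties.Dictionary))
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(RefreshLifetime)
        };
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(raw); }
        string handle = BitConverter.ToString(raw).Replace("-", "");
        Store[Hash(handle)] = new AuthenticationTicket(context.Ticket.Identity, props);
        context.SetToken(handle);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        if (string.IsNullOrEmpty(context.Token)) return;
        AuthenticationTicket ticket;
        // TryRemove makes each handle single-use: a replayed or unknown handle
        // leaves the ticket unset and the handler rejects the request.
        if (Store.TryRemove(Hash(context.Token), out ticket))
            context.SetTicket(ticket);
    }

    private static string Hash(string value)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value)));
    }
}
```

It is wired in through the RefreshTokenProvider property of OAuthAuthorizationServerOptions; a real deployment would replace the static dictionary with a persistent store so that outstanding refresh tokens survive a restart and can be revoked.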