
OAuth consumer installed multiple times -- can tokens be managed independently?

Andre Meira December 23, 2022

I'm installing my OAuth consumer in my account several times. Each time I complete the installation process (https://developer.atlassian.com/cloud/bitbucket/rest/intro/#1--authorization-code-grant--4-1-) I get an access token.

It seems that these tokens can be managed independently and refreshing one of them will not invalidate the others. I have tested refreshing one token and all the other tokens were still valid.

Can anyone confirm if this is really the intended behavior? I'm asking this because occasionally (only twice in a lot of tests) refreshing one of these multiple access tokens fails and I have no idea why.

1 answer

1 accepted

0 votes
Answer accepted
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 29, 2022

Hello @Andre Meira,

Welcome to Atlassian Community!

In order for us to better understand the scenario you are testing, I'd like to ask for the following details:

  • What is the grant type you are using?
  • Could you please provide us with the sequence of API calls you are following to get the token and also refresh it?
  • When you mentioned that refreshing one of these multiple tokens fails, what is the error you are receiving?

Thank you, @Andre Meira.

Patrik S

Andre Meira January 3, 2023

Hello @Patrik S, thanks for your reply.

  1. I am using Authorization Code grant
  2. As per the documentation:
    1. Redirect the user to Bitbucket for authorization and use the OAuth code to request a token, as specified here -- https://developer.atlassian.com/cloud/bitbucket/rest/intro/#1--authorization-code-grant--4-1-
    2. Refresh the token as specified here -- https://developer.atlassian.com/cloud/bitbucket/rest/intro/#refresh-tokens
  3. I get a 400 Bad Request with the following error response:
    {"error": "invalid_request", "error_description": "Invalid refresh_token"}

In case it's not clear from my original question, I'm performing step 2.1 multiple times in the same user account. Each time I get back a different access/refresh token pair and it seems they can be managed independently without invalidating previous tokens.

Patrik S
Atlassian Team
January 5, 2023

Hello @Andre Meira,

Thank you for providing additional context!

The first time you access the authorization grant URL, you will be prompted to grant consent for that OAuth consumer to make requests on your account's behalf. Once you provide the consent, you will be redirected to the redirect_url configured in the OAuth consumer, with the Authorization code as part of this URL. 

1. This Authorization code can be used one-time only to exchange for an access token.

curl -X POST -u "client_id:secret" \
  https://bitbucket.org/site/oauth2/access_token \
  -d grant_type=authorization_code -d code={code}

2. You can get a new code by accessing the authorization grant URL again:

https://bitbucket.org/site/oauth2/authorize?client_id={client_id}&response_type=code

3. Or directly get a new access token by using the refresh token that was included in the response of 1:

curl -X POST -u "client_id:client_secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=refresh_token -d refresh_token=<refresh_token>

Every time you exchange the code for an access token or use the refresh token to get a new access token, the access token will be different. However, the refresh token will always be the same. An access token expires in 2 hours, while the refresh_token has no expiration. Generating a new access token will not revoke the previous access tokens, and they will continue to expire 2 hours after their creation.

It's important to note though that if you change the scopes of your OAuth consumer, the previously generated access and refresh tokens will be revoked and the user will have to authorize the app again. A new refresh token will be generated when you first exchange your new Authorization code for an access token. If you try to use the old refresh token after the OAuth scope change, you will get the "Invalid refresh token" error.

Hope that helps to clarify your questions!

Thank you, @Andre Meira!
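As an added illustration (not code from this thread or from Atlassian), the token behaviour Patrik describes modelled in Python: a constructed in-memory stand-in for the Bitbucket token endpoint (single-use codes, a refresh token that stays constant across refreshes, revocation of all refresh tokens on a scope change) and a per-installation client that stops refreshing when it sees the "Invalid refresh_token" error instead of retrying. The class names, the `invalid_grant` body for a reused code, and the scenario are assumptions; only the refresh error body is taken from the thread.

```python
import secrets

# Constructed stand-in for https://bitbucket.org/site/oauth2/access_token; it implements only the
# behaviour described in the thread (single-use codes, stable refresh token, scope-change revocation).
class FakeTokenEndpoint:
    def __init__(self):
        self.unused_codes = set()     # every authorization code is single-use
        self.refresh_tokens = set()   # one refresh token per authorization, no expiry
    def authorize(self):              # user consent at /site/oauth2/authorize yields a fresh code
        code = secrets.token_hex(8)
        self.unused_codes.add(code)
        return code
    def change_scopes(self):          # editing the consumer's scopes revokes all refresh tokens
        self.refresh_tokens.clear()
    def post(self, data):
        """Returns (http_status, json_body); the access token is new on every successful call."""
        if data["grant_type"] == "authorization_code":
            if data["code"] not in self.unused_codes:
                return 400, {"error": "invalid_grant"}   # constructed body for a reused/unknown code
            self.unused_codes.remove(data["code"])
            refresh = secrets.token_urlsafe(16)
            self.refresh_tokens.add(refresh)
            return 200, {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh}
        if data["refresh_token"] not in self.refresh_tokens:
            return 400, {"error": "invalid_request", "error_description": "Invalid refresh_token"}
        return 200, {"access_token": secrets.token_urlsafe(16), "refresh_token": data["refresh_token"]}

class Installation:
    """One installed consumer: owns its own access/refresh pair and refreshes defensively."""
    def __init__(self, endpoint, code):
        self.ep = endpoint
        status, body = endpoint.post({"grant_type": "authorization_code", "code": code})
        assert status == 200, body
        self.access, self.refresh = body["access_token"], body["refresh_token"]
    def refresh_access(self):
        """True on success; False when the refresh token was revoked and the code grant must be rerun."""
        status, body = self.ep.post({"grant_type": "refresh_token", "refresh_token": self.refresh})
        if status == 400 and body.get("error_description") == "Invalid refresh_token":
            self.access = self.refresh = None   # drop the dead pair instead of retrying in a loop
            return False
        self.access = body["access_token"]
        return True

def scenario():
    """Replays the thread: two installs, refresh one, change scopes, refresh again."""
    ep = FakeTokenEndpoint()
    a, b = Installation(ep, ep.authorize()), Installation(ep, ep.authorize())
    old_access, old_refresh = a.access, a.refresh
    ok_a, ok_b = a.refresh_access(), b.refresh_access()   # refreshing a leaves b valid
    ep.change_scopes()
    return {"independent_pairs": a.refresh != b.refresh, "other_install_unaffected": ok_b,
            "new_access_same_refresh": ok_a and a.access != old_access and a.refresh == old_refresh,
            "after_scope_change": a.refresh_access()}    # False: rerun the authorization-code grant
```

In a real client the `post` call would be an HTTP POST with the consumer's client_id and secret as basic auth, as in the curl commands above; everything else stays the same.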

Andre Meira January 6, 2023

Hi @Patrik S

Thanks for your reply, it was very helpful!

The error I mentioned occurred during a period of heavy testing and it is possible that we changed the scopes of the OAuth consumer, which could have led to the "Invalid refresh token" error.

In the meantime, we have finished testing, the use of the OAuth consumer has reached a "steady state" and we did not have any similar problems. So I believe the error occurred due to changes during testing.

Thanks again for the support.

Cheers!

Patrik S
Atlassian Team
January 6, 2023

Hello @Andre Meira !

You're very welcome!

Happy to have been of some help :) Feel free to reach out to the community in case you have any other questions.

Thank you!
