The Refresh Token Request Error Messages in the Login Audit Trail

The following table lists errors that are visible in Detail column of the Login Audit Trail Results.

Problem	Refresh Token Request	Resolution
The refresh token is expired.	RefreshTokenExpired	Use the refresh token to get a new access token. If the refresh token is expired, initiate the authorization code grant flow to get a new pair of tokens. For more information, see OAuth 2.0 Authorization Code Grant Flow.
At least one of the following is invalid: Entity Contact Role	EntityOrRoleDisabled	Verify that the entity, contact, or role exists in the account.
The signature is invalid.	InvalidSignature	Ensure that you use the correct public key for token validation. For more information, see OAuth 2.0 Access and Refresh Token Structure. Warning: Invalidity of issuer or signature may be caused by cross-site request forgery (CSFR) attacks. To ensure that your application is safe, follow the OAuth 2.0 specification. For more information, see RFC6749 Section 10.12.
The integration application ID is invalid.	InvalidIntegration	Verify that the corresponding integration record exists in the account.
The integration application has empty scope or the scope in the token does not match the scope in the integration record.	ScopeMismatched	Ensure that either the RESTlets or REST Web Services box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.
The integration application does not use OAuth 2.0.	AuthorizationCodeGrantRequired	Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.
The scope value is empty in the token.	InvalidScope	Ensure that the structure of the access token is correct. For more information, see OAuth 2.0 Access and Refresh Token Structure.
Role or entity is inactive.	EntityOrRoleDisabled	Verify that the entity or role is active in the account.
Client ID or client secret is invalid.	ClientAuthenticationFailed	Ensure that you use the correct values of the client ID and client secret for the corresponding integration record.
The value of the grant type parameter is invalid or wrong.	InvalidGrantType	Ensure that the grant type value used is the correct one in the corresponding step of the authorization code grant flow. For more information, see OAuth 2.0 Authorization Code Grant Flow.
The application attempted the refresh token request with an access token.	InvalidRefreshToken	Ensure that the application uses the access token for accessing RESTlets and REST web services, and the refresh token for the refresh token POST request. For more information, see Refresh Token POST Request to the Token Endpoint.
The OAuth 2.0 feature is not enabled in the account.	FeatureDisabled	See Enable the OAuth 2.0 Feature.
The integration record is blocked.	IntegrationBlocked	Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.
The header of a token is missing a value for the kid parameter.	MissingKeyId	Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.
The value of the kid parameter in a token header does not match any valid certificate.	MissingKey	Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.
The value of the nonce parameter is set up incorrectly, or the token is issued in the future.	TokenNotAcceptable	Ensure that the token time validity is set up correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Problem

Refresh Token Request

Resolution

The refresh token is expired.

RefreshTokenExpired

Use the refresh token to get a new access token. If the refresh token is expired, initiate the authorization code grant flow to get a new pair of tokens. For more information, see OAuth 2.0 Authorization Code Grant Flow.

At least one of the following is invalid:

Entity
Contact
Role

EntityOrRoleDisabled

Verify that the entity, contact, or role exists in the account.

The signature is invalid.

InvalidSignature

Ensure that you use the correct public key for token validation. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Warning:

Invalidity of issuer or signature may be caused by cross-site request forgery (CSFR) attacks. To ensure that your application is safe, follow the OAuth 2.0 specification. For more information, see RFC6749 Section 10.12.

The integration application ID is invalid.

InvalidIntegration

Verify that the corresponding integration record exists in the account.

The integration application has empty scope or the scope in the token does not match the scope in the integration record.

ScopeMismatched

Ensure that either the RESTlets or REST Web Services box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The integration application does not use OAuth 2.0.

AuthorizationCodeGrantRequired

Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The scope value is empty in the token.

InvalidScope

Ensure that the structure of the access token is correct. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Role or entity is inactive.

EntityOrRoleDisabled

Verify that the entity or role is active in the account.

Client ID or client secret is invalid.

ClientAuthenticationFailed

Ensure that you use the correct values of the client ID and client secret for the corresponding integration record.

The value of the grant type parameter is invalid or wrong.

InvalidGrantType

Ensure that the grant type value used is the correct one in the corresponding step of the authorization code grant flow. For more information, see OAuth 2.0 Authorization Code Grant Flow.

The application attempted the refresh token request with an access token.

InvalidRefreshToken

Ensure that the application uses the access token for accessing RESTlets and REST web services, and the refresh token for the refresh token POST request. For more information, see Refresh Token POST Request to the Token Endpoint.

The OAuth 2.0 feature is not enabled in the account.

FeatureDisabled

See Enable the OAuth 2.0 Feature.

The integration record is blocked.

IntegrationBlocked

Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The header of a token is missing a value for the kid parameter.

MissingKeyId

Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

The value of the kid parameter in a token header does not match any valid certificate.

MissingKey

Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

The value of the nonce parameter is set up incorrectly, or the token is issued in the future.

TokenNotAcceptable

Ensure that the token time validity is set up correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure.

Related Topics