Refresh Token Request Error Messages in the Login Audit Trail
The following table lists errors that are visible in the Detail column of the Login Audit Trail.
|
Problem |
Refresh Token Request |
Resolution |
|---|---|---|
|
The access token is expired. |
RefreshTokenExpired |
Use the refresh token to get a new access token. If the refresh token is expired, initiate the authorization code grant flow to get a new pair of tokens. For more information, see OAuth 2.0 Authorization Code Grant Flow. |
|
At least one of the following is invalid:
|
EntityOrRoleDisabled |
Verify that the entity, contact, or role exists in the account. |
|
The signature is invalid. |
InvalidSignature |
Ensure that you use the correct certificate for token validation. For more information, see OAuth 2.0 Token Structure and Certificate Rotation.
Warning:
Invalidity of issuer or signature may be caused by cross-site request forgery (CSFR) attacks. To ensure that your application is safe, follow the OAuth 2.0 specification. For more information, see RFC6749 Section 10.12. |
|
The integration application ID is invalid. |
InvalidIntegration |
Verify that the corresponding integration record exists in the account. |
|
The integration application does not use OAuth 2.0. |
AuthorizationCodeGrantRequired |
Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications that Use NetSuite as OIDC Provider for Outbound Single Sign-on. |
|
The scope value is empty in the token. |
InvalidScope |
Ensure that the structure of the access token is correct. For more information, see OAuth 2.0 Token Structure and Certificate Rotation. |
|
Role or entity is inactive. |
EntityOrRoleDisabled |
Verify that the entity or role is active in the account. |
|
Client ID or client secret is invalid. |
ClientAuthenticationFailed |
Ensure you use the correct values of the client ID and client secret for the corresponding integration record. |
|
The value of the grant type parameter is invalid or wrong. |
InvalidGrantType |
Ensure that the grant type value used is the correct one in the corresponding step of the authorization code grant flow. For more information, see OAuth 2.0 Authorization Code Grant Flow. |
|
The application attempted the refresh token request with an access token. |
InvalidRefreshToken |
Ensure that the application uses the access token for accessing RESTlets and REST web services, and the refresh token for the refresh token POST request. For more information, see Refresh Token POST Request to the Token Endpoint. |
|
The NetSuite as OIDC Provider feature is not enabled in the account. |
FeatureDisabled |
|
|
The integration record is blocked. |
IntegrationBlocked |
Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications that Use NetSuite as OIDC Provider for Outbound Single Sign-on. |
|
The header of a token is missing a value for the kid parameter. |
MissingKeyId |
Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure. |
|
The value of the kid parameter in a token header does not match any valid certificate. |
MissingKey |
Ensure that you set up your token correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure. |
|
The value of the nonce parameter is set up incorrectly, or the token is issued in the future. |
TokenNotAcceptable |
Ensure that the token time validity is set up correctly. For more information, see OAuth 2.0 Access and Refresh Token Structure. |