Okta Refresh Token Invalid or Expired Error: {"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}
Okta Identity Engine
API Access Management
Overview

This article explains the error that occurs when a session cannot be renewed because the provided refresh token is no longer valid.

The following error message is displayed:

    {"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}

Applies To
  • Refresh tokens
  • System logs
  • Token exchange
  • Session management
Cause

This error occurs because the refresh token has expired, was previously used in a rotation scenario, or was revoked by the authorization server.

Solution

The developer must identify the specific behavior in the System Log and adjust the application or policy configuration.

  1. Go to Reports > System Log.

  2. Search for the failure event using the following query to confirm whether the token is invalid:

    (eventType eq "app.oauth2.as.token.grant" OR eventType eq "app.oauth2.token.grant") AND outcome.reason eq "invalid_refresh_token"

  3. Review the Refresh Token Expiration Behavior to understand how different configurations affect token validity.

  4. If the behavior is expected based on current policies, require a new primary authentication to obtain a new set of tokens.

    1. Go to the sign-in page.

    2. Ensure the application receives and stores the new refresh token for future use.

  5. If the behavior is not expected, modify the application code or the Authorization Server (AS) policy settings to extend the lifetime or change the rotation requirements.
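
The client-side handling described in step 4 is sketched below as an added example; it is not Okta code. `FakeTokenEndpoint` is a constructed, simplified in-memory stand-in for a token endpoint with rotation enabled, and `TokenClient` and its method names are hypothetical.

```python
import json

# Error body quoted in the article.
INVALID_GRANT = {"error": "invalid_grant",
                 "error_description": "The refresh token is invalid or expired."}

class FakeTokenEndpoint:
    """Constructed in-memory stand-in for a token endpoint with rotation enabled."""
    def __init__(self):
        self.issued = 0
        self.valid_refresh_token = None

    def _token_set(self):
        self.issued += 1
        self.valid_refresh_token = f"rt-{self.issued}"  # the previous token is now dead
        return 200, json.dumps({"access_token": f"at-{self.issued}",
                                "refresh_token": self.valid_refresh_token})

    def primary_authentication(self):
        return self._token_set()

    def refresh(self, refresh_token):
        if refresh_token is None or refresh_token != self.valid_refresh_token:
            return 400, json.dumps(INVALID_GRANT)
        return self._token_set()

class TokenClient:
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.access_token = self.refresh_token = None

    def _store(self, raw):
        body = json.loads(raw)
        self.access_token = body["access_token"]
        # Persist the rotated refresh token; keep the old one only if none was returned.
        self.refresh_token = body.get("refresh_token", self.refresh_token)

    def sign_in(self):
        _, raw = self.endpoint.primary_authentication()
        self._store(raw)

    def renew(self):
        status, raw = self.endpoint.refresh(self.refresh_token)
        if status == 400 and json.loads(raw).get("error") == "invalid_grant":
            self.refresh_token = None      # do not retry a token the server rejected
            return "reauthenticate"        # caller sends the user to the sign-in page
        self._store(raw)
        return "refreshed"
```

A client that keeps presenting a refresh token it held before a rotation gets the `invalid_grant` response on its next renewal, which is why step 4.2 requires storing the new token.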
