HMRC have just sent an email to developers talking about the use of refresh tokens (which has been discussed on AWeb). I thought it might be useful to list the three main problems as HMRC see it, so that anyone still having problems with this may be able to work out where the problem lies.
These are HMRC's three reasons for refresh going wrong:
- User Credentials Reset: The end-user has reset their Government Gateway password or changed the Multifactor Authentication device associated with their account. This causes existing grants to be invalidated. This is far more common than we were expecting and could well be down to credential sharing/resets on shared accounts.
- Multiple Requests with Same Token: This is mainly occurring when more than one request to refresh the same token is received within a few milliseconds of each other. One refresh will succeed, but the other will fail.
- Not Storing the latest Refresh Token: A new refresh token is provided each time a refresh token is used. Please ensure that you are accurately recording the latest refresh token. This coupled with multiple requests with the same refresh token can mean that one refresh gets through and succeeds, while the other fails and your software ends up persisting a now expired refresh token.
I think the issue about user credentials being reset is worth being aware of, but I think the main problem people are getting probably arises from overlapping token refreshing.
If anyone wants any direct help with this I am happy to help at [email protected]
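As an added illustration of the second and third points (overlapping refreshes and not persisting the rotated token), here is example code that is not from HMRC's email or the original post. The token endpoint is a constructed stand-in that behaves as described (each refresh issues a new refresh token and the old one stops working); the client serialises refreshes under a lock and re-checks which token is current, so a caller that lost the race reuses the already-rotated tokens instead of replaying a consumed one.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

class FakeTokenEndpoint:
    """Constructed stand-in (not HMRC's API): each refresh rotates the token and voids the old one."""
    def __init__(self, first_refresh_token):
        self.valid = first_refresh_token
        self.issued = 0

    def refresh(self, refresh_token):
        if refresh_token != self.valid:   # already-consumed token: this is the request that fails
            raise PermissionError("invalid_grant: refresh token already used")
        self.issued += 1
        self.valid = f"refresh-{self.issued}"
        return {"access_token": f"access-{self.issued}", "refresh_token": self.valid}

class TokenClient:
    """Keeps exactly one current refresh token and serialises every refresh."""
    def __init__(self, endpoint, refresh_token):
        self.endpoint = endpoint
        self.refresh_token = refresh_token   # always the most recently issued token
        self.access_token = None
        self._lock = threading.Lock()

    def refresh(self, seen_refresh_token):
        """Refresh only if the token the caller saw is still current; otherwise reuse the rotated result."""
        with self._lock:
            if self.refresh_token != seen_refresh_token:
                return self.access_token      # another caller already refreshed; do not replay
            tokens = self.endpoint.refresh(self.refresh_token)
            self.refresh_token = tokens["refresh_token"]  # persist the new refresh token first
            self.access_token = tokens["access_token"]
            return self.access_token

def replayed_token_is_rejected():
    """Two uses of one refresh token: the first succeeds, the second fails."""
    endpoint = FakeTokenEndpoint("refresh-0")
    endpoint.refresh("refresh-0")
    try:
        endpoint.refresh("refresh-0")
    except PermissionError:
        return True
    return False

def concurrent_refreshes(workers=4):
    """Threads all holding 'refresh-0' refresh at once; only one call reaches the endpoint."""
    endpoint = FakeTokenEndpoint("refresh-0")
    client = TokenClient(endpoint, "refresh-0")
    with ThreadPoolExecutor(workers) as pool:
        results = list(pool.map(lambda _: client.refresh("refresh-0"), range(workers)))
    return results, endpoint.issued, client.refresh_token
```

In a multi-process or multi-server deployment the lock has to live in the shared store that holds the token (a database row lock or equivalent) rather than in memory, but the check-then-refresh-then-persist order is the same.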