Refresh token - 400 code error
I've noticed that ZITADEL started to give a 400 error code when the refresh token is expired. Is this intended or a mistake? Because common practice is to use 401 when your tokens are expired.
3 Replies
Hi @hypebeast18, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer about ZITADEL's specific HTTP status codes for expired refresh tokens in the official documentation, but here are some relevant sources:
1. Get Refresh Tokens : Shows the API endpoint for retrieving refresh tokens and their expiration details but doesn't specify error codes for expired tokens.
2. Discord message from @tyteen4a03 on 2024-09-18 : Discusses HTTP status code behavior where a team member mentions that HTTP 400 for incorrect credentials could be considered valid as it's perceived as a client error.
To learn more, see the sources I considered:
[1] Get Refresh Tokens
[2] Revoke Refresh Tokens
[3] OpenID Connect Endpoints in ZITADEL
[4] Discord message from @tyteen4a03 on 2024-09-18
[5] Invalid token
[6] [Bug]: Automatic silent token refresh not compatible with zitadel token invalidation
[7] Self hosted - ERROR Http response at 400 or 500 level
[8] Use a single token verifier in the auth middleware
[9] Discord message from @geo_space on 2024-03-24
Feel free to tag @Ask Inkeep with additional questions.
hey there!
401 is used when the server understands the request but denies access. In the case of an invalid or expired refresh token (which is an opaque string from the server's perspective), a 400 status code is correct, since the server no longer recognizes that string.