I fail to get an OAuth 2.0 refresh token
When configuring an integration with an external system through OAuth 2.0, you may see an error message in your application logs similar to the following one:
Error occurred while authorizing an integration. The error message is: Refresh token is not present and access token lifetime is too short.
Atlassian DC applications expect either long-lived access tokens, or short-lived access tokens coupled with refresh tokens, which can be used to continue being authorized with the third-party resource server. According to the error message, neither was provided by the OAuth server. The reason why the refresh token was not issued may depend on the OAuth provider and its custom protocol implementation.
Read on to see how you can troubleshoot your issue.
Troubleshooting connection with Google
When connecting your Atlassian product with Google services through OAuth 2.0, make sure to use the dedicated provider type.
The reason behind it is that Google authorisation servers require specific authorisation parameters which must be used in order for the server to issue a refresh token.
The prompt header of an OAuth request must include the value consent. In comparison, the default used by the Custom provider type is select_account. Secondly, a custom parameter access_type must be set to value
Because the parameters or their values are specific to Google as an OAuth 2.0 vendor, they are not sent by the Custom provider type.
Troubleshooting connection with Microsoft
When connecting your Atlassian product with the Microsoft identity platform through OAuth 2.0, a custom scope offline_access must be used in the authorisation request in order for the server to issue a refresh token.
The scope is automatically appended if you select ‘Microsoft’ as the provider type when configuring your integration.
Troubleshooting connection with other providers
There are other providers which, similarly to the Microsoft identity platform, require the offline_access scope in order to issue refresh tokens. Try adding the scope and then testing your integration to see if the problem gets resolved.
The system property atlassian.oauth2.client.minimum.access.token.only.lifetime.days may be used on the Atlassian product’s side to fine-tune the minimum required lifetime of an access token, should the OAuth server not issue a refresh token. The value is configurable in days, and defaults to 30.
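The following Python sketch is an added example, not Atlassian's code: it models the acceptance rule described above (a refresh token, or an access token that lives at least the configured number of days) and checks an authorisation request URL for the provider-specific parameters this page names. The function names, the example.test URLs, the token values and the treatment of a missing expires_in as too short are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_MIN_DAYS = 30  # default of the system property named on this page


def token_response_acceptable(token_response, min_days=DEFAULT_MIN_DAYS):
    """Model of the rule: a refresh token, or a long-lived access token."""
    if token_response.get("refresh_token"):
        return True
    expires_in = token_response.get("expires_in")
    if expires_in is None:
        return False  # assumption: an unknown lifetime counts as too short
    return int(expires_in) >= min_days * 86400


def missing_refresh_prerequisites(authorization_url, provider):
    """List the page's provider-specific requirements absent from the URL."""
    params = parse_qs(urlsplit(authorization_url).query)
    scopes = params.get("scope", [""])[0].split()
    problems = []
    if provider == "google":
        if "consent" not in params.get("prompt", [""])[0].split():
            problems.append("prompt does not include consent")
        if "access_type" not in params:  # presence only; value not checked
            problems.append("access_type is not set")
    elif "offline_access" not in scopes:  # Microsoft and similar providers
        problems.append("scope offline_access is missing")
    return problems


# Constructed sample inputs (not captured from a real provider).
GOOGLE_VIA_CUSTOM = ("https://auth.example.test/authorize?client_id=demo"
                     "&response_type=code&scope=openid+email"
                     "&prompt=select_account")
MICROSOFT_OK = ("https://auth.example.test/authorize?client_id=demo"
                "&response_type=code&scope=openid+offline_access")
SHORT_LIVED_ONLY = {"access_token": "constructed", "expires_in": 3600}

if __name__ == "__main__":
    print(missing_refresh_prerequisites(GOOGLE_VIA_CUSTOM, "google"))
    print(missing_refresh_prerequisites(MICROSOFT_OK, "microsoft"))
    print(token_response_acceptable(SHORT_LIVED_ONLY))
    # Lowering the minimum, as the system property allows, changes the result.
    print(token_response_acceptable({"expires_in": 7 * 86400}, min_days=7))
```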
Unfortunately, vendors come with varying implementations of the OAuth 2.0 protocol. In some cases the ‘flavour’ of OAuth may have requirements which are not part of any standard, making it difficult to connect to without custom logic. In such cases it might be challenging to integrate with such systems using the Custom provider type. If you need further assistance, contact Atlassian Support or create a feature request or report a bug in the Atlassian OAuth 2.0 project in Jira.