I fail to get an OAuth 2.0 refresh token


When you configure an integration with an external system through OAuth 2.0, you may see an error message similar to the following in your application logs:

Error occurred while authorizing an integration. The error message is: Refresh token is not present and access token lifetime is too short.

Atlassian DC applications expect either long-lived access tokens, or short-lived access tokens coupled with refresh tokens, which can be used to stay authorized with the third-party resource server. According to the error message, neither was provided by the OAuth server. The reason why the refresh token was not issued may depend on the OAuth provider and its custom protocol implementation.

Read on to see how you can troubleshoot your issue.

Troubleshooting connection with Google

When connecting your Atlassian product with Google services through OAuth 2.0, make sure to use the dedicated provider type.

The reason is that Google authorisation servers require specific authorisation parameters before they will issue a refresh token.


First, the prompt parameter of the OAuth authorisation request must include the value consent. By comparison, the default used by the Custom provider type is select_account. Second, the custom parameter access_type must be set to the value offline.

Because the parameters or their values are specific to Google as an OAuth 2.0 vendor, they are not sent by the Custom provider type.


Troubleshooting connection with Microsoft

When connecting your Atlassian product with the Microsoft identity platform through OAuth 2.0, a custom scope offline_access must be used in the authorisation request in order for the server to issue a refresh token.

The scope is automatically appended if you select ‘Microsoft’ as the provider type when configuring your integration.


Troubleshooting connection with other providers

There are other providers which, similarly to the Microsoft identity platform, require the offline_access scope in order to issue refresh tokens. Try adding the scope and then testing your integration to see if the problem gets resolved.

The system property atlassian.oauth2.client.minimum.access.token.only.lifetime.days may be used on the Atlassian product’s side to fine-tune the minimum required lifetime of an access token, should the OAuth server not issue a refresh token. The value is configurable in days, and defaults to 30.
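The checks from the Google, Microsoft and other-provider sections, plus the minimum-lifetime rule, as an added diagnostic example (not Atlassian code). The function names and the idp.example URLs are constructed for illustration, and comparing the token response's expires_in (seconds) against the threshold in days is an assumption about how the rule is applied.

```python
from urllib.parse import urlsplit, parse_qs

SECONDS_PER_DAY = 86400


def missing_refresh_params(auth_url, provider):
    """List the parameters this page names as required for a refresh token
    that are absent from an authorisation request URL."""
    query = parse_qs(urlsplit(auth_url).query)
    prompt = query.get("prompt", [""])[0].split()   # space-delimited values
    scopes = query.get("scope", [""])[0].split()    # space-delimited scopes
    missing = []
    if provider == "google":
        if "consent" not in prompt:
            missing.append("prompt=consent")
        if query.get("access_type", [""])[0] != "offline":
            missing.append("access_type=offline")
    elif "offline_access" not in scopes:            # Microsoft and similar providers
        missing.append("scope=offline_access")
    return missing


def token_response_acceptable(token_response, min_days=30):
    """Assumed model of the rule: accept a refresh token, or an access token
    whose lifetime is at least min_days (the system property, default 30)."""
    if token_response.get("refresh_token"):
        return True
    expires_in = int(token_response.get("expires_in") or 0)
    return expires_in >= min_days * SECONDS_PER_DAY


# Constructed sample requests and responses (not captured traffic).
CUSTOM_TYPE_TO_GOOGLE = ("https://idp.example/authorize?client_id=abc"
                         "&response_type=code&scope=openid+email&prompt=select_account")
GOOGLE_TYPE = CUSTOM_TYPE_TO_GOOGLE.replace(
    "prompt=select_account", "prompt=consent&access_type=offline")
MICROSOFT_TYPE = ("https://idp.example/authorize?client_id=abc"
                  "&response_type=code&scope=openid+offline_access")
SHORT_TOKEN_ONLY = {"access_token": "constructed", "expires_in": 3600}

if __name__ == "__main__":
    for url, provider in [(CUSTOM_TYPE_TO_GOOGLE, "google"),
                          (GOOGLE_TYPE, "google"),
                          (MICROSOFT_TYPE, "microsoft")]:
        print(provider, "missing:", missing_refresh_params(url, provider))
    print("one-hour token without refresh token accepted:",
          token_response_acceptable(SHORT_TOKEN_ONLY))
```
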

Further assistance

Unfortunately, vendors come with varying implementations of the OAuth 2.0 protocol. In some cases the ‘flavour’ of OAuth may have requirements which are not part of any standard, making it challenging to integrate with such systems using the Custom provider type without custom logic. If you need further assistance, contact Atlassian Support, or create a feature request or report a bug in the Atlassian OAuth 2.0 project in Jira.

Last modified on Jul 9, 2020
