Refresh token grant errors with redis operational store #144
-
IdentityServer version: 7.0.5

.NET version: 8

Description

We are using Redis as an operational store for our identity server implementation and are seeing the errors below. Any suggestions on what could be the probable root cause?

[Duende.IdentityServer.Contrib.RedisStore.Stores.PersistedGrantStore] "<>" found in database: False

We've set the below refresh parameters for the client configuration: Default 30 days token lifetime has been used for RefreshToken.

Reproduction steps

No specific steps to reproduce this issue. Happens randomly.

Expected behavior: No response

Logs: No response

Additional context: No response
Replies: 5 comments
-
Does this also occur when not using RedisStore?
-
Thanks for the prompt response. We have not tried reproducing the same
scenario without RedisStore.
Here's the client configuration.
{
  "ClientId": "<<clientId>>",
  "AllowedGrantTypes": [ "authorization_code", "password" ],
  "RequirePkce": "true",
  "RequireClientSecret": "false",
  "AllowAccessTokensViaBrowser": "true",
  "AllowOfflineAccess": "true",
  "RequireConsent": "false",
  "AlwaysIncludeUserClaimsInIdToken": "true",
  "RefreshTokenUsage": "1",
  "RefreshTokenExpiration": "1",
  "AccessTokenLifetime": "900",
  "AllowedScopes": [ "openid", "profile" ],
  "RedirectUris": [ "<<redirectUris>>" ],
  "PostLogoutRedirectUris": [ "<<postLogoutRedirectUris>>" ],
  "UpdateAccessTokenClaimsOnRefresh": "true"
},
…On Wed, Apr 2, 2025 at 3:08 PM RolandGuijt ***@***.***> wrote:
Does this also occur when not using RedisStore?
If so: can you please share the complete client configuration and the code
around how the client is configured?
If not please create an issue in the GitHub project
<https://github.com/safe-fleet/Duende.IdentityServer.Contrib.RedisStore>.
The project has "Duende" in its name but it's not maintained by us.
-
We were able to reproduce this issue when we had more than 1 tab open for the same user in a single browser instance. Is it that when 2 tabs are open, the 2nd tab uses the refresh token from the first tab to renew the access token, and then when the first tab tries to renew the token using its older refresh token, it is not found in the Redis store [since we have kept refreshTokenUsage as OneTime]?
-
It depends on how the tokens are stored.
-
We probably figured out the root cause of the issue. It was happening when the same user opens the client in 2 tabs in the same browser instance, i.e. if the user opens tab 01, Access Token A1 and Refresh Token R1 were issued to it. When he opened tab 02, Refresh Token R1 was being sent to get new Access Token A2 and Refresh Token R2. Now, when tab 01's Access Token A1 was nearing expiry, it was making a call with the same Refresh Token R1 to get new tokens. However, since we had "RefreshTokenUsage" set to OneTime, that token was already consumed. Hence, we were getting "invalid_grant" errors on the first tab.
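
The two-tab sequence described above, modelled as an added example (not code from the thread, Duende IdentityServer or the RedisStore project): `perTabCopies` reproduces the `invalid_grant`, and `SharedTokenStore` shows one assumed mitigation in which tabs share a single token slot and serialize refreshes. All class and function names are hypothetical, and the promise queue stands in for a real cross-tab lock.

```javascript
// Added example: an in-memory model, not Duende IdentityServer or RedisStore code.
class TokenEndpoint {
  constructor() { this.grants = new Set(); this.n = 0; }
  issue() {
    const i = ++this.n;
    this.grants.add(`R${i}`);
    return { access: `A${i}`, refresh: `R${i}` };
  }
  // One-time use: redeeming a refresh token deletes its grant.
  refresh(token) {
    if (!this.grants.delete(token)) return { error: "invalid_grant" };
    return this.issue();
  }
}

// Failure mode from the thread: each tab holds its own copy of R1.
function perTabCopies(endpoint) {
  const r1 = endpoint.issue().refresh;
  const tab2 = endpoint.refresh(r1); // tab 02 redeems R1 and gets A2/R2
  const tab1 = endpoint.refresh(r1); // tab 01 sends the consumed R1
  return { tab1, tab2 };
}

// Assumed mitigation: all tabs share one token slot and refreshes are serialized.
class SharedTokenStore {
  constructor(endpoint) {
    this.endpoint = endpoint;
    this.tokens = endpoint.issue();
    this.queue = Promise.resolve();
  }
  // seenAccess: the access token the calling tab considers about to expire.
  refreshIfStale(seenAccess) {
    const run = this.queue.then(() => {
      // Another tab already rotated the tokens: reuse them instead of redeeming.
      if (this.tokens.access !== seenAccess) return this.tokens;
      const next = this.endpoint.refresh(this.tokens.refresh);
      if (next.error) throw new Error(next.error);
      return (this.tokens = next);
    });
    this.queue = run.catch(() => {}); // keep the queue usable after a failure
    return run;
  }
}

// Both tabs notice the same expiring access token at the same time.
async function sharedStore(endpoint) {
  const store = new SharedTokenStore(endpoint);
  const stale = store.tokens.access;
  return Promise.all([store.refreshIfStale(stale), store.refreshIfStale(stale)]);
}
```

With the shared store, only the first caller redeems R1; the second sees that the access token has already changed and reuses A2/R2.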