Merge pull request #1028 from supertokens/fix/oauth-refresh-token-bug

fix: return the proper response when the OAuth2 refresh token is invalid

Author: porcellus

CHANGELOG.md

@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Fix WebAuthn credential listing and removal to work even when the WebAuthn user is not the primary user and when there are multiple WebAuthn users linked
 -   Prevent removal of WebAuthn credentials unless all session claims are satisfied
 -   Change how sessions are fetched before listing, removing and adding WebAuthn credentials
+-   Fix the OAuth2Provider `tokenExchange` error message when the refresh token is expired
 
 ## [23.0.0] - 2025-07-21
 

lib/build/recipe/oauth2provider/recipeImplementation.js

@@ -471,6 +471,16 @@ export default function getRecipeInterface(
                     return tokenInfo;
                 }
 
+                if (!tokenInfo.active) {
+                    return {
+                        status: "ERROR",
+                        statusCode: 400,
+                        error: "invalid_grant",
+                        errorDescription:
+                            "The provided refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
+                    };
+                }
+
                 if (tokenInfo.active === true) {
                     const sessionHandle = tokenInfo.sessionHandle as string;