Skip to content

Cannot pass JWT refresh token as an argument

I’m trying to get a new access token using a refresh token in Spring Boot with OAuth2. It should be done as following: POST: url/oauth/token?grant_type=refresh_token&refresh_token=....

It works fine if I’m using InMemoryTokenStore because the token is tiny and contains only digits/letters but right now I’m using a JWT token and as you probably know it has 3 different parts which probably are breaking the code.

I’m using the official migration guide to 2.4.

When I try to access the URL above, I’m getting the following message:

    "error": "invalid_token",
    "error_description": "Cannot convert access token to JSON"

How do I pass a JWT token in the params? I tried to set a breakpoint on that message, so I could see what the actual argument was, but it didn’t get to it for some reason.

 * The Authorization Server is responsible for generating tokens specific to a client.
 * Additional information can be found here:
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private String clientId;

    private String clientSecret;

    private int accessTokenValidity;

    private int refreshTokenValidity;

    private ClientDetailsService clientDetailsService;

    private AuthenticationManager authenticationManager;

    private BCryptPasswordEncoder bCryptPasswordEncoder;

    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                .authorizedGrantTypes("password", "authorization_code", "refresh_token")
                .scopes("read", "write", "trust")

    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

    public UserApprovalHandler userApprovalHandler() {
        ApprovalStoreUserApprovalHandler userApprovalHandler = new ApprovalStoreUserApprovalHandler();
        userApprovalHandler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        return userApprovalHandler;

    public TokenStore tokenStore() {
        JwtTokenStore tokenStore = new JwtTokenStore(accessTokenConverter());
        return tokenStore;

    public JwtAccessTokenConverter accessTokenConverter() {
        final RsaSigner signer = new RsaSigner(KeyConfig.getSignerKey());

        JwtAccessTokenConverter converter = new JwtAccessTokenConverter() {
            private JsonParser objectMapper = JsonParserFactory.create();

            protected String encode(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
                String content;
                try {
                    content = this.objectMapper.formatMap(getAccessTokenConverter().convertAccessToken(accessToken, authentication));
                } catch (Exception ex) {
                    throw new IllegalStateException("Cannot convert access token to JSON", ex);
                Map<String, String> headers = new HashMap<>();
                headers.put("kid", KeyConfig.VERIFIER_KEY_ID);
                return JwtHelper.encode(content, signer, headers).getEncoded();
        converter.setVerifier(new RsaVerifier(KeyConfig.getVerifierKey()));
        return converter;

    public ApprovalStore approvalStore() {
        return new InMemoryApprovalStore();

    public JWKSet jwkSet() {
        RSAKey.Builder builder = new RSAKey.Builder(KeyConfig.getVerifierKey())
        return new JWKSet(;




I assume that the Cannot convert access token to JSON might have been due to incorrectly pasted token.

As for Invalid refresh token, it occurs because when JwtTokenStore reads the refresh token, it validates the scopes and revocation with InMemoryApprovalStore. However, for this implementation, the approvals are registered only during authorization through /oauth/authorize URL (Authorisation Code Grant) by the ApprovalStoreUserApprovalHandler.

Especially for the Authorisation Code Grant (authorization_code), you want to have this validation, so that the refresh token request will not be called with an extended scope without the user knowledge. Moreover, it’s optional to store approvals for future revocation.

The solution is to fill the ApprovalStore with the Approval list for all resource owners either statically or dynamically. Additionally, you might be missing setting the user details service endpoints.userDetailsService(userDetailsService) which is used during the refresh process.


You can verify this by creating pre-filled InMemoryApprovalStore:

public ApprovalStore approvalStore() {
    InMemoryApprovalStore approvalStore = new InMemoryApprovalStore();
    Date expirationDate = Date.from(;
    List<Approval> approvals = Stream.of("read", "write", "trust")
            .map(scope -> new Approval("admin", "trusted", scope, expirationDate,
    return approvalStore;

I would also take a look at implementing it in the storeRefreshToken()/storeAccessToken() methods of JwtTokenStore, as they have an empty implementation, and the method parameters contain all the necessary data.

User contributions licensed under: CC BY-SA
4 People found this is helpful