Refresh Token Request Error Messages in the Login Audit Trail

The following table lists errors that are visible in the Detail column of the Login Audit Trail.

| Problem | Refresh Token Request | Resolution |
| --- | --- | --- |
| The access token is expired. | RefreshTokenExpired | Use the refresh token to get a new access token. If the refresh token is expired, initiate the authorization code grant flow to get a new pair of tokens. For more information, see OAuth 2.0 Authorization Code Grant Flow. |
| At least one of the following is invalid: Entity, Contact, Role. | EntityOrRoleDisabled | Verify that the entity, contact, or role exists in the account. |
| The signature is invalid. | InvalidSignature | Ensure that you use the correct certificate for token validation. For more information, see OAuth 2.0 Token Structure and Certificate Rotation. Warning: Invalidity of issuer or signature may be caused by cross-site request forgery (CSRF) attacks. To ensure that your application is safe, follow the OAuth 2.0 specification. For more information, see RFC 6749 Section 10.12. |
| The integration application ID is invalid. | InvalidIntegration | Verify that the corresponding integration record exists in the account. |
| The integration application does not use OAuth 2.0. | AuthorizationCodeGrantRequired | Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications that Use NetSuite as OIDC Provider for Outbound Single Sign-on. |
| The scope value is empty in the token. | InvalidScope | Ensure that the structure of the access token is correct. For more information, see OAuth 2.0 Token Structure and Certificate Rotation. |
| Role or entity is inactive. | EntityOrRoleDisabled | Verify that the entity or role is active in the account. |
| Client ID or client secret is invalid. | ClientAuthenticationFailed | Ensure you use the correct values of the client ID and client secret for the corresponding integration record. |
| The value of the grant type parameter is invalid or wrong. | InvalidGrantType | Ensure that the grant type value used is the correct one in the corresponding step of the authorization code grant flow. For more information, see OAuth 2.0 Authorization Code Grant Flow. |
| The application attempted the refresh token request with an access token. | InvalidRefreshToken | Ensure that the application uses the access token for accessing RESTlets and REST web services, and the refresh token for the refresh token POST request. For more information, see Refresh Token POST Request to the Token Endpoint. |
| The NetSuite as OIDC Provider feature is not enabled in the account. | FeatureDisabled | See Enable the NetSuite as OIDC Provider Feature. |
| The integration record is blocked. | IntegrationBlocked | Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications that Use NetSuite as OIDC Provider for Outbound Single Sign-on. |
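The following Python example is added here and is not part of the NetSuite documentation. It groups exported Login Audit Trail rows by integration and Detail value, flags InvalidSignature on first occurrence (in line with the warning above) and flags repeated ClientAuthenticationFailed. The CSV layout, the column names, the integration names, the threshold and the three buckets are assumptions of this example.

```python
import csv
import io
from collections import Counter

# Detail values copied from the table above. The three buckets are this
# example's own grouping (an assumption), not a NetSuite classification.
CLIENT_FLOW = {"RefreshTokenExpired", "InvalidGrantType",
               "InvalidRefreshToken", "InvalidScope"}
ACCOUNT_CONFIG = {"EntityOrRoleDisabled", "InvalidIntegration",
                  "AuthorizationCodeGrantRequired", "FeatureDisabled",
                  "IntegrationBlocked"}
SECURITY_REVIEW = {"InvalidSignature", "ClientAuthenticationFailed"}

# Constructed sample export; column and integration names are hypothetical.
SAMPLE = """Date,Integration,Detail
2024-05-01T10:00:00Z,billing-sync,RefreshTokenExpired
2024-05-01T10:01:00Z,billing-sync,ClientAuthenticationFailed
2024-05-01T10:01:05Z,billing-sync,ClientAuthenticationFailed
2024-05-01T10:01:09Z,billing-sync,ClientAuthenticationFailed
2024-05-01T11:00:00Z,hr-portal,InvalidSignature
2024-05-01T11:05:00Z,hr-portal,IntegrationBlocked
2024-05-01T11:06:00Z,hr-portal,ClientAuthenticationFailed
2024-05-01T12:00:00Z,crm-app,SomethingNew
"""

def triage(csv_text, threshold=3):
    """Return (alerts, config_issues, unknown) as (integration, detail, count) lists."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[(row["Integration"].strip(), row["Detail"].strip())] += 1
    alerts, config_issues, unknown = [], [], []
    for (integration, detail), n in sorted(counts.items()):
        if detail == "InvalidSignature":
            # One occurrence is enough: wrong certificate or a forged token.
            alerts.append((integration, detail, n))
        elif detail in SECURITY_REVIEW and n >= threshold:
            # Repeated bad client credentials for the same integration.
            alerts.append((integration, detail, n))
        elif detail in ACCOUNT_CONFIG:
            # An administrator has to fix the record, role or feature.
            config_issues.append((integration, detail, n))
        elif detail not in CLIENT_FLOW | SECURITY_REVIEW:
            # Detail value that is not in the table above.
            unknown.append((integration, detail, n))
    return alerts, config_issues, unknown

if __name__ == "__main__":
    for name, rows in zip(("alerts", "config", "unknown"), triage(SAMPLE)):
        print(name, rows)
```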

Related Topics

NetSuite as OIDC Provider
NetSuite as OIDC Provider Tasks for Administrators
NetSuite as OIDC Provider for Integration Application Developers
OAuth 2.0 Authorization Code Grant Flow
Troubleshooting NetSuite as OIDC Provider
NetSuite as OIDC Provider and the Login Audit Trail
