使用具有授权代码流的有效刷新令牌获取新令牌时出错

我正在使用WSO2 API管理器1.10.0，其中WSO2 Identity Server 5.1.0配置为密钥管理器，MySQL Community Server 5.6配置为数据库 . 当我尝试刷新使用授权代码授予类型获得的令牌（refresh_token授权类型）时，我收到400错误请求错误（invalid_grant - 提供的授权授予无效），我无法获得新令牌 . 然后，我尝试使用client_credentials和密码授予类型，对于那些我能够刷新令牌 .

我检查了Identity Server日志，发现Identity Server尝试检索最新令牌时出现错误（下面的日志） .

TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Access Token request received for Client ID OQU0_FyRQcdvTFbygziFw67ASHwa, User ID null, Scope : [openid, profile] and Grant Type : refresh_token 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} -  Can authenticate with client ID and Secret. Client ID: OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} -  Grant type : refresh_token Strict client validation set to : null 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Client credentials were available in the cache for client id : OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,470] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Successfully authenticated the client with client id : OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler} -  Error while retrieving the latest refresh token 
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Invalid Grant provided by the client Id: OQU0_FyRQcdvTFbygziFw67ASHwa 
TID: [-1234] [] [2016-12-15 12:40:00,474] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  OAuth-Error-Code=invalid_grant client-id=OQU0_FyRQcdvTFbygziFw67ASHwa grant-type=refresh_token scope=openid profile 
TID: [-1234] [] [2016-12-15 12:40:06,492] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} -  Running deployment synchronizer update... tenant : carbon.super 
TID: [-1234] [] [2016-12-15 12:40:06,588] DEBUG {org.wso2.carbon.core.deployment.CarbonDeploymentSchedulerTask} -  Running deployment synchronizer commit... tenant : carbon.super

我调试了source code，我认为该问题可能与以下SQL查询有关，特别是与USER_DOMAIN = null子句有关 .

SELECT ACCESS_TOKEN, REFRESH_TOKEN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, TOKEN_STATE, USER_TYPE, TOKEN_ID, SUBJECT_IDENTIFIER FROM IDN_OAUTH2_ACCESS_TOKEN WHERE CONSUMER_KEY_ID = (SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY = 'OQU0_FyRQcdvTFbygziFw67ASHwa') AND AUTHZ_USER='michael.pinheiro' AND TENANT_ID=-1234 AND USER_DOMAIN=null AND TOKEN_SCOPE_HASH='369db21a386ae433e65c0ff34d35708d' ORDER BY TIME_CREATED DESC LIMIT 1

我还注意到，在使用授权代码授予类型时，表IDN_OAUTH2_ACCESS_TOKEN中创建的访问令牌将用户域列设置为NULL，但是当使用password或client_credentials grant type时，值为“PRIMARY” .

可能是一个错误，还是我错过了在创建新访问令牌时以某种方式将用户域设置为PRIMARY的任何参数？

我写下了为重现问题而执行的所有步骤：

Step 1: 我通过重定向到https://identity-dev.domain.pt/oauth2/authorize?response_type=code&client_id=OQU0_FyRQcdvTFbygziFw67ASHwa&scope=openid profile＆redirect_uri = http://localhost:8100来获取授权码

Step 2: 使用上一步中收到的代码，我通过执行以下命令获取访问令牌（和刷新令牌）：

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d'grant_type = authorization_code＆client_id = OQU0_FyRQcdvTFbygziFw67ASHwa＆client_secret = 3kC6Uf9f8Lr8HVl2n03dhQc57Jsa＆scope = openid profile＆code = fd2f827afefba0ab0b17f9d701ad1488＆redirect_uri = http://localhost:8100'“https://identity-dev.domain.pt/oauth2/token”

Step 3: 在上一步中使用收到的刷新令牌，我执行以下请求以获取新令牌，但是我收到了400错误请求，如本文所述 .

curl -X POST -H "Authorization: Basic T1FVMF9GeVJRY2R2VEZieWd6aUZ3NjdBU0h3YToza0M2VWY5ZjhMcjhIVmwybjAzZGhRYzU3SnNh" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d 'grant_type=refresh_token&scope=openid profile&refresh_token=7a7da99d70d48e10ac82e3681c63b0a1'“https://identity-dev.domain.pt/oauth2/token”

欢迎任何帮助！