InvalidClientIdentifier when refreshing a token

I’m working on building an OAuth application in PHP, and I’m not the best, and this is my first time doing it.

I’ve managed to get the first part done, where I can authenticate the app and get a valid Access Token, but when I try to refresh the token, I’m getting this error:

“error”: “InvalidClientIdentifier”, “error_description”: “Invalid client identifier {0}”

Does this mean I’m getting the “Basic + base64_encode(CLIENT_ID + ‘:’ + CLIENT_SECRET)” part of my code wrong?

Also, just making sure, the refresh token has the same expiration as the access token? Meaning it’s only valid for 24 hours?

Edit: Here’s the code I’m using to build the request:

    $authentication_header = "Basic ". base64_encode($clientId.':'.$clientSecret);

    $fields = [
        'grant_type'           => 'refresh_token',
        'refresh_token'        => $refresh_token,
        'Header:Authorization' => $authentication_header
    ];

    $fields_string = http_build_query($fields);

Okay, so I had to move the header stuff around a bit but I think I got it.

curl_setopt($ch, CURLOPT_HTTPHEADER, array("Authorization:Basic ". base64_encode($clientId.':'.$clientSecret)));
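The fix described in the post above, written out as an added example that is not part of the thread: the client credentials go in the `Authorization` header and only the grant parameters go in the form body. The endpoint URL, credentials and function names are constructed placeholders, and the check for an HTTP 200 response is an assumption about the token endpoint.

```php
<?php
// Added example. Endpoint, credentials and function names are constructed placeholders.

/** Build cURL options for a refresh_token grant with HTTP Basic client authentication. */
function build_refresh_request(string $tokenUrl, string $clientId, string $clientSecret, string $refreshToken): array
{
    return [
        CURLOPT_URL            => $tokenUrl,
        CURLOPT_POST           => true,
        // Only the grant parameters belong in the form body.
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
        ]),
        // Client credentials travel in the Authorization header, not the body.
        CURLOPT_HTTPHEADER     => [
            'Authorization: Basic ' . base64_encode($clientId . ':' . $clientSecret),
            'Content-Type: application/x-www-form-urlencoded',
        ],
        CURLOPT_RETURNTRANSFER => true,
    ];
}

/** Send the request; return the decoded token response or throw on any failure. */
function refresh_access_token(array $curlOptions): array
{
    $ch = curl_init();
    curl_setopt_array($ch, $curlOptions);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($raw === false) {
        throw new RuntimeException('Transport error: ' . curl_error($ch));
    }
    $json = json_decode($raw, true);
    if ($status !== 200 || !is_array($json) || isset($json['error'])) {
        // Surface the server's error code only; never log the secret or tokens.
        throw new RuntimeException('Token refresh failed: ' . ($json['error'] ?? "HTTP $status"));
    }
    return $json;
}

// Offline check with constructed values: inspect the request without sending it.
$opts = build_refresh_request('https://auth.example.invalid/oauth2/token',
    'demo-client-id', 'demo-client-secret', 'demo-refresh-token');
echo $opts[CURLOPT_POSTFIELDS], PHP_EOL;                      // form body
echo explode(':', $opts[CURLOPT_HTTPHEADER][0])[0], PHP_EOL;  // header name
```

Pass the result of `build_refresh_request()` to `refresh_access_token()` to send it; TLS certificate verification is left at cURL's defaults, which keep it enabled.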

:+1:

To answer your other question: Access Tokens have a short lifetime (24 hours), but Refresh Tokens have a much longer one (45 days).

@TomScott,

Refresh token TTL seems to be bouncing around a lot. First it was three months, then six, now it’s 45 days?

We adjusted the refresh token lifetime length when we migrated from Mashery to Apigee, since the move increased the capabilities that we could take advantage of but were being held back by having to wait six months for changes to guarantee a complete token cycle-out.

Best-practice for security will be to have the refresh tokens last only marginally longer than access tokens (here’s Google Apigee’s guide on the matter), but we determined that going from six months to two days in a narrow window would probably be unnecessarily disruptive.