In this question, I managed to obtain an access code and refresh code from the STEX API:

Why do I have to specify the redirection URI when using authorization token to get access token in OAuth2?

So I surfed the web, got an authorization code, put the code in my program, and I got a refresh code.

    Dim code = "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"
    Dim token2 = CookieAwareWebClient.downloadString1("https://api3.stex.com/oauth/token", "grant_type=authorization_code&code=" + code + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1 + "&redirect_uri=https://apidocs.stex.com/oauth2-redirect.html", {})

    Dim jtoken1 = JToken.Parse(token2)
    Dim refreshtoken = jtoken1.Item("refresh_token").ToString

This is what I get

jtoken1 is

{"token_type":"Bearer","expires_in":43200,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImM2NTdjY2ZlNTg2M2ZjMWYyZDIyZWFhNTY0NDcyOGI4MjU5ODY0MjYxZWI4N2IzYjVkMTY2Y2VmZmU2Y2E2ZDNjNmM0MWE0ZTA3MjA1Nzc0In0.eyJhdWQiOiIxNDQiLCJqdGkiOiJjNjU3Y2NmZTU4NjNmYzFmMmQyMmVhYTU2NDQ3MjhiODI1OTg2NDI2MWViODdiM2I1ZDE2NmNlZmZlNmNhNmQzYzZjNDFhNGUwNzIwNTc3NCIsImlhdCI6MTU1MzUwNjQ5NCwibmJmIjoxNTUzNTA2NDk0LCJleHAiOjE1NTM1NDk2OTQsInN1YiI6IjMxOTgwMSIsInNjb3BlcyI6WyJ0cmFkZSIsInByb2ZpbGUiXX0.PU3Hf06PCfdUQHtTIpCbzWVnA8cCl_Vtt7ecMkif5_HKYbab2z3SjI9EEtbEBMtVzzdCftI26WjjptVdA4oaxEEdM8GYhuGcH30EU8ja1RTxa0LU-jRfFS_eALPf49oFkLcy6UvwZqfTAoDVu3qissC4GRmL-nar9D_5Re2qKcmHnd6Tk7P12ANUjf4URbMC6wy6Zr7Rr7eX9iR87yFqso786599mCmnOyTheBeru-w_j9UFeRXW8UF-oGOYtc2v1qwxsjxMPjZQOrVBdmgiz61MrXFgnaermcjxcWdEL9caJ__-i1991ErU01I3rXJ4xPPxik_4jIwPkhhLnQT73oA-baBycPIjNBja9pPEq-xLCzJgnDIT3A5dtqgjx9eV6Hdmv6lwYr21NfqJLVVQLmToRkDCmMeUXW71uFa77MonGhUkjni4K02kakWJnSQ3IvXgz9ZofV_DUcoxvA0fQmzvGq1_E9_DGBunMJwYNmWByQ0oGvtsZNKCprGtk_4-j1L-wUUds3lviPKDzzpcm7Bgaflpv3y6yeDO_7xW0zwVmfGF6McRaaUCsWyJduR3CnuDmJhs1pAv6CywFjoEZHEFSsqXFLWJVZ6RDU67BzmwV85-kdiZKN1nX6BvoYgYzeyKZpOU_M-jrn2M2DV7ppwXaQauWYHCpF0Gz9doH-U","refresh_token":"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"}

and then refreshtoken is

"def50200517e96e9967aac626d1ca816e6df77cac0b33ab528d0bae8cc4b5fb6475dd9884301017259028365dbcd1abb9f7e00dccc550ce824af672eeacaf291d07805b5e44daa7b18d59f5c4da6db342d9502f54e2330fdfb9cda81177a675cdc68349d9bc974d47a20d6e8de4a7a24dba71bc9c7eb02ff5998628ed4b72688aaf5a8f6cc390208cc799563dbbde53bf411a4aed6106ebbdb7468506eb8ec48dc79581e0af2497eaca8fd06a405f44c18def16e4d9fc6e8569c1f3add3ae87c39836d5e0aa7ca20ec5967baded4aa9a443dc41dbd6aa80b790747aca1d6ceba9ec834ff7f4c9d7534fa9c7b348e8860cca091c7d8cb6b736d699687c6171eeebf3ab762bc6e8066e2b933f0934c80476d9539aca39525424fa4125887ccf70f7295407f7cb9815b6fbb63878afdfe4a3a5808731a12c4f2b4c553763e8ae8df07cad5f21050d164832d3dd426267c8292dc8b3ffce46dc5938f01676be89b67014bfdcb73e5e5c85f9a460cbd52021f8103c3d69b23d2e86a"

Obviously I do not want to hard-code an authorization code that changes all the time in my program.

I suppose I would "store" the refresh code in a file, and then use that refresh code again to get the access code.

Is that what I should do?

In any case, I looked at the STEX PHP sample, and this is what I see:

    private function getToken($client)
    {
        try {
            if (file_exists(self::JSON_SETTINGS)) {
                $this->currentToken = json_decode(file_get_contents(self::JSON_SETTINGS));
            } else {
                $this->currentToken = json_decode(json_encode([
                    'access_token' => $this->option['tokenObject']['access_token'],
                    'refresh_token' => $this->option['tokenObject']['refresh_token'],
                    'expires_in' => null,
                    'expires_in_date' => null
                ]));
            }
            if ($this->currentToken && $this->currentToken->expires_in_date && date($this->currentToken->expires_in_date) > date("Y-m-d H:i:s",
                    time())) {
                return $this->currentToken->access_token;
            }
            $request = $client->post($this->option['accessTokenUrl'], [
                'form_params' => [
                    'grant_type' => 'refresh_token',
                    'refresh_token' => $this->currentToken->refresh_token,
                    'client_id' => $this->client_id,
                    'client_secret' => $this->client_secret,
                    'scope' => $this->option['scope'],
                ],
            ]);
            $this->currentToken = json_decode($request->getBody());
            $this->currentToken->expires_in_date = date("Y-m-d H:i:s", time() + $this->currentToken->expires_in);
            file_put_contents(self::JSON_SETTINGS, json_encode($this->currentToken));
        } catch (\Exception $e) {
            throw new \Error($e->getMessage());
        }
        return $this->currentToken->access_token;
    }

It seems that the STEX sample code, which you can get at https://github.com/StocksExchange/php-client, somehow already "knows" a refresh_token. I looked at the code, and I have no idea how they get their refresh_token initially. However, it seems that once you have a refresh_token, you can keep getting it.

I wonder if the refresh_token changes all the time every time we ask for another one.

In any case, I try to get another access token just after I get my first one.

I do this

    Dim token1 = CookieAwareWebClient.downloadString1("https://api3.stex.com/oauth/token", "grant_type=refresh_token&refreshtoken=" + refreshtoken + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1 + "&scope=trade%20profile&redirect_uri=https://apidocs.stex.com/oauth2-redirect.html", {})

And I get 400 error. Bad request.

The code basically does a post without any additional headers. Similar code worked fine when I was getting my first access token.

Additional info: STEX has a Swagger UI. If I capture live HTTP headers, this is how they got the access token. However, the Swagger UI doesn't try to get another refresh token, so I don't exactly know how to do so.

You can check here https://apidocs.stex.com/

I still get 400 error.

The code token that I managed to get is the following

{{  "token_type": "Bearer",  "expires_in": 43200,  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImQ2Y2Y5MWFlNDc3NGIwNWIyNjk3ZjYzZDRkNzE4M2M3ODExNGJhOTZlN2EzMzdlYWI2NmQxMjY2MWNmMTFiYmRhMWY3ODA2YTNjYWVkN2ZlIn0.eyJhdWQiOiIxNDQiLCJqdGkiOiJkNmNmOTFhZTQ3NzRiMDViMjY5N2Y2M2Q0ZDcxODNjNzgxMTRiYTk2ZTdhMzM3ZWFiNjZkMTI2NjFjZjExYmJkYTFmNzgwNmEzY2FlZDdmZSIsImlhdCI6MTU1NDc1MDM0NywibmJmIjoxNTU0NzUwMzQ3LCJleHAiOjE1NTQ3OTM1NDcsInN1YiI6IjMxOTgwMSIsInNjb3BlcyI6WyJ0cmFkZSIsInByb2ZpbGUiXX0.buJmntuGIaVjlXRfycplmQ9nlt_X8onH6rvb-7gy_4wQggG19AlivLEafrIY-qSGx0G89cT3ebaDmS_4PD2b_0bB_8BPVwB9sUSJxTvDK8XheI75wK9VSklaOKPSEXIN7FJfq2rHgy_V432Q_wGVAWp892ic8f6MoBw1UfhfT5ev6B6qbBzONf0Gywf0yTCyy5mmZY2B3Fi-c9e-_b0pzicKYRuwxOU5K98FT3QG3HpA9TzD5mumy0cmoBa-7kT3n2kQXosjZi959Yxe_r4KHD2WzsQpsMpq-NKndbCTOsgZh3fi3N8TitHSefgBeOCRPE2QDp_jDE3y_RtJ9Yk-d9vcknazS269s7lxe6YJxblzTY-lGK_hR6NE2HkiveLtZU6dC34TjtaryReACaepoKbnpwKGCYR_kWnQYxT0aThqYcKRsySrEuNII2O04_ZXc4I990bnKfdffGoawoZS0qzjoFRkdSzOBj3wKJYADCb1DyibBPTg6ADTV9Tb28Hb_nHRD-fIciFSqmCOHN58jx8Dv0jbgjPOhthcLCT90Ywy82_NTC9kUFaD1o0kulwYKjMxEHtP4EjNBnSMNUaqC7uV__nuZhHFhKCMgRIQRZN2VTx76HVKcjpS-LuuYXs6bp4RcRmZ1LMRT__7h025llJSI4i6DHwc-4Me1s2X3SU",  "refresh_token": "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"}}

The code I used to get another refresh token is

    Dim post = "grant_type=refresh_token&refreshtoken=" + refreshtoken + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1 + "&scope=trade profile"
    'post = grant_type=refresh_token&refreshtoken=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&client_id=144&client_secret=lcUPy7ANJ0rkqkvt25JQdJoL3w4hYsyX3SWP97jL&scope=trade profile
    Dim token1 = CookieAwareWebClient.downloadString1("https://api3.stex.com/oauth/token", post, {})

Notice I didn't encode the space between trade and profile. Encoding it doesn't help. In fact, if anyone can try creating an API for STEX and try it themselves it'll be great.

Another Update:

The error I got is error 400

invalid_request

This error occurs when there is a missing parameter that includes multiple credentials, unsupported parameter value.

https://www.tutorialspoint.com/oauth2.0/access_token_error_response_codes.htm

The code I used to get the new access token with refresh token is

    Dim post = "grant_type=refresh_token&refreshtoken=" + refreshToken + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1 + "&scope=trade profile"
    'post = grant_type=refresh_token&refreshtoken=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&client_id=144&client_secret=lcUPy7ANJ0rkqkvt25JQdJoL3w4hYsyX3SWP97jL&scope=trade profile
    tokenstring = CookieAwareWebClient.downloadString1("https://api3.stex.com/oauth/token", post, {})
    saveJtoken(tokenstring)
    jtoken1 = JObject.Parse(tokenstring) 'reparse tokenstring with new string

From that code, the parameters I sent are

    grant_type=refresh_token
    refreshtoken=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
    client_id=144
    client_secret=lcUPy7ANJ0rkqkvt25JQdJoL3w4hYsyX3SWP97jL
    scope=trade profile

user4951

2 Answers

1

Looking at their code, you have to have already done the OAuth2 initialization BEFORE you use their API. Once you've done that, their API saves the entire token (access/refresh/expiry) to the settings.json file.

I would try the following:

  • Remove the redirect_uri from the refresh request: I've seen these fail if you add parameters that the implementation isn't expecting
  • Check that the scope(s) you are requesting for the refresh match the scopes you were originally granted
  • Ensure you're not requesting the refresh too early: I've seen services that only let you request the refresh token within a certain time of or after the actual expiry. In their source they only ask for a refresh after the token has expired.
Femi
  • So for their code to work, the entire token is already stored in the settings.json file. And that's not done in PHP. It's done somewhere else. Am I correct? – user4951 Apr 04 '19 at 08:43
  • Oh redirect_uri is mandatory in getting access token but not mandatory or disallowed when getting refresh token. Is that so? – user4951 Apr 04 '19 at 08:55
  • Hello did you get the bounty? – user4951 Apr 06 '19 at 14:53
  • No, you have to mark it as answered. And yes, I think the redirect_uri is not allowed, but you'd have to look at the STEX docs. And yes, the entire token is already stored. – Femi Apr 06 '19 at 18:20
  • Okay let me check first. – user4951 Apr 08 '19 at 18:17
  • I still get 400 bad request. I will add more info – user4951 Apr 08 '19 at 19:08
  • I already authorized. That's how I get access token. The issue is I do not want to have to authorize it every time the program runs. I want to save the refreshtoken somewhere and well use it properly. – user4951 Apr 08 '19 at 19:28
  • What is the message with the 400 error? Looking at their sample code `if ($this->currentToken && $this->currentToken->expires_in_date && date($this->currentToken->expires_in_date) > date("Y-m-d H:i:s", time())) { return $this->currentToken->access_token; }` it doesn't appear as if you can use the refresh token until the current access token expires. I'd get an initial access_token and refresh_token, then WAIT until it expires and then try again. – Femi Apr 09 '19 at 04:24
  • we actually got messages? No messages. Just 400. Bad request – user4951 Apr 09 '19 at 05:15
0

It finally works.

Why?

I look at this code

    Dim post = "grant_type=refresh_token&refreshtoken=" + refreshToken + "&client_id=" + _apiKey1 + "&client_secret=" + _secret1 + "&scope=trade profile"

There should be an _ between refresh and token.

It should be

    "grant_type=refresh_token&refresh_token="
user4951
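
The fix in this answer, as an added example (not code from the posts above or from the STEX client): build the refresh body with a form encoder and check parameter names against those RFC 6749 section 6 defines for a refresh request, so a misspelling such as `refreshtoken` is caught before the server answers 400. The function names, sample values and file layout are assumptions made for illustration.

```python
import json
import os
import time
from urllib.parse import parse_qsl, urlencode

# Parameters RFC 6749 section 6 defines for a refresh request, plus the client
# credentials the posts above send in the body.
REFRESH_PARAMS = {"grant_type", "refresh_token", "scope", "client_id", "client_secret"}
REQUIRED = {"grant_type", "refresh_token"}

# Constructed sample: same shape as the failing request, with placeholder values.
BUGGY_BODY = ("grant_type=refresh_token&refreshtoken=SAMPLE_REFRESH"
              "&client_id=144&client_secret=SAMPLE_SECRET&scope=trade profile")


def build_refresh_body(refresh_token, client_id, client_secret, scope=None):
    """Return a form-encoded body for a refresh_token grant."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token,
              "client_id": client_id, "client_secret": client_secret}
    if scope:
        fields["scope"] = scope  # urlencode() encodes the space as '+'
    return urlencode(fields)


def lint_refresh_body(body):
    """List parameter-name problems in a hand-built refresh body."""
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    problems = [f"not a refresh parameter: {n}" for n in names if n not in REFRESH_PARAMS]
    problems += [f"missing parameter: {n}" for n in sorted(REQUIRED - set(names))]
    return problems


def save_token(path, response, now=None):
    """Store a token response with an absolute expiry; a new file is owner-only (0600)."""
    issued = time.time() if now is None else now
    record = dict(response, expires_at=issued + response["expires_in"])
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    return record


def needs_refresh(record, now=None, skew=60):
    """True once the stored access token is expired or within `skew` seconds of expiry."""
    current = time.time() if now is None else now
    return current >= record["expires_at"] - skew


if __name__ == "__main__":
    print(lint_refresh_body(BUGGY_BODY))
    print(build_refresh_body("SAMPLE_REFRESH", "144", "SAMPLE_SECRET", "trade profile"))
```

Because `save_token` writes the whole response, a server that returns a new refresh token with each refresh has the newest one stored for the next run.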