oauth2-example | small example of a Node OAuth2 server | Runtime Evironment library

I assume that the Cannot convert access token to JSON might have been due to incorrectly pasted token.

As for Invalid refresh token, it occurs because when JwtTokenStore reads the refresh token, it validates the scopes and revocation with InMemoryApprovalStore. However, for this implementation, the approvals are registered only during authorization through /oauth/authorize URL (Authorisation Code Grant) by the ApprovalStoreUserApprovalHandler.

Especially for the Authorisation Code Grant (authorization_code), you want to have this validation, so that the refresh token request will not be called with an extended scope without the user knowledge. Moreover, it's optional to store approvals for future revocation.

The solution is to fill the ApprovalStore with the Approval list for all resource owners either statically or dynamically. Additionally, you might be missing setting the user details service endpoints.userDetailsService(userDetailsService) which is used during the refresh process.

Update:

You can verify this by creating pre-filled InMemoryApprovalStore:

You are trying to fetch the auth URL via cURL - that can not work, this authorization flow requires user interaction. You need to redirect the user to this URL in their browser.

You can either redirect the user to that URL automatically; or you just put it into the href attribute of a link, so that the user can click on that then, to start the whole process. (I would recommend the second option in general, but at least during development. With an automatic redirect, there’s a good chance you’ll create a circular redirect again, if anything goes wrong.)