
Setting Bearer token on Custom Connector using the Generic OAuth2 Identity provider

Within PowerApps, I am trying to connect to an external API using a Custom Connector. That Custom Connector is using the generic OAuth2 identity provider to authenticate using Auth0. The connector has successfully managed to log in, but calls to the external API endpoints are failing. What I need to do is to get the Bearer token in the Authorization header to use the token that Auth0 provides. However, it looks like the token that is actually sent on the endpoint call is a Microsoft one, not the Auth0 one. How can I get it set up so that it uses the Auth0 token?


I have the same issue. Any resolutions?

I did manage to get it to work. You must explicitly ask for the scopes you require in your custom connector settings, otherwise they do not get returned. What confused me is that the token that shows up in the GUI on one of the runs is actually the token used to connect to Microsoft back end services, and not the one returned from Auth0. That Auth0 token is not available to see anywhere.

@akhtar I have the same issue, could you provide some more information about what scopes you needed to set and how you configure the custom connector to specify the audience that needs to be requested when the connection is created with auth0?

 

I have an auth0 application that looks like this:

auth0 application 1.png

and this:

auth0 application 2.png

when I (successfully) log in to the application in the normal interactive way (not from Power Automate) then the login url is:

https://SNIPPED-dev.eu.auth0.com/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A11113&client_id=7EDovlvoLLpK5FiyZ0gNXfQJ34Da0Nkq&audience=https%3A%2F%2Fdev.api.com&scope=openid%20profile%20email%20offline_access&response_type=code&response_mode=query&state=UDZPbkwxTExqcGZnU044czNaZDVkRVdsU3kuN29WSTNFMmhCT2F3YX5wTA%3D%3D&nonce=aWpHNUlfVDV%2BdjE3c2lyOWVuZFU4aGxjUDFSMTU3Tzh6ZXJlVEJhdmVGWg%3D%3D&code_challenge=FMzxLYlWPLTguMx4Coa0IPPeQGLBP2YJKobUE_hAi7w&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiQGF1dGgwL2F1dGgwLWFuZ3VsYXIiLCJ2ZXJzaW9uIjoiMS4yLjAifQ%3D%3D

You can see that an audience of https://dev.api.com is being specified. When I decode the JWT that is sent through to my API in a normal login scenario it looks like this:

{
  "http://p3.peopleplus.truenorthit.co.uk/nickname": "aradice",
  "http://p3.peopleplus.truenorthit.co.uk/name": "aradice@test.com",
  "http://p3.peopleplus.truenorthit.co.uk/email": "aradice@test.com",
  "iss": "https://SNIPPED-dev.eu.auth0.com/",
  "sub": "auth0|5fc626d3aa67b2007595f861",
  "aud": [
    "https://dev.api.com",
    "https://SNIPPED-dev.eu.auth0.com/userinfo"
  ],
  "iat": 1606905089,
  "exp": 1606991489,
  "azp": "7EDovlvoLLpK5FiyZ0gNXfQJ34Da0Nkq",
  "scope": "openid profile email",
  "permissions": [
    "actions:process-own",
    "actions:view-own",
    "notifications:view-own"
  ]
}

You can see that the "aud" array contains the audience I've requested. The JWT that contains all that info is pretty long, about 1300 characters including the signature. But when I try to use Power Automate to create a connection to the same API I notice a couple of things:

 

The auth0 Url that Power Automate uses to set up the connection is quite different from the Url that I hit when logging in to the application in the normal way:

https://SNIPPED-dev.eu.auth0.com/login?state=g6Fo2SBhVnhYUHlJZ29NVW5LR0lKY1ltRURFNTNMcXc0SzF5Z6N0aWTZIDRIUmFxMnR1WVI4bndDZ0o2dENHUVJjeU9JdWhIYzU5o2NpZNkgT0ZVTXBVVXBXSTlHQkQ3SnhpQXBaZmVhTXBsUXJWSkQ&client=7EDovlvoLLpK5FiyZ0gNXfQJ34Da0Nkq&protocol=oauth2&response_type=code&redirect_uri=https%3A%2F%2Fglobal.consent.azure-apim.net%2Fredirect&scope=openid%20profile%20email%20offline_access

When I test my connector the Bearer token that Power Automate sends is tiny, only 32 characters long, and it isn't a JWT. My application rejects this with a 401.

 

I'm also having the same problem as you in that it is extremely difficult to troubleshoot this, as the error that Power Automate reports is with calling one of its own internal endpoints, the real error being hidden away somewhere in the internals:

Test failed.png

 

Can you give me any pointers?

Hi @alexradice,

 

I've got the Custom connector setup like this

 

akhtar_0-1606987995733.png

 

This should automatically set the JWT bearer token on your API requests after the user has logged in. If your PowerApp calls your flow, the user should automatically be presented with your Auth0 logon screen, and the Custom Connector should handle the refresh tokens in the background, without any further intervention.

I fixed this in the end. The problem was that if you don't pass an "audience" querystring argument to the auth0 authorize endpoint then the auth token that is generated will be an opaque token rather than a JWT which cannot be used to authorize API operations. This post explains it: https://community.auth0.com/t/why-is-my-access-token-not-a-jwt-opaque-token/31028 

The Generic OAuth 2 provider in Power Automate does not allow you to specify an "audience" argument, so what I did instead was to create an Azure Function (I could have used any other lightweight serverless technology; I was working on an Azure project so an Azure Function was the obvious choice) that accepted an HTTP GET request and redirected to my auth0 authorize endpoint, including all the original querystring arguments and adding in the "audience" argument that I needed. This worked just fine.
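
A sketch of the redirect function described in the last reply, added here as an example and not the poster's own code. The host and audience are the values quoted in the thread; `buildAuthorizeRedirect` and `handler` are hypothetical names, and the handler assumes the Azure Functions Node.js v3 HTTP-trigger shape (`context.res`, `req.url`). The authorize host and the audience are pinned on the server side so the function forwards only to the one tenant and requests only the one API.

```javascript
// Added example: GET shim that forwards to the Auth0 /authorize endpoint with "audience" added.
// Both constants would normally come from app settings; values here are those quoted in the thread.
const AUTHORIZE_URL = "https://SNIPPED-dev.eu.auth0.com/authorize";
const API_AUDIENCE = "https://dev.api.com";

// Build the Location value for the 302 from the URL the connector called.
function buildAuthorizeRedirect(incomingUrl, authorizeUrl = AUTHORIZE_URL, audience = API_AUDIENCE) {
  const incoming = new URL(incomingUrl); // throws on a malformed URL
  const target = new URL(authorizeUrl);
  if (target.protocol !== "https:") {
    throw new Error("authorize endpoint must be https");
  }
  // Copy every original argument (state, redirect_uri, scope, client_id, ...) unchanged,
  // except a caller-supplied audience, which is dropped.
  for (const [key, value] of incoming.searchParams) {
    if (key === "audience") continue;
    target.searchParams.append(key, value);
  }
  // The audience is fixed here, never taken from the request, so the shim
  // cannot be steered into requesting tokens for a different API.
  target.searchParams.set("audience", audience);
  return target.toString();
}

// HTTP-trigger handler (assumed Azure Functions Node.js v3 model; export it as the entry point).
async function handler(context, req) {
  try {
    context.res = {
      status: 302,
      headers: { Location: buildAuthorizeRedirect(req.url), "Cache-Control": "no-store" },
      body: "",
    };
  } catch (err) {
    // Malformed request URL or misconfigured endpoint: do not redirect anywhere.
    context.res = { status: 400, body: "bad request" };
  }
}
```
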
