Knots
Frequent Visitor

Custom Connector - OAuth2 - Old refresh token used

We've created a custom connector for Exact Online, but are having issues with the access tokens. Everything works, but at some point the connection states it "Can't sign in" and you'll need to fix the connection before you can use it again. When checking the detail of that connection, it states:

Failed to refresh access token for service: oauth2. Correlation Id=..., UTC TimeStamp=..., Error: OAuth 2 access token refresh failed. Client ID and secret sent in form body.. Response status code=Unauthorized. Response body: {"error":"unauthorized_client","error_description":"Old refresh token used."}

The authentication type of the custom component is set to OAuth2. The identity provider is the Generic OAuth2 one. It uses the "Authorization Code" flow. We've tried the "Implicit" one as well to no avail.

Since the connection works initially, the authorization and token URL seem to be correct. We can authenticate and use the connection in an, e.g. Canvas App.
According to the documentation, the refresh URL is the same as the token URL:

../api/oauth2/token

If the token would expire once a month or so, I could live with it, but the token expires after just 10 minutes...

Can anyone tell me why an old refresh token is used? Is the token simply not updated after refreshing it? Is it refreshing multiple times simultaneously, in which case the second call probably results in the error?

What am I missing?

edit: added additional information regarding the authentication method.

Anonymous
Not applicable

I would either reach out and see if they have a configurable token lifetime, or rework the custom connector to not use the preconfigured OAuth security tab.  You will still do OAuth 2, you will just handle the refresh calls yourself like the example below.  Flow would need to store the last refresh token, clientID and clientSecret in a secure location like Azure Key Vault.  This is what is recommended for "Backend Applications" on their site.

POST ../api/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=Gcp7!IAAAABh4eI8DgkxRyGGyHPLLOz3y9Ss…
&client_id=b81cc4de-d192-400e-bcb4-09254394c52a
&client_secret=n3G7KAhcv8OH

Don't forget to save the new refresh token back to Key Vault.  Subsequent calls to your custom connector for data should include the bearer token in an authorization header.   Flow will pass the token to the connector.

Key: authorization  Value: Bearer AAEAAGxWulSxg7ZT-MPQMWOqQmssMzGa…

Knots
Frequent Visitor

Thanks for the response.

Regarding the flow to refresh access tokens:

  1. As the connection for this API no longer has any security defined, how would the user initially authenticate?
  2. Isn't this simply a bug in the Power Apps connections? It feels wrong to "write custom code", i.e. a flow, to refresh an authentication token, right?
Anonymous
Not applicable

1.  If this is intended as a backend service, the goal is to keep it running without user intervention.  Since you've already authenticated, you should be able to run indefinitely.  If you do need an initial authentication, you could compose that in another custom action.  You could put it into a try/catch where you try the refresh token, and reauthenticate on failure.

2.  This is a 3rd party API, so getting Microsoft to troubleshoot it for you may be sketchy.  It MAY be an issue with the custom connector, but more likely Exact Online is doing something noncompliant.

You may have better success with asking Exact Online to troubleshoot it.  It is to their benefit to play well with Microsoft tools.  I created a custom connector for another 3rd party API, who later added their own Flow connector.  Long story short, theirs broke last week because Microsoft tightened up their specs on the JSON object, so I'm very grateful I'm still using my custom one.  It may be "wrong", but necessary in order to keep production services running.

JOAS_Niels
Helper I

Hi @Knots ,

Did you find a solution? I'm also trying to make a custom connector for the Exact Online API.

Thanks!

It is quite challenging to work around the "Old refresh token used" issue of Exact Online. It was introduced in 2019, but only for some apps. Most apps received an exemption, but that is no longer possible. In Dutch you can find some background on https://forums.invantive.com/t/exact-online-foutmelding-old-refresh-token-used/1427.

A recent change is that the refresh token handed out is not yet activated; it is activated on the first call. Otherwise, the previous valid refresh token remains the starting point for the single-instance chain.

Things are getting worse since the implementation has some technical issues breaking the chain. A change is currently rolling out (already live in UK, DE, FR, ES and BE) that requires a minimum interval between two access token and associated refresh token refreshes. Also, the lifetime of an unused refresh token is being reduced to 30 days.

I recommend writing a little proxy that does the heavy lifting and not relying on the apps stack. Exact is the sole vendor I know of that has such challenging security requirements in place using Code Grant Flow. Atlassian and some others are reducing lifetime slowly, but a single-instance validity is nowhere else to be found. Even with a proxy (we offer Invantive Cloud as a proxy) it can be quite challenging.

Another alternative is to use a separate hosted environment to load data into a data platform such as an Elastic Pool (check license conditions).

A final alternative is to use Implicit Grant Flow only and automatically calculate the verification code from the TOTP secret.

Hi @guido ,

Thanks for the information. Do you mean it is possible to use Invantive Cloud as proxy between Exact Online and Power Automate?

guido
New Member

Maybe, never tested it. It is mainly used for Power BI, Power Query and ADF. Some use it with Google Functions.

I meant to state that it is maybe wiser to write and introduce a separate component between Microsoft and Exact which does the heavy lifting. The recent changes of Exact and deviations from common standards make it quite hard and expensive with most connecting platforms to directly connect and keep it running at a serious scale. A proxy can handle these issues such as semaphores more gracefully, whether written in some serverless-code or plain old website / service.
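Added example (not code from this thread, from Exact Online, Microsoft or Invantive): a small Python model of the approach in the two replies above, i.e. Anonymous's suggestion to do the refresh call yourself and write the new refresh token back to a secure store, and guido's point that a proxy can serialise refreshes with a semaphore. FakeAuthServer, TokenStore and TokenProxy are constructed stand-ins (the server only enforces the single-use refresh-token chain the thread describes, nothing else about Exact's real behaviour), and <client-id>/<client-secret> are placeholders. unsynchronised_refresh_race() reproduces the "Old refresh token used" response from the opening post; concurrent_callers_through_proxy() shows eight simultaneous callers producing a single refresh.

```python
"""Added example (not code from this thread, Exact Online, Microsoft or Invantive).

Models single-use (rotating) refresh tokens: refreshing from a shared token
without coordination yields "Old refresh token used", while a small proxy that
serialises refreshes and persists the rotated token avoids it. Every class and
token value below is a constructed stand-in.
"""
import secrets
import threading
import time


class FakeAuthServer:
    """Constructed stand-in for ../api/oauth2/token with single-use refresh tokens.

    Only the most recently issued refresh token is valid (a single-instance
    chain); presenting any earlier one is rejected the way the thread shows.
    """

    def __init__(self, access_ttl=600):
        self.access_ttl = access_ttl          # the 10-minute lifetime from the question
        self.current_refresh = "rt-initial"
        self._lock = threading.Lock()

    def refresh(self, form):
        with self._lock:
            if form.get("grant_type") != "refresh_token":
                return 400, {"error": "unsupported_grant_type"}
            if form.get("refresh_token") != self.current_refresh:
                return 401, {"error": "unauthorized_client",
                             "error_description": "Old refresh token used."}
            self.current_refresh = "rt-" + secrets.token_hex(8)  # rotate the chain
            return 200, {"access_token": "at-" + secrets.token_hex(8),
                         "expires_in": self.access_ttl,
                         "refresh_token": self.current_refresh}


class TokenStore:
    """Constructed stand-in for a secret store such as Azure Key Vault."""

    def __init__(self, refresh_token):
        self.refresh_token = refresh_token


class TokenProxy:
    """One process-wide gate in front of the token endpoint."""

    def __init__(self, server, store, skew=60):
        self.server, self.store, self.skew = server, store, skew
        self.access_token, self.expires_at = None, 0.0
        self.refresh_count = 0
        self._lock = threading.Lock()      # the "semaphore" from guido's reply

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        with self._lock:
            # Callers arriving during a refresh wait here and reuse its result
            # instead of sending a second refresh with the same (now stale) token.
            if self.access_token and now < self.expires_at - self.skew:
                return self.access_token
            status, body = self.server.refresh({
                "grant_type": "refresh_token",
                "refresh_token": self.store.refresh_token,
                "client_id": "<client-id>",          # placeholder
                "client_secret": "<client-secret>",  # placeholder
            })
            if status != 200:
                raise RuntimeError(f"refresh failed: {status} {body}")
            # Persist the rotated refresh token before the new access token is
            # used anywhere, so a crash at this point does not orphan the chain.
            self.store.refresh_token = body["refresh_token"]
            self.access_token = body["access_token"]
            self.expires_at = now + body["expires_in"]
            self.refresh_count += 1
            return self.access_token


def unsynchronised_refresh_race():
    """Two callers both refresh from the same stored token: the second fails."""
    server = FakeAuthServer()
    form = {"grant_type": "refresh_token", "refresh_token": server.current_refresh}
    first, second = server.refresh(dict(form)), server.refresh(dict(form))
    return first[0], second[0], second[1].get("error_description")


def concurrent_callers_through_proxy(n=8):
    """n threads ask the proxy at once; exactly one refresh reaches the server."""
    server = FakeAuthServer()
    proxy = TokenProxy(server, TokenStore(server.current_refresh))
    tokens = []
    threads = [threading.Thread(target=lambda: tokens.append(proxy.get_access_token()))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(set(tokens)), proxy.refresh_count


if __name__ == "__main__":
    print("race without proxy:", unsynchronised_refresh_race())
    print("(distinct tokens, refreshes) via proxy:", concurrent_callers_through_proxy())
```

Run it directly to see both results. The two properties that matter are the lock (a second caller never sends the token the first caller has just consumed) and the order of operations after a successful refresh (the rotated refresh token is written to the store before the access token is handed out), which is the step a Flow-based approach has to get right as well.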

Thanks for your answer. Writing a proxy is probably a bit over my head. I would have to dig into that. Quite annoying what Exact is doing...

guido
New Member

Yes, creating a proxy from scratch can be quite time-consuming, but maybe some library is available like picqer for the outgoing part to Exact.
