Knots
Frequent Visitor

Custom Connector - OAuth2 - Old refresh token used

We've created a custom connector for Exact Online, but are having issues with the access tokens. Everything works, but at some point the connection states it "Can't sign in" and you'll need to fix the connection before you can use it again. When checking the detail of that connection, it states:

Failed to refresh access token for service: oauth2. Correlation Id=..., UTC TimeStamp=..., Error: OAuth 2 access token refresh failed. Client ID and secret sent in form body.. Response status code=Unauthorized. Response body: {"error":"unauthorized_client","error_description":"Old refresh token used."}

The authentication type of the custom component is set to OAuth2. The identity provider is the Generic OAuth2 one. It uses the "Authorization Code" flow. We've tried the "Implicit" one as well to no avail.

 

Since the connection works initially, the authorization and token URL seem to be correct. We can authenticate and use the connection in, e.g., a Canvas App.
According to the documentation, the refresh URL is the same as the token URL:

../api/oauth2/token

If the token would expire once a month or so, I could live with it, but the token expires after just 10 minutes...

Can anyone tell me why an old refresh token is used? Is the token simply not updated after refreshing it? Is it refreshing multiple times simultaneously, in which case the second call probably results in the error?

What am I missing?

 

edit: added additional information regarding the authentication method.

Steveo1
Advocate I

I would either reach out and see if they have a configurable token lifetime, or rework the custom connector to not use the preconfigured OAuth security tab.  You will still do OAuth 2, you will just handle the refresh calls yourself like the example below.  Flow would need to store the last refresh token, clientID and clientSecret in a secure location like Azure Key Vault.  This is what is recommended for "Backend Applications" on their site.

 

 

POST ../api/oauth2/token
Content-Type: application/x-www-form-urlencoded

{
refresh_token: "Gcp7!IAAAABh4eI8DgkxRyGGyHPLLOz3y9Ss …",
grant_type: "refresh_token",
client_id: "b81cc4de-d192-400e-bcb4-09254394c52a",
client_secret: "n3G7KAhcv8OH"
}

 

 

Don't forget to save the new refresh token back to Key Vault.  Subsequent calls to your custom connector for data should include the bearer token in an authorization header.   Flow will pass the token to the connector.

Key: authorization  Value: Bearer AAEAAGxWulSxg7ZT-MPQMWOqQmssMzGa…
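
The failure asked about in the question (two refreshes sending the same stored token) and the "save the new refresh token back" step from the reply above, as an added example that is not part of the original posts and is not Exact Online or Microsoft code. It assumes the token endpoint issues single-use refresh tokens, as the error message implies; `RotatingTokenServer` is a constructed in-memory stand-in and `TokenClient` is a hypothetical client, with the 600-second lifetime mirroring the 10 minutes mentioned in the question.

```python
import secrets
import threading
import time

class RotatingTokenServer:
    """Constructed stand-in for a token endpoint with single-use refresh tokens."""
    def __init__(self):
        self.current = secrets.token_urlsafe(16)

    def refresh(self, refresh_token):
        if refresh_token != self.current:  # this token was already exchanged
            return 401, {"error": "unauthorized_client",
                         "error_description": "Old refresh token used."}
        self.current = secrets.token_urlsafe(16)  # rotate on every success
        return 200, {"access_token": secrets.token_urlsafe(16),
                     "refresh_token": self.current, "expires_in": 600}

def naive_double_refresh(server, refresh_token):
    """Two refreshes sending the same stored token: the second is rejected."""
    return server.refresh(refresh_token)[0], server.refresh(refresh_token)[0]

class TokenClient:
    """Hypothetical client: serializes refreshes and saves the rotated token."""
    def __init__(self, server, refresh_token, clock=time.monotonic):
        self.server, self.clock = server, clock
        self.refresh_token = refresh_token  # would live in a secret store
        self.access_token, self.expires_at = None, 0.0
        self.refresh_calls = 0
        self._lock = threading.Lock()

    def get_access_token(self):
        with self._lock:  # only one caller may refresh at a time
            if self.access_token and self.clock() < self.expires_at - 30:
                return self.access_token  # still valid, no refresh needed
            status, body = self.server.refresh(self.refresh_token)
            self.refresh_calls += 1
            if status != 200:
                raise PermissionError(body["error_description"])
            # Save the new refresh token first; the old one is now dead.
            self.refresh_token = body["refresh_token"]
            self.access_token = body["access_token"]
            self.expires_at = self.clock() + body["expires_in"]
            return self.access_token

if __name__ == "__main__":
    srv = RotatingTokenServer()
    print(naive_double_refresh(srv, srv.current))  # second call fails
    client = TokenClient(srv, srv.current)
    print(client.get_access_token() == client.get_access_token())
```

In a real deployment the lock has to cover every process or flow run that shares the stored refresh token, not only the threads of one process.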

 

Knots
Frequent Visitor

Thanks for the response.

Regarding the flow to refresh access tokens:

  1. As the connection for this API no longer has any security defined, how would the user initially authenticate?
  2. Isn't this simply a bug in the Power Apps connections? It feels wrong to "write custom code", i.e. a flow, to refresh an authentication token, right?
Steveo1
Advocate I

1.  If this is intended as a backend service, the goal is to keep it running without user intervention.  Since you've already authenticated, you should be able to run indefinitely.  If you do need an initial authentication, you could compose that in another custom action.  You could put it into a try/catch where you try the refresh token, and reauthenticate on failure.

 

2.  This is a 3rd party API, so getting Microsoft to troubleshoot it for you may be sketchy.  It MAY be an issue with the custom connector, but more likely Exact Online is doing something noncompliant. 

 

You may have better success with asking Exact Online to troubleshoot it.  It is to their benefit to play well with Microsoft tools.  I created a custom connector for another 3rd party API, who later added their own Flow connector.  Long story short, theirs broke last week because Microsoft tightened up their specs on the JSON object, so I'm very grateful I'm still using my custom one.  It may be "wrong", but necessary in order to keep production services running.

Steveo1
Advocate I

1.  If this is intended as a backend service, the goal is to keep it running without user intervention.  Since you've already authenticated, you should be able to run indefinitely.  If you do need an initial authentication, you could compose that in another custom action.  You could put it into a try/catch where you try the refresh token, and reauthenticate on failure.

 

2.  This is a 3rd party API, so getting Microsoft to troubleshoot it for you may be sketchy.  It MAY be an issue with the custom connector, but more likely Exact Online is doing something noncompliant. 

 

You may have better success with asking Exact Online to troubleshoot it.  It is to their benefit to play well with Microsoft tools.  I created a custom connector for another 3rd party API, who later added their own Flow connector.  Long story short, the 3rd party Flow connector broke last week because Microsoft tightened up their specs on the JSON object, so I'm very grateful I'm still using my custom one.  It may be "wrong", but necessary in order to keep production services running.
