cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Knots
Frequent Visitor

Custom Connector - OAuth2 - Old refresh token used

We've created a custom connector for Exact Online, but are having issues with the access tokens. Everything works, but at some point the connection states it "Can't sign in" and you'll need to fix the connection before you can use it again. When checking the detail of that connection, it states:

 

 

 

Failed to refresh access token for service: oauth2. Correlation Id=..., UTC TimeStamp=..., Error: OAuth 2 access token refresh failed. Client ID and secret sent in form body.. Response status code=Unauthorized. Response body: {"error":"unauthorized_client","error_description":"Old refresh token used."}

 

 

 


The authentication type of the custom component is set to OAuth2. The identity provider is the Generic OAuth2 one. It uses the "Authorization Code" flow. We've tried the "Implicit" one as well to no avail.

 

Since the connection works initially, the authorization and token URL seem to be correct. We can authenticate and use the connection in an, e.g. Canvas App.
According to the documentation, the refresh URL is the same as the token URL:

 

 

 

../api/oauth2/token

 

 

 


If the token would expire once a month or so, I could live with it, but the token expires after just 10 minutes...

Can anyone tell me why an old refresh token is used? Is the token simply not updated after refreshing it? Is it refreshing multiple times simultaneously, in which case the second call probably results in the error?

What am I missing?

 

edit: added additional information regarding the authentication method.

50 REPLIES 50

The documentation says that with each refresh, a new acces code is generated:

Knowledge Base - Step 4. Obtain new access tokens (exactonline.com)

Yes, I meant the refresh token. The custom connector seems to be refreshing the access token correctly (if using only one connection), but apparently does not refresh the refresh token (correctly). That's my interpretation, because the refresh token becomes invalid after a month.

In that scenario, you still need to store the new refresh token that has just been "manually" refreshed somewhere inside Power Platform's connection settings. 

Yep, and that's not possible as far as I know. And that leads as back to building a custom proxy, unfortunately. 

DerekH_AU
Frequent Visitor

A couple of ways I have gotten around authentication issues (albeit not for an oauth issue that the platform should be handling, but power automate is pretty rigid in its implementation of oauth, or their interpretation of the standard)...

Doing a poll/keep alive, even just a list records or some other ping on the connection (in my case the token was only valid for 60 mins, but the refresh tokens were valid for much longer so getting my reference data every 24 hours was enough).

For a different type of auth, I configured all my requests to include an extra header parameter which allowed me to pass through the required auth token. I used the new custom connector code to modify the request to change that value to the required auth header for the request. You'd still need to manage getting/refreshing the token (likely by custom code in the connector for a custom request), and store the token somewhere (or pass it back out with each response so it can be saved if changed) and then pass it through on each request. Obviously this isn't ideal as it exposes the token to anyone that can see the flow, although you can mark the inputs/outputs as secret so it obfuscates them. This might be better/easier than doing a full proxy on azure.

I don't recall the issue back when I added to this thread but from memory mine was just a symptom of another issue like an incorrect refresh URL (and it was connecting to a different 3rd party service).

 

I don't know and have never used the Exact API you guys are referring to, but power automate might also struggle with their rule around not being able to request a new token before the existing token is at least 9 mins and 30 seconds old. The refresh token is valid for 30 days, so it should be able to refresh that within the 30 day window. This part is very similar to the API I am calling, and it does manage to handle getting the refresh tokens. If you haven't already, it might be worth reaching out to both Microsoft Support and Exact support to see if you can work out why they are expiring. I did log my issue and that did somewhat help point me in the direction to resolve my issue.

 

Also just confirm when setting up the auth you are using /api/oauth2/auth for your authorisation URL and /api/oauth2/token for both your Token and Refresh URLs, because I have a feeling that was why mine weren't refreshing (the wrong URLs).

 

Hope that helps and good luck.

Hi @DerekH_AU,

 

Thanks for the extensive reply. Could you show an example of how the custom code works in the custom connector? I'm not familiar with it.

Didn't think about the possibility for using a connector code but if that gives the possibility to get an access token from an Azure Key Vault, which may be refreshed by an external application, that might be exactly what I'm looking for!

 

Thank you so much for your input!

Got it 😎

 

 

using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs.Host;
using Newtonsoft.Json.Linq;

public class Script : ScriptBase
{
    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        // Log instance ophalen
        var log = this.Context.Logger;

        // Verwijder de bestaande Authorization header
        this.Context.Request.Headers.Remove("Authorization");

        // URL van de GET API
        string apiUrl = "https://prod-208.westeurope.logic.azure.com:443/workflows/[....]";

        // Maak een nieuwe HttpRequestMessage voor de API-aanroep
        var tokenRequest = new HttpRequestMessage(HttpMethod.Get, apiUrl);

        // Voer het GET-verzoek uit via Context.SendAsync
        var tokenResponse = await this.Context.SendAsync(
            request: tokenRequest,
            cancellationToken: this.CancellationToken).ConfigureAwait(false);

        // Controleer of het verzoek succesvol was
        if (tokenResponse.IsSuccessStatusCode)
        {
            // Lees de inhoud van de respons
            string tokenContent = await tokenResponse.Content.ReadAsStringAsync();
            var token = tokenContent.ToString();

            // Voeg de nieuwe Authorization header toe
            this.Context.Request.Headers.Add("Authorization", "Bearer " + token);

            // Log de Authorization header
            log.LogInformation("Authorization header set to: Bearer " + token);
        }
        else
        {
            // Log een foutmelding als het verzoek niet succesvol was
            log.LogError($"Failed to make GET request. Status code: {tokenResponse.StatusCode}");
            return new HttpResponseMessage(System.Net.HttpStatusCode.InternalServerError)
            {
                Content = new StringContent("Failed to retrieve token.")
            };
        }

        // Log alle headers
        foreach (var header in this.Context.Request.Headers)
        {
            var headerValue = string.Join(", ", header.Value);
            log.LogInformation($"Header: {header.Key} = {headerValue}");
        }

        // Stuur het aangepaste verzoek door en verkrijg de respons
        var response = await this.Context.SendAsync(
                request: this.Context.Request,
                cancellationToken: this.CancellationToken)
            .ConfigureAwait(false);
        
        return response;
    }
}

 

This custom code makes a get request that retrieves the actual access token. The authentication type of the custom connector is changed to "No authentication".

 

Obviously, an additional setup is needed to refresh and store access tokens each 10 minutes.

Very interesting! But how do you do the initial login then, via the custom connector you already had? Keep us posted!

I have a separate Azure Functions that I already created as a proxy for webhooks from Exact Online, as the custom connector cannot handle webhooks directly from Exact Online (for some reason I don't remember anymore). I extend this function to store access tokens and refresh tokens in the Key Vault and repeat this action every 9:30 minutes.

ah ok. I also tried webhooks, but it indeed doesn't work with the custom connector. The connector requires an additional header I believe, which Exact doesn't provide.

 

My options are very limited, because I don't have a Power Apps subscription (yet). It is not feasible for us yet.

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results | Winners will be posted on July 24th

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Community MembersNumber SolutionsSuper UsersNumber Solutions Deenuji 9 @NathanAlvares24  17 @Anil_g  7 @ManishSolanki  13 @eetuRobo  5 @David_MA  10 @VishnuReddy1997  5 @SpongYe  9JhonatanOB19932 (tie) @Nived_Nambiar  8 @maltie  2 (tie)   @PA-Noob  2 (tie)   @LukeMcG  2 (tie)   @tgut03  2 (tie)       Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 2: Community MembersSolutionsSuper UsersSolutionsPower Automate  @Deenuji  12@ManishSolanki 19 @Anil_g  10 @NathanAlvares24  17 @VishnuReddy1997  6 @Expiscornovus  10 @Tjan  5 @Nived_Nambiar  10 @eetuRobo  3 @SudeepGhatakNZ 8     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji32ManishSolanki55VishnuReddy199724NathanAlvares2444Anil_g22SudeepGhatakNZ40eetuRobo18Nived_Nambiar28Tjan8David_MA22   Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 4:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji11FLMike31Sayan11ManishSolanki16VishnuReddy199710creativeopinion14Akshansh-Sharma3SudeepGhatakNZ7claudiovc2CFernandes5 misc2Nived_Nambiar5 Usernametwice232rzaneti5 eetuRobo2   Anil_g2   SharonS2  

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Top Solution Authors
Users online (2,490)