Re: Custom Connector - OAuth2 - Old refresh token ... - Page 3

Knots · ‎02-10-2021

We've created a custom connector for Exact Online, but are having issues with the access tokens. Everything works, but at some point the connection states it "Can't sign in" and you'll need to fix the connection before you can use it again. When checking the detail of that connection, it states:

Failed to refresh access token for service: oauth2. Correlation Id=..., UTC TimeStamp=..., Error: OAuth 2 access token refresh failed. Client ID and secret sent in form body.. Response status code=Unauthorized. Response body: {"error":"unauthorized_client","error_description":"Old refresh token used."}

The authentication type of the custom component is set to OAuth2. The identity provider is the Generic OAuth2 one. It uses the "Authorization Code" flow. We've tried the "Implicit" one as well to no avail.

Since the connection works initially, the authorization and token URL seem to be correct. We can authenticate and use the connection in an, e.g. Canvas App.
According to the documentation, the refresh URL is the same as the token URL:

../api/oauth2/token

If the token would expire once a month or so, I could live with it, but the token expires after just 10 minutes...

Can anyone tell me why an old refresh token is used? Is the token simply not updated after refreshing it? Is it refreshing multiple times simultaneously, in which case the second call probably results in the error?

What am I missing?

edit: added additional information regarding the authentication method.

Piebe_Post · ‎05-27-2024

The documentation says that with each refresh, a new acces code is generated:

Knowledge Base - Step 4. Obtain new access tokens (exactonline.com)

JOAS_Niels · ‎05-28-2024

Yes, I meant the refresh token. The custom connector seems to be refreshing the access token correctly (if using only one connection), but apparently does not refresh the refresh token (correctly). That's my interpretation, because the refresh token becomes invalid after a month.

Piebe_Post · ‎05-28-2024

In that scenario, you still need to store the new refresh token that has just been "manually" refreshed somewhere inside Power Platform's connection settings.

JOAS_Niels · ‎05-28-2024

Yep, and that's not possible as far as I know. And that leads as back to building a custom proxy, unfortunately.

DerekH_AU · ‎05-28-2024

A couple of ways I have gotten around authentication issues (albeit not for an oauth issue that the platform should be handling, but power automate is pretty rigid in its implementation of oauth, or their interpretation of the standard)...

Doing a poll/keep alive, even just a list records or some other ping on the connection (in my case the token was only valid for 60 mins, but the refresh tokens were valid for much longer so getting my reference data every 24 hours was enough).

For a different type of auth, I configured all my requests to include an extra header parameter which allowed me to pass through the required auth token. I used the new custom connector code to modify the request to change that value to the required auth header for the request. You'd still need to manage getting/refreshing the token (likely by custom code in the connector for a custom request), and store the token somewhere (or pass it back out with each response so it can be saved if changed) and then pass it through on each request. Obviously this isn't ideal as it exposes the token to anyone that can see the flow, although you can mark the inputs/outputs as secret so it obfuscates them. This might be better/easier than doing a full proxy on azure.

I don't recall the issue back when I added to this thread but from memory mine was just a symptom of another issue like an incorrect refresh URL (and it was connecting to a different 3rd party service).

I don't know and have never used the Exact API you guys are referring to, but power automate might also struggle with their rule around not being able to request a new token before the existing token is at least 9 mins and 30 seconds old. The refresh token is valid for 30 days, so it should be able to refresh that within the 30 day window. This part is very similar to the API I am calling, and it does manage to handle getting the refresh tokens. If you haven't already, it might be worth reaching out to both Microsoft Support and Exact support to see if you can work out why they are expiring. I did log my issue and that did somewhat help point me in the direction to resolve my issue.

Also just confirm when setting up the auth you are using /api/oauth2/auth for your authorisation URL and /api/oauth2/token for both your Token and Refresh URLs, because I have a feeling that was why mine weren't refreshing (the wrong URLs).

Hope that helps and good luck.

JOAS_Niels · ‎05-28-2024

Hi @DerekH_AU,

Thanks for the extensive reply. Could you show an example of how the custom code works in the custom connector? I'm not familiar with it.

Piebe_Post · ‎05-28-2024

Didn't think about the possibility for using a connector code but if that gives the possibility to get an access token from an Azure Key Vault, which may be refreshed by an external application, that might be exactly what I'm looking for!

Thank you so much for your input!

Piebe_Post · ‎06-03-2024

Got it 😎

using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs.Host;
using Newtonsoft.Json.Linq;

public class Script : ScriptBase
{
    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        // Log instance ophalen
        var log = this.Context.Logger;

        // Verwijder de bestaande Authorization header
        this.Context.Request.Headers.Remove("Authorization");

        // URL van de GET API
        string apiUrl = "https://prod-208.westeurope.logic.azure.com:443/workflows/[....]";

        // Maak een nieuwe HttpRequestMessage voor de API-aanroep
        var tokenRequest = new HttpRequestMessage(HttpMethod.Get, apiUrl);

        // Voer het GET-verzoek uit via Context.SendAsync
        var tokenResponse = await this.Context.SendAsync(
            request: tokenRequest,
            cancellationToken: this.CancellationToken).ConfigureAwait(false);

        // Controleer of het verzoek succesvol was
        if (tokenResponse.IsSuccessStatusCode)
        {
            // Lees de inhoud van de respons
            string tokenContent = await tokenResponse.Content.ReadAsStringAsync();
            var token = tokenContent.ToString();

            // Voeg de nieuwe Authorization header toe
            this.Context.Request.Headers.Add("Authorization", "Bearer " + token);

            // Log de Authorization header
            log.LogInformation("Authorization header set to: Bearer " + token);
        }
        else
        {
            // Log een foutmelding als het verzoek niet succesvol was
            log.LogError($"Failed to make GET request. Status code: {tokenResponse.StatusCode}");
            return new HttpResponseMessage(System.Net.HttpStatusCode.InternalServerError)
            {
                Content = new StringContent("Failed to retrieve token.")
            };
        }

        // Log alle headers
        foreach (var header in this.Context.Request.Headers)
        {
            var headerValue = string.Join(", ", header.Value);
            log.LogInformation($"Header: {header.Key} = {headerValue}");
        }

        // Stuur het aangepaste verzoek door en verkrijg de respons
        var response = await this.Context.SendAsync(
                request: this.Context.Request,
                cancellationToken: this.CancellationToken)
            .ConfigureAwait(false);
        
        return response;
    }
}

This custom code makes a get request that retrieves the actual access token. The authentication type of the custom connector is changed to "No authentication".

Obviously, an additional setup is needed to refresh and store access tokens each 10 minutes.

JOAS_Niels · ‎06-03-2024

Very interesting! But how do you do the initial login then, via the custom connector you already had? Keep us posted!

Piebe_Post · ‎06-04-2024

I have a separate Azure Functions that I already created as a proxy for webhooks from Exact Online, as the custom connector cannot handle webhooks directly from Exact Online (for some reason I don't remember anymore). I extend this function to store access tokens and refresh tokens in the Key Vault and repeat this action every 9:30 minutes.

JOAS_Niels · ‎06-05-2024

ah ok. I also tried webhooks, but it indeed doesn't work with the custom connector. The connector requires an additional header I believe, which Exact doesn't provide.

My options are very limited, because I don't have a Power Apps subscription (yet). It is not feasible for us yet.