OAuth 2.0 Setup token refresh rate

I’ve got an OAuth Setup record configured. Everything is accurate to my knowledge. I use the login action and it populates my tokens. All good. I can use it for a couple hours to call an external Endpoint. But the access token expires every couple hours and doesn’t appear to refresh on its own. Is there another configuration or piece of setup I need to ensure the token is up to date?

Hey Aaron, a couple questions to help narrow down the issue:

  1. Do you have any scopes defined on your OAuth record?
  2. Does the OAuth record have a refresh token?

Usually you can send offline_access in the scope field to request refresh tokens from the authorization server. If an OAuth Setup record has a refresh token, it should automatically be used to obtain a new access token when an external callout uses that OAuth record.

Note about scopes: With most authorization servers, if you send empty/no scopes, your access token will have default authorizations. Default authorizations/scopes may be configurable on the authorization server. If you start sending offline_access, you are now asking for a specific scope and may lose the default authorizations given with no scope. It is always safest to request the scopes you know you need authorizations for. Authorization servers can differ in how they treat default scopes, so it is also good to be familiar with your authorization server’s documentation and setup.

If you do have a refresh token and are still seeing this issue, let us know as we may have to investigate what is happening.

I have the following scopes defined.

openid profile offline_access User.Read Mail.Read

The refresh token field contains an encoded value, indicated by (******).

Following back up here after we investigated internally. The issue was that the OAuth Setup record was configured in the _base tenant, but the integration testing was being done in a non-base tenant. When we try to refresh the OAuth record, we look for it in the tenant where the integration is running. Because it was a _base record, the system didn’t find it and failed to update the record.

For future readers, testing and usage of OAuth Setup configurations must be done in the same tenant the OAuth record was setup in. Or vice versa: the OAuth setup record must be configured in the same tenant where testing will occur.
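As an added illustration (not the platform's own code; the thread shows none), here is a Python sketch of the behaviour described in this thread: a callout looks up the OAuth Setup record in the tenant it runs in, uses the access token while it is valid, falls back to the refresh_token grant when it has expired, and fails cleanly when the record is in the wrong tenant or never received a refresh token. The token endpoint, record names, tenant names and token values are constructed for the example.

```python
import time
from dataclasses import dataclass

class FakeAuthServer:
    """Constructed stand-in for the token endpoint's refresh_token grant."""
    def token(self, grant_type, refresh_token=None):
        if grant_type != "refresh_token" or refresh_token != "rt-abc":
            return {"error": "invalid_grant"}
        return {"access_token": "at-new", "expires_in": 3600}

@dataclass
class OAuthSetup:
    access_token: str
    expires_at: float          # epoch seconds
    refresh_token: str = ""    # empty unless offline_access (or similar) was granted

RECORDS = {}   # keyed by (tenant, record name): records are looked up per tenant

def get_access_token(tenant, name, server, now=None):
    """Return a usable access token for a callout, refreshing it if expired."""
    now = time.time() if now is None else now
    rec = RECORDS.get((tenant, name))
    if rec is None:   # the thread's root cause: record in _base, callout elsewhere
        raise LookupError(f"OAuth Setup {name!r} not found in tenant {tenant!r}")
    if now < rec.expires_at - 60:   # still valid, with a 60 s safety margin
        return rec.access_token
    if not rec.refresh_token:
        raise PermissionError("token expired and no refresh token (offline_access?)")
    resp = server.token("refresh_token", refresh_token=rec.refresh_token)
    if "error" in resp:
        raise PermissionError(f"refresh failed: {resp['error']}")
    rec.access_token, rec.expires_at = resp["access_token"], now + resp["expires_in"]
    return rec.access_token

def demo():
    """Seed constructed records and exercise the valid, refreshed and failing paths."""
    server, t0, out = FakeAuthServer(), 1_700_000_000.0, {}
    RECORDS.clear()
    RECORDS[("_base", "graph")] = OAuthSetup("at-0", t0 + 7200, "rt-abc")
    RECORDS[("tenant-a", "norefresh")] = OAuthSetup("at-x", t0 + 7200)
    out["valid"] = get_access_token("_base", "graph", server, now=t0)
    out["refreshed"] = get_access_token("_base", "graph", server, now=t0 + 7200)
    for key, args in (("wrong_tenant", ("tenant-a", "graph")),
                      ("no_refresh", ("tenant-a", "norefresh"))):
        try:
            get_access_token(*args, server, now=t0 + 7200)
        except (LookupError, PermissionError) as exc:
            out[key] = type(exc).__name__
    return out
```

Running `demo()` shows the two failure modes side by side: a record that exists only in `_base` is simply not found from `tenant-a`, and a record without a refresh token cannot be renewed once its access token expires.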
