I'm having issues with Custom Auth in my Retool App (Web).
Specifically, the Custom Auth refresh workflow isn't firing when the conditions are met.
I've tried both "Time based expiration" as well as "Login Test URL", and neither seems to work.
I do have "Run this custom auth workflow without prompting the user" checked as well.
I would expect that when a query is triggered from within an app, and its refresh conditions are met, then custom auth would automatically run the refresh workflow, and retry the query with the new credentials.
At least that is how the refresh workflow is described in the docs.
Here is what happens instead:
When a user first opens the app, we see a popup appear quickly indicating that the custom-auth is authenticating. This popup quickly disappears. This is expected considering I have checked the "Run custom auth without prompting the user"
The user is able to run queries against my resource that uses this custom auth. Again, expected.
When the credential reaches the end of its lifetime, any future queries fail.
In the bottom corner of the window, we are given a yellow warning symbol in the "Powered by retool" footer.
When clicking the warning icon, it brings up the custom authentication modal, and requires the user to click "Authenticate".
Essentially, on page load the custom-auth is triggered automatically, but the refresh workflow is not automatically triggered when previous tokens have expired. If the user were to refresh the page or reload the app, then the refresh/custom-auth seems to work fine, but if the app is already loaded/running when a token expires, the refresh workflow is not automatically triggered.
Am I doing something wrong, or might this be a bug?
Are you able to help here?
Hey Tom! Based on this description, I'd first want to confirm that the refresh flow itself does in fact work. The original authentication flow is working well, but we aren't able to successfully run the refresh flow when it is required. Not sure how much insight you have into the auth server side of things, but would be curious if you are able to see attempts to run that refresh flow?
Happy to troubleshoot. Mind sending screenshots of how you have that custom auth set up? The refresh flow in particular, but the entire setup would be great for all the context.
Hey Joe, Thanks for the reply!
Unfortunately I don't have access to the auth server that is being called.
I'm calling an API provided by a product we subscribe to.
I've tested the refresh flow fairly extensively, and it works correctly when running the "Test refresh auth workflow" button on the resource's setup page.
Some more context:
In the custom auth workflow, I'm essentially authenticating using OAuth 2.0 with a grant_type of "password".
The OAuth 2.0 authentication built into Retool resources doesn't support this grant type, which is why I used custom auth.
The reason I believe that my refresh workflow is successful is that after I have run the regular auth workflow (The non-refresh workflow) I have both a valid access token and refresh token stored in the custom auth workflow variables.
I can then go clear the access token from the variables using "View defined variables" "Revoke".
The only data now stored in the variables is a refresh token.
Now when testing the auth refresh workflow, I am able to successfully get a new (and valid) access token using the stored refresh token.
I can then make requests using the new access token acquired from the refresh flow.
Also of note:
I set my "Auth Trigger" to Time-based expiration, and set the value very low (15 seconds) for testing.
I made a query that pulls data from this resource, and with that data I populate a table in a Retool app.
After waiting 30 seconds, I refresh the table. (Not the entire page, just the table)
At this point I would expect the refresh workflow to take place, since our timer has expired, but it does not.
It's as if the refresh workflow isn't being triggered at all.
I can confirm this by checking the defined variables for the resource, and the "Last updated" time hasn't changed since my initial authentication.
(It should have changed during the refresh)
I have a handful of screenshots that I will send to you via PM.
Thanks for your help, and let me know if there is anything else you need from me to troubleshoot this.
I've done some more testing.
I have proxied the requests to the auth server, effectively giving me visibility into the authentication requests being sent.
The refresh workflow is not being triggered properly.
According to docs, the refresh flow should automatically run once it receives a non-200 response.
This does not happen.
No refresh request is sent at all when a non-200 response is received in a resource query.
The only way I've been able to trigger a refresh is when doing the following:
- The "Auth Trigger" (Timer-based expiration, Login Test URL) condition is true, meaning that re-auth is required.
(By saying the condition is true, I mean that a timer has expired, or the test URL responded with a non-200 response code.)
- The entire page/app is reloaded in the browser
At that point, the refresh flow is fired.
If the "Auth Trigger" condition changes from false to true while an app is already open (E.g. A timer expires while the user still has the app open) then the refresh workflow will not trigger.
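The proxy check described in the last post can be scripted. The following is an added example, not part of the thread or of Retool's code: it scans a constructed proxy capture for non-200 resource responses that are not followed by a `grant_type=refresh_token` request. The host names, the `/oauth/token` path, the 401 status and the 5-second window are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

TOKEN_PATH = "/oauth/token"  # assumed token endpoint path (not from the thread)
API = "https://api.example.test/v1/items"        # hypothetical resource URL
AUTH = "https://auth.example.test/oauth/token"   # hypothetical auth server URL

# Constructed proxy capture: (seconds since app load, method, URL, form body, status)
CAPTURE = [
    (0,  "POST", AUTH, "grant_type=password&username=u&password=REDACTED", 200),
    (2,  "GET",  API,  "", 200),
    (31, "GET",  API,  "", 401),   # token lifetime has passed, app still open
    (45, "GET",  API,  "", 401),
    (90, "POST", AUTH, "grant_type=refresh_token&refresh_token=REDACTED", 200),  # after page reload
    (91, "GET",  API,  "", 200),
]


def grant_type(method, url, body):
    """Return the OAuth grant_type of a token request, or None for other traffic."""
    if method != "POST" or urlsplit(url).path != TOKEN_PATH:
        return None
    return parse_qs(body).get("grant_type", [None])[0]


def grants_seen(capture):
    """Ordered (timestamp, grant_type) pairs for every token request in the capture."""
    return [(ts, g) for ts, m, u, b, _ in capture
            if (g := grant_type(m, u, b)) is not None]


def unrefreshed_failures(capture, window=5):
    """Non-200 resource responses with no refresh_token grant within `window` seconds."""
    refresh_times = [ts for ts, g in grants_seen(capture) if g == "refresh_token"]
    missing = []
    for ts, method, url, body, status in capture:
        if grant_type(method, url, body) is not None or status == 200:
            continue  # token traffic, or a query that succeeded
        if not any(ts <= rt <= ts + window for rt in refresh_times):
            missing.append((ts, url, status))
    return missing


if __name__ == "__main__":
    for ts, url, status in unrefreshed_failures(CAPTURE):
        print(f"t={ts}s {status} {url}: no refresh_token grant followed")
```

An empty result means every failed query was followed by a refresh attempt; entries in the result are the failures where no refresh request was sent.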