GRPC OAUTH not re-authorizing

  • Goal: Queries that use a GRPC resource should automatically redirect to Google's OAUTH login after the query gets a non-2xx HTTP error code (if it was not authorized, such as in the case where the oauth token expired).

  • Details:
    The issue is that our GRPC Resource in Retool is not properly redirecting to Google when OAUTH tokens have expired. If we manually “Auth” our GRPC resource, it works. Any queries using this resource work properly. Eventually, the Google OAUTH token expires and these queries return a ’not authorized error’ with the expected non-2xx HTTP error code. But Retool doesn’t attempt a re-authorization by redirecting to Google. Instead, the Retool user has to go into Edit mode, to the Query Settings and hit the “Re-Auth” button under the Resource settings— at which point everything works again. We’re currently using “Custom Auth” setting for our GRPC resource but have tried every permutation of settings (including the OAUTH 2.0 setting) and still run into the same exact issue.

We’ve tried using the latest stable version and the previous stable version (3.52.18) and have the same issue. When we tried it in 3.75 stable, the OAUTH 2 and Custom Auth was doing an infinite loop during authorization. In 3.52.18, the same configuration doesn’t do an infinite loop, but does have this re-auth issue.

When we use the ‘Check authentication status using current credentials’ it also works as expected: returns a success when the user is auth’d and returns a non-2xx when the user is not authenticated. So we know that this configuration is working correctly.

Here's a screenshot of what the query looks like when the token is expired. Hitting the re-auth button and loging into oauth with Google will resolve this. But the correct behavior i'm expecting is that when the retool user is viewing the app, if a non-2xx code is returned, it automatically redirects to google to reauth

Hello @kb123!

Apologies for the frustration and thank you for the thorough and highly detailed write up.

This is a known bug on our end unfortunately, but I can attach this thread to the issue which should increase it's weight for our engineering team to take a look at!

I completely agree, it should be simple to have the resource re-auth in users as soon as the query response gives us the details that the only reason it failed is due to an auth token expiring that needs to be refreshed.

I will keep you updated on any news I hear from our team and want to apologize again! You did everything correct and the ball is in our court to get this fixed as soon as we can!