OAuth and refresh tokens

Our main API uses Auth0 with OAuth2 for authentication. We have our resources set up successfully and they work well through Retool. Where things get a little wonky is [what I am assuming] when refresh tokens are used to get a new JWT.

When a user comes back to a Retool app which they used, say yesterday, data fetched using OAuth2 doesn't always show up. Refreshing the page once or twice then successfully retrieves the data for this app and any others being used in Retool. There was already an active OAuth session, so no, they are not being asked to log in again.

To help with this I built a specific app named "oAuth Check - Run first". It's basically two tables which access our main API endpoints used in Retool and load data on app load, assuming all the auth is ready. This app is now accessed first to ensure all is connecting correctly. If no data shows, refresh the page until it does. It works, but doesn't seem right.

This app works, but doesn't seem right, so I am reaching out to see if perhaps I have something configured incorrectly, or perhaps others have seen this issue and have found a way around it.

Thank you

Hey @brettski :wave: The refresh auth workflow shouldn't need a page refresh to re-auth. Can I ask how the auth is set to trigger? Would you mind sharing screenshots of your auth setup? If you aren't comfortable sharing those screenshots publicly, please do reach out to support through chat or email so we can keep digging :slightly_smiling_face:

Thanks for the reply @lauren.gus. That's a long page, is there a specific section that would be helpful to see?

@brettski The refresh auth workflow section :+1:

This is a GraphQL endpoint and a Refresh auth workflow section does not exist in the configuration. There are General, Authentication, and GraphQL Introspection sections.

@brettski Ah got it! If you use custom authentication you should see it:

@lauren.gus I think I understand the disconnect here. I don't think we are on the same page. My Resource is a GraphQL endpoint using OAuth2 authentication. The authentication section is set up like:

There are no settings for refresh tokens from what I can find with OAuth2 (nor that I have seen with other clients/consumers). I don't see where that screenshot is that you have included.

I found the documentation you are referencing here. And based on reading the documentation this doesn't appear to be an option for OAuth2 authentication. Or I should say I don't know how I would set up OAuth2 authentication under the custom authentication section.

Hey @brettski! It looks like using a Custom Auth resource might be helpful here, actually! When you create a Custom Auth resource, you can have an OAuth 2 step and a refresh workflow step to handle the refresh logic in the background. Would something like this be helpful?

https://docs.retool.com/docs/custom-api-authentication#refresh-auth-workflow

I wanted to shine a different light on this. Your approach is so refresh tokens don't need to be requested with a page refresh, correct? The issue I am having is that on the page load (or refresh) we don't always get a new token and need to refresh again. I think the focus should be on why we aren't getting the token on that first page load (or refresh). Or, perhaps this is what you are getting at here?

Thank you for your continued responses, I really appreciate it!

Hmmm, now I'm confused haha. I synced with the team on this one to make sure I had my facts straight, and I confirmed we should be handling your auth refresh in the background. We should only be prompting you to re-auth if the refresh flow fails. I actually have an app I use that's been a little wonky lately. It uses an OAuth2 resource for the Google Calendar API, and used to work fine for days. Never needed re-authing. This past week, I've needed to manually click through the auth flow for my queries to work. I'll check in on this with the PM of the team that works on resources!

Let me know if this sounds similar or different to your current issue :slight_smile:

Yeah that sounds similar. Logging out and authenticating back into Retool always works.
I most commonly have the issue in the morning, on first load, where it seems a new auth token isn't retrieved as I cannot authenticate into our API. A refresh or two of the screen tries those refreshes again and it will work. I have actually experienced this issue for some time but simply dealt with it.

(Still following this, will write back once I hear back from the eng team re: next steps/things we can look into!)


Just verified on a few different recent Cloud versions and the refresh worked! I wonder if this has something to do with your refresh token expiring? For context, Retool can only automatically refresh if ONLY the access token is expired and the refresh token is not. We would need you to go through the auth flow if the refresh token is expired.
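The reply above draws the line between an expired access token and an expired refresh token. The following added example (not Retool's or Auth0's code) turns that decision into a small check you could run against a resource's tokens; it assumes the access token is a JWT carrying an exp claim (as Auth0 issues) and that the refresh token's expiry time was recorded when it was issued.

```python
import base64
import json

# Added example, not Retool's or Auth0's code: classify an OAuth2 resource's
# token state as the reply describes it. A silent refresh is only possible
# while the refresh token is still valid; once both tokens have expired,
# the user has to go through the auth flow again.
# Assumptions: the access token is a JWT with an "exp" claim, and the
# refresh token's expiry (refresh_expires_at) was noted when it was issued.

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_exp(token: str) -> int:
    """Read the exp claim of a JWT for inspection only; no signature check."""
    _header, payload, _signature = token.split(".")
    return int(json.loads(_b64url_decode(payload))["exp"])

def token_state(access_token: str, refresh_expires_at: int, now: int) -> str:
    """Return 'valid', 'silent_refresh' or 'reauth_required'."""
    if now < jwt_exp(access_token):
        return "valid"            # access token still good, nothing to do
    if now < refresh_expires_at:
        return "silent_refresh"   # only the access token expired: refresh in background
    return "reauth_required"      # refresh token expired too: user must log in again

def constructed_jwt(exp: int) -> str:
    """Build an unsigned JWT carrying only an exp claim (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'exp': exp})}."

if __name__ == "__main__":
    now = 1_700_000_000            # fixed "now" so the example is deterministic
    hour, day = 3600, 86400
    # Yesterday's login: access token (1 h) long expired, refresh token (30 d) still valid.
    print(token_state(constructed_jwt(now - day), now + 29 * day, now))  # silent_refresh
    # Both expired: only a fresh login through the auth flow helps.
    print(token_state(constructed_jwt(now - day), now - hour, now))      # reauth_required
```

If the check reports silent_refresh but the resource still fails on first load, the problem is in the refresh call itself rather than in token lifetimes.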

I don't believe that is the case as this will happen the next day after a fresh login. I have been in the state of both tokens expiring and the only way for me to get a new token is to log out and back into Retool.

Now one condition worth noting is that the OAuth used for our API is the same OAuth used for Retool. I am not sure if this is similar to your tests.

Thank you for all your time

Another thought. Is there some detailed troubleshooting I can do? E.g. tracing to see what is happening on the Retool side as it goes through the authorization requests, etc.?

We're actually in the middle of some auth work (specifically auth debugging work) that is ready to go live as soon as we fix a couple remaining bugs! I'll sync with the engineer in charge and update you on where we're at with it :slight_smile:


The Retool org associated with the email associated with your community account should have the extra API Auth debugging enabled now! Do you see it in your modal popups?

I am not sure where to look. Do you mean lower right corner of the app?

The lower right corner is just the debug panel, basically a console for Retool apps. When you go through your auth flow, depending on the type of auth (only some are available in the new debugging method), you should see a modal pop up in the middle of your screen. This modal allows you to check for different tokens. But if you're not seeing this and your auth is still not working, I'd be happy to step in and take a look to try figuring this out once and for all! Would that be alright with you?

Hi @victoria,

I do not see that dialog on refreshes, only when one of the OAuth accounts needs to be signed into. If I am already signed in, this dialog never shows. I have no issues with you having a look.