OAuth Google Drive connection doesn't have an id-token, and refresh isn't working?

Jeffrey_Yu · August 13, 2024, 1:24am

I've noticed recently that our Google Drive resources suddenly start breaking every 1-2 months. When I re-authenticate with OAuth though through the Retool Re-Authenticate button, it fixes it. I suspect that the authorization keeps expiring, which is causing this issue.

Upon further investigating, it looks like while the access and refresh tokens are being given, the ID token isn't. This is the one discrepancy between my resource and the one documented in this forum post.

In the meantime, I've considered extending the access token lifespan as documented in the same post here. I'm not sure though if that will help though, as it should be a refresh token issue, not access token. My goal is for the authentication to last a full year, and have to re-authenticate on a specific day during our low season, like March 1.

I'm wondering, what's the cause of this authorization breaking? is it the refresh token? id-token? or a combination of both?

Jeffrey_Yu · August 15, 2024, 3:59am

Bump! The authorization just broke again, and I had to re-authenticate. Not sure why it keeps expiring so quickly.

Jeffrey_Yu · August 19, 2024, 3:07pm

Bump! It looks like the authorization just broke again … how can I set it up so the refresh token actually works?

Paulo · August 21, 2024, 9:41pm

Hi @Jeffrey_Yu, happy to help!

What type of resource are we using to connect to Google Drive, is it a REST API Resource?

Jeffrey_Yu · August 21, 2024, 11:46pm

Thanks Paulo! Yes, it is a REST resource. I followed the documentation on the retool website on how to connect to Google with OAuth 2.0, in particular.

Paulo · August 22, 2024, 12:03am

Awesome!

I also don't have the ID token and that shouldn't be an issue:
Screenshot 2024-08-21 at 4.50.27 PM

Now let's do some testing:

Create an app or use an existing one where this Resource is being used. For example, I created an app with one query that gets my Google Drive files:

Note: Keep this tab open and have another tab with your Resource settings.

Revoke the Access token on the Resource settings:

Should look like:

Go back to the app and run the query again. If our setup is correct, it should be successful. If it's not, please share the error that we see.
Go back to the tab with the Resource settings and click the 'Refresh' button:

Screenshot 2024-08-21 at 5.00.51 PM

We should see the Access token there again because of the successful automatic re-authentication:
Screenshot 2024-08-21 at 5.01.49 PM

Jeffrey_Yu · August 22, 2024, 3:57am

Thans for the debugging steps Paulo! I did as you said and everything worked as expected, including step 3 (no error message).

Do you know the lifespan for this refresh token? I'm curious if we can extend it to a full year, or if there's a way we don't need to manually re-authenticate OAuth at all.

Paulo · August 22, 2024, 4:38pm

You are welcome! We can see the expiration time inside the response object, just click 'View in console' and expand the response object:

From Google's forum: "By default, Google Cloud API tokens expire after 1 hour. However, you can request a longer expiration time of up to 12 hours by specifying the "expires_in" parameter when you authenticate."

We do have an advanced setting for the lifespan of the Access token:

I tried changing it to 12h but the response is always coming with a value of 3599 for expires_in. I initially thought this was a bug with Retool, but I found this on the same thread:

If we would like to extend the expiration time to 12h it may be a good idea to keep an eye on that thread. But for your needs of extending it to a year, Google does not support this.

Jeffrey_Yu · August 23, 2024, 3:24am

Hi Paulo,

I can't find the View in console button when I hover over the resource. I tried revoking the access token and refreshing, but I still can't see it even when it says its connected. I also tried clicking on Inspect, but didn't see anything in my console. How can I get the View in console to appear?

Also, is the 3599 for the access token? I believe it's the refresh token lifespan that's important, right? I'm wondering if there's a way to expand that to a year given the way Retool has set up its OAuth.

Jeff

Paulo · August 23, 2024, 5:21pm

We may not see the option to 'View in console' because it's already connected (logs are gone). Just reconnect and we'll see the option:

Before reconnecting:

After reconnecting:
Screenshot 2024-08-23 at 9.38.13 AM

As far as I know, refresh tokens granted by Google don't expire unless one of the following conditions are met:

The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
If an admin set any of the services requested in your app's scopes to Restricted (the error is admin_policy_enforced).
For Google Cloud Platform APIs - the session length set by the admin could have been exceeded.

Source:

Q: Are we sharing credentials between users?

Screenshot 2024-08-23 at 10.20.17 AM