- Goal: OAuth2 with Client Credentials Flow uses a new token after expiration (instead of continuing to send the expired token to my API)
- Steps: I have tried adjusting the access token lifespan on the connection details in Retool to a shorter value, and logging out and in again (didn't expect that to work, but why not).
- Details: Retool is successfully passing the JWT in my authorization header, but on my API side the verification of the JWT says that the expiredAt timestamp is in the past. This is using the client credentials flow, and my understanding is that Retool should just request a new token. I'm unable to find a way to refresh a token using the client credentials flow.
Hi @Daniel_Clarke!
I can't even get the client credentials flow to work at all! I think I have everything set up correctly, but do not think the token is being set in the header. Do you mind sharing some screenshots of your API configuration?
I have some screenshots of my setup in this post: OAuth 2.0 Client Credentials Flow
For the time being, I am working around it by calling for a token refresh periodically and setting it as a variable in my header (just skipping OAuth completely)
Set my authentication token retrieval to run periodically... After it runs I save the token to a variable
Reference the variable in subsequent calls
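A minimal version of the workaround described above, as an added example that is not Retool's code and not from this thread: a client-credentials session that caches the token and re-requests it shortly before the JWT's exp claim, so an expired token is never sent. The token endpoint, clock and JWT here are constructed stand-ins; the API side must still verify the signature itself.

```python
import base64
import json
import time
from typing import Callable, Optional

SKEW = 30  # refresh this many seconds before exp, to absorb clock skew


def jwt_exp(token: str) -> Optional[int]:
    """Read exp from the JWT payload. No signature check: the client only
    uses this to schedule its own refresh; the API verifies the signature."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (IndexError, ValueError):
        return None


class ClientCredentialsSession:
    """Caches a client-credentials token and re-requests it near expiry."""

    def __init__(self, fetch_token: Callable[[], dict], now=time.time):
        self._fetch = fetch_token  # stands in for POST /token, grant_type=client_credentials
        self._now = now
        self._token = None
        self._expires_at = 0.0
        self.fetches = 0

    def access_token(self) -> str:
        if self._token is None or self._now() >= self._expires_at - SKEW:
            resp = self._fetch()
            self._token = resp["access_token"]
            exp = jwt_exp(self._token)
            # prefer the token's own exp; fall back to expires_in from the response
            self._expires_at = exp if exp is not None else self._now() + resp.get("expires_in", 0)
            self.fetches += 1
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": f"Bearer {self.access_token()}"}


def make_test_jwt(exp: int) -> str:
    """Constructed, unsigned token used only to exercise the expiry logic."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'exp': exp})}."


def demo():
    clock = [1_000_000]  # fake clock (seconds) so the expiry path runs offline
    endpoint = lambda: {"access_token": make_test_jwt(clock[0] + 3600), "expires_in": 3600}
    s = ClientCredentialsSession(endpoint, now=lambda: clock[0])
    first = s.access_token()
    clock[0] += 1800
    same = s.access_token()          # still valid: reused, no new request
    clock[0] += 1800
    new = s.access_token()           # within SKEW of exp: re-requested
    return first == same, first != new, s.fetches
```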
Hey @Daniel_Clarke, if you Enable an auth verification endpoint on the resource, do you notice any difference? A 200 response from that endpoint should indicate that the token is valid, anything else should trigger the auth flow again to retrieve a new token. Let me know if that gives you any different behavior.
@Jessica_D I'll take a look at your other post now as well.
Hey @Daniel_Clarke, can you also share what IDP you are using to auth against? Thanks!
Dan Clarke and I work on the same system. I just found this forum post after googling a similar problem - that the JWT wasn't regenerating when I changed Client Credentials configurations such as the client ID and secret.
Clicking Enable an auth verification endpoint doesn't help at all. It seems to return success even if I configure it with nonsense values. I'm not sure what this option is for when we already have the "Test Connection" feature (which was failing at the same time as the "Check authentication status using current credentials" button was passing).
I suspect Dan stopped replying because Retool does eventually fetch a new JWT, in a few hours or days.
Hey @Luke_Bryant - I just noticed your addition to this topic. Thanks for your patience!
What kind of resource are you authenticating? And do you have a specific follow-up question that I might be able to answer?
In general, it does look like the auth verification endpoint may not be compatible with OAuth2 when using a client credentials flow, in particular. This was flagged to the team just recently, but I'll add your bump and provide an update here as soon as I have news to share.