OAuth2 Refresh Tokens

Is there a "magic" placeholder for the OAuth2 refresh token? Retool Docs say that the REST API will automatically use the refresh token when the original token has expired, however this has not been my experience.

I'm presently developing a workflow that runs at an interval and want to ensure that the authentication doesn't expire. The API's documentation provides instruction on how to utilize the refresh token, but have not been successful at creating a query since I don't know how to reference the refresh token to place as a value in the GET operation required by the API.

Hey @samgray1999!

Would you mind sharing a bit more about your resource setup? It would be helpful to see your configuration page just to get a look at all of your settings.

You also mentioned it not being your experience that the REST API automatically uses the refresh token, sorry that it has been inconsistent for you so far. Are you talking specifically about the resource you're looking to use in the workflow or is it more of a general observation?

Here is a screencap of my resource config

In an attempt to keep token from expiring I created a loop GET call to the resource for something if the primary conditions weren't met, but even with that placing a successful GET with the resource every minute, the token still expired.

My workflow is setup to check an S3 bucket every minute and minute for a specific CSV file and if it finds it, it converts it to JSON and then calls my resource via a POST. Everything works except that the token expires and I'm required to reauthenticate with the API before the workflow resume as configured. My goal is to allow the flow to run continuously without having to re-authenticate with the API.

Thanks for sharing that! Taking a quick look at the backend it looks like the refresh request is failing because of an invalid_grant error. Retool should automatically set the grant_type url parameter to authorization_code on the initial token request and to refresh_token on subsequent refresh requests, so you might try removing that parameter from your Access Token URL.

Does that work?

(You may also want to remove the redirect_uri parameter from your Authorization URL)

Thanks! I'll give it a try. I will know for sure if it works by tomorrow if the flow continues uninterrupted.

@Kabirdas Even with the changes you suggested it appears that my token has expired. Again, I have a "keep alive" GET call that is made every minute unless the flow finds the CSV file in my S3 bucket to convert to JSON and make the POST call, however it appears that even in-combination with the suggested changes to my API resource config the token has expired. Is there a "magic" placeholder for the refresh token I can just use and build into my workflow?

Hmm... as long as you're using the preconfigured OAuth 2.0 setup the refresh flow isn't configurable. It is possible to do using custom auth in which case you can define both the refresh flow that should be executed and set your own magic variables for each token that's returned. That can take some extra configuration though.

I'm still seeing the same invalid_grant error on our end - would you mind if I step into your org and take a closer look at your setup?

@Kabirdas So I created a custom API resource and so far it looks promising. I authenticated and then tried the "Test refresh auth workflow" and that came back successful. Can you verify on your end that call is good?

UPDATE 3/24/23 12:33PM
Well, poop. Not sure if the generic OAuth 2.0 REST API resource is going to work- I don't see a "Share OAuth 2.0 credentials between users" checkbox anywhere on the resource's settings. Tried adding it to my workflow in-place of my original OAuth 2.0 REST API resource and realized it wasn't going to work without checking that box, but discovered that checkbox isn't there. I switched it back.

You're more than welcome to step into our org and take a look at it and see if you can figure it out.


Did you finally find a solution?

:thinking: Custom Auth does not have the Share OAuth 2.0 credentials between users checkbox, you'd need to use the OAuth2 authentication type to get that. There is no magic variable for the refresh token.

@Floo Are you using the same API (Sharefile) as shown above in this topic and running into issues with refresh? If you can share some more details about what you're running into, folks in the community who may have run into something similar could help! If @samgray1999 happened to have solved the above, would be interested in the solution as well!

1 Like

Oh yes @kbn, I opened another thread about my issue:

1 Like