Retool Consent modal no longer popping

Hi Retool team - I hope all is well. I need a little help trying to understand why the consent screen is no longer popping for my users. I can recreate the issue by revoking my tokens and trying to run a report in my app. I can see in my logs my services returning 401 errors, which is correct, but this is no longer triggering the consent screen prompt. This ends up causing the following error to pop (this is not from my app as far as I can tell).

[Screenshot: Screen Shot 2021-05-18 at 11.29.04 AM]

I'm able to get the screen to pop if I use the testing mechanism in the REST API resource or the Re-authenticate API button in one of the queries, but not through the normal flow in my app. This seems to have changed recently? I have not touched my REST API resource in months...

Unfortunately, this error leaves my users dead in the water.

Any help is really appreciated - I'm able to recreate this issue very easily!

Thanks as always.

Dan

I should also mention I'm using a typical Google OAuth2 flow... Thanks again.

Bumping this, sorry - getting calls every day on this - can anyone assist? Thanks!

Hi @gilcrest

As far as I'm aware we haven't made any changes in this workflow, but we definitely want to get this resolved still!

To confirm, are you using the auth login component in your app?

When you say this is happening for your users, are these users logging in to Retool (versus accessing a public app)? Are they using the app in editor mode or preview mode?

Thanks!

Hi @Tess - thanks for your help!

No, we are not using the auth login component in the app.

The app is being used in preview mode. My client's users are logging in to Retool using the Google Sign-in. I have set up an authorization endpoint.

My understanding of the flow is:

  • User logs in to Retool via Google OAuth2.
  • User attempts to use REST API resource in some way (let's say a simple GET request) that populates a dropdown or a report.
  • Request returns a 401 (Unauthorized).
  • Retool should prompt user to re-authorize with consent screen.
  • Retool uses new access token to retry the service using the REST API.

I am pretty sure I'm missing pieces - anything you can help fill in is great... I don't know when you query the auth verification endpoint, but I see it happening in my logs...

Hey @gilcrest, sounds like maybe the auth verification endpoint isn't set up.

https://docs.retool.com/docs/api-authentication#oauth-20

Would you mind sharing what the resource setup looks like? You can write in to the support team if you don't want to share that here.

Hi @joeBumbaca - thanks for your help. The verification endpoint is set up and working - the odd thing is, not all users are having the issue. I can see this endpoint being called by Retool in my logs. We have been using the OAuth2 flow with the verification endpoint for 6+ months now without issue, so it's strange... How do I write into the support team? Thanks again!

@joeBumbaca - I actually went through a long thread last summer with @alex-w:

I have not made any changes to the resource since this thread actually and it's all been working fine. It's always possible I made some backend change that has made things break, but I'm struggling to figure out how I could have broken it...

Generally, what I'm seeing is that users will encounter a 401 error for a particular service, then ~1 second later, the exact same request is sent again, but this time it is valid. I'm assuming that when Retool encounters the 401 error, you're getting a new access token using the refresh token, making the next request successful. I believe this is why most users are not having issues, because their refresh token is still good and so this flow is not even seen by them. This makes sense to me - let me know if this flow seems correct to you?

What is incorrect is that some users are not getting into this - every request they make is returning a 401 as for whatever reason their refresh token seems to be invalidated. In this scenario, the consent modal should pop and they should re-authenticate and get a new refresh and access token, but that is not happening...

Still having this issue - trying to debug a bit more - in addition, this issue is exacerbated for one user in particular as his tokens are disappearing daily. I checked this morning and the user had all active tokens (after I refreshed them myself) and now they're all completely gone? This is strange, but shouldn't be a big deal if the consent screen was working properly, which unfortunately it still is not... @joeBumbaca Any help you can give is really appreciated!

Sorry to bug - I still haven't heard from anyone on this - how do I contact support or can anyone provide an assist?

Thanks!

Hey - closing this out as I figured out the issue was entirely on my end.

For anyone who might see this post though, remember to always check that your auth verification endpoint isn't always returning a 200... sigh...

One other thing to note - while debugging my OAuth2 flow, I learned that Retool will call your endpoint even after you've revoked your tokens or have logged out and have no tokens. Retool will send through an Authorization header with the Bearer schema prefix, but will send undefined as the token. This was a bit unexpected for me. That's it - sorry for this ridiculous thread!
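The resolution above, as an added example that is not part of the original thread or anyone's actual backend: the decision logic for an auth verification endpoint that answers 200 only for a token it has positively validated and treats the literal `undefined` as no token at all. The function names, the in-memory token set, the extra `null` placeholder and the choice of 401/503 as the non-200 statuses are assumptions made for illustration.

```python
import hmac
from typing import Callable, Optional

# Constructed sample data: tokens this backend currently considers active.
ACTIVE_TOKENS = {"tok-active-123"}

# "undefined" is the value reported in the thread; "null" is an added assumption.
PLACEHOLDER_TOKENS = {"undefined", "null"}


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the bearer token, or None if absent, malformed, or a placeholder."""
    if not authorization:
        return None
    parts = authorization.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1]
    return None if token.lower() in PLACEHOLDER_TOKENS else token


def is_token_active(token: str) -> bool:
    """Hypothetical validator; a real one would ask the OAuth2 provider."""
    return any(hmac.compare_digest(token.encode(), t.encode()) for t in ACTIVE_TOKENS)


def verification_status(authorization: Optional[str],
                        validator: Callable[[str], bool] = is_token_active) -> int:
    """HTTP status the verification endpoint should return for this header."""
    token = extract_bearer(authorization)
    if token is None:
        return 401          # nothing usable was presented
    try:
        return 200 if validator(token) else 401
    except Exception:
        return 503          # validator failed: fail closed, never report 200


if __name__ == "__main__":
    for header in (None, "Bearer undefined", "Bearer revoked-999", "Bearer tok-active-123"):
        print(repr(header), "->", verification_status(header))
```

A handler built on this should have no code path that reaches 200 without `validator` returning true, which is the property the always-200 endpoint in the thread lacked.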