We have encountered a recurring issue in our application related to session management between AWS and Retool, which affects some users after extended use.
Our application integrates with two separate AWS snowflake accounts, and users are required to authenticate and remain connected to both accounts simultaneously throughout their session. However, we’ve observed that after prolonged usage—typically between 4 to 6 hours—some users are unexpectedly logged out of one of the AWS connections.
When the user attempts to re-authenticate with the disconnected AWS account, they are then logged out of the other account, resulting in a continuous loop. At this point, it becomes impossible for the user to maintain simultaneous authentication with both AWS accounts.
Clearing the browser cache and cookies does not seems to resolve the issue. Users generally wait until the Retool session fully expires before they are able to log back in and reestablish both connections successfully.
We have attached screenshots to help illustrate the issue.
Please let us know if further information is needed or if there are recommended steps we can take to prevent this behavior.
Hi @martinac, welcome to the Community Forum! I see that you mentioned some attached screenshots, but I don't see any attached. If you'd like to post them that could help us figure out the issue.
Are you using OAuth? Since logging into both accounts simultaneously works initially, is there something different you're doing when re-authenticating later?
Please let me know and I'll keep investigating on my end to see if there have been other instances of this behavior on Retool.
Thanks for the additional info! I did some digging and found that this is a bug that's been reported somewhat recently. More specifically, it's been seen in a very similar scenario: when reauthenticating multiple snowflake accounts with OAuth.
From what I've gathered, there doesn't seem to be much of a workaround. Someone with the right permissions can modify the resource config (e.g., change the user role, re-authenticate, and switch back), but I recognize that isn't very feasible. I've heard that in general the issue resolves after 20-30 min.
Luckily, our engineers do have a headstart on solving this issue. I'll be sure to update you in this thread if I hear of a fix!
Hi @martinac, I've been tracking this bug with another customer and it was found that this auth issue was caused by the OAUTH_ISSUE_REFRESH_TOKENS setting being set to False. What happens is there is an access token given when first authenticating but no refresh token given to stay authenticated, so then Retool tries to refresh, fails, and tries again until some connection cache or retry logic times out, and then it can start the process over again with a new access token.
Can you make sure OAUTH_ISSUE_REFRESH_TOKENS = True is set and let me know if that solves it?
