User's OIDC access token is not refreshed

RoseRey · January 6, 2023, 12:20am

We are using OpenID Connect SSO with Azure AD to authenticate users for Retool. We are passing back the same access token that Retool uses for SSO in order to authenticate to our REST Api, using %USER_OAUTH2_ACCESS_TOKEN%, as documented here:
https://docs.retool.com/docs/sso-generic-openid-provider#using-the-jwts-obtained-from-the-auth-flow-in-resources

Our REST API successfully accepts the token provided when the user initially authenticates into Retool.

However, if a user returns to the Retool browser window after a couple of hours, our API returns 401 errors because the token has expired. When examining the current_user global in Retool, the accessToken also shows as expired (the value of exp is in the past). This makes it seem that Retool is not refreshing the access token, even though the documentation linked above seems to indicate that Retool will refresh the tokens automatically.

Setting CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES did not make a difference. Are we correct in expecting the tokens to be automatically refreshed or is there any other configuration that we are missing to enable a new valid access token to be sent with our API calls? We are running Retool version 2.103.7.

Thank you.

Kabirdas · January 7, 2023, 12:49am

Hey @RoseRey!

It looks as though you have everything configured correctly thus far. It may help if we can see your container logs to check for any errors that may be occurring during the refresh flow

RoseRey · January 17, 2023, 4:30pm

Thank you for the response; you got us on the right track.

Looking at the logs, we found several messages saying

[oauth2sso] No refresh token found, skipping refresh

It turns out that we were missing a scope for Azure. We needed to add offline_access to the environment variable

CUSTOM_OAUTH2_SSO_SCOPES=openid profile email offline_access api://CLIENTIDGUID/Admin.Read

We are no longer getting 401s on our API calls.