Datasources don't refresh OAuth token

Joe_Alcorn · October 15, 2024, 9:12pm

I have a couple of data sources setup using OAuth2 Client Credentials Flow.
I can connect them just fine (I see “Access authorized” in the data source settings), and use them in an app. However, when the auth token expires, it doesn’t appear that the refresh token is used to get a new auth token. Apps using these datasources start displaying errors statting “Datasource authentication failed”.

I have to go update the data source, and click “reconnect your account” and save before I can use that data source in an app again.

I have looked in the audit logs, and other than the errors my actions are encountering in the apps, I am not seeing any correlated log entries.

spherebread · October 16, 2024, 1:11pm

Hi @Joe_Alcorn,

Thanks for reaching out!
In normal-case scenario UI Bakery automatically refreshes your token according to refresh_token and expiresIn from first retrieved token. Otherwise datasource container will throw an error Token is not refreshable. tokenId=.

Could you please do the steps below and check?

Send a request to your API via Postman/curl/etc and check if your token contains refresh_token and expiresIn claims;
Get logs of your datasource container (via docker logs datasource) and check if there are Token is not refreshable messages.

Joe_Alcorn · October 16, 2024, 3:58pm

Postman does show the refresh_token and expiresIn claims.

As far as showing the logs of the datasource container, I am using the SaaS version of the platform, so I don’t think I can look at the container logs.

spherebread · October 17, 2024, 2:49pm

Alrighty! May I clarify two more things?

What API service do you use?
Could you check “Show my token” current value in the Data Source settings?

image2502×988 215 KB

Joe_Alcorn · October 17, 2024, 3:20pm

Absolutely. The API service is OneLogin’s API (here are their docs).

For the “Show my token” value: Here is what I pulled from it just now:

{"accessToken":"<should be expired, but redacted anyway>","idToken":null,"refreshToken":"<redacted>","expiresIn":36000,"scope":null,"tokenType":"bearer","username":null,"issuedAt":"2024-10-16T21:09:52.000+00:00","refreshExpiresIn":null}

spherebread · October 18, 2024, 2:49pm

Interesting! Thanks for checking. I passed this thing to the dev team for further debugging (T-7718 for reference). We’ll get back to you next week!

spherebread · October 25, 2024, 9:43am

Hey @Joe_Alcorn,

I was able to find a root cause! OneLogin deprecated refresh_token for client_credentials according to RFC 6749.
As refresh token is still presented in token — UI Bakery is trying to use it and fails…

We’ll align our Client Credentials flow with RFC in next releases, stay tuned!

Thanks for your report

Joe_Alcorn · October 28, 2024, 2:47pm

Ha! Now that you say that I vaguely remember them announcing that a few years ago. Thanks for keeping on this.

spherebread · November 1, 2024, 12:47pm

Fixed in 3.105.0!
Could you please check on your end?

Joe_Alcorn · November 1, 2024, 7:51pm

And it works as expected. Count this one as solved!