topic Re: Issues with Refresh Token Handling in OAuth 2.0 in Developer

Issues with Refresh Token Handling in OAuth 2.0

Suraj_Ncircle — Tue, 18 Jun 2024 04:08:05 GMT

Hello everyone,

I'm encountering a persistent issue with handling refresh tokens in my custom Power BI connector, and I could use some expert advice.

Problem Description:

I building a custom Power BI connector that uses OAuth 2.0 PKCE for authentication.
The initial access token is retrieved successfully, but I'm running into problems when trying to use the refresh token to obtain a new access token.

Details:

Token and Expiration: Along with the access token, we receive an expiration time and a refresh token.
Long Data Fetch Duration: Fetching data takes more than 1 hour, during which the access token expires, necessitating a new access token.
Refresh Token Request Issue: When attempting to use the refresh token, the refresh request is sent twice in quick succession:
- The first request is successful and returns a new access token.
- The second request fails because it tries to use the same refresh token that was just invalidated by the first successful request.(Checking all the requests in Fiddler)
User Interruption: This issue causes an interruption where a window is displayed asking users to re-enter their credentials while data is being fetched from the API.

Current Implementation:

StartLogin = (resourceUrl, state, display) => let codeVerifier = Text.NewGuid() & Text.NewGuid(), AuthorizeUrl = authorizationUri & "?" & Uri.BuildQueryString( [ client_id = clientId, response_type = "code", code_challenge_method = "plain", scope = scope, code_challenge = codeVerifier, state = state, redirect_uri = callbackUri ] ) in [ LoginUri = AuthorizeUrl, CallbackUri = callbackUri, WindowHeight = 800, WindowWidth = 600, Context = codeVerifier ]; FinishLogin = (context, callbackUri, state) => let Parts = Uri.Parts(callbackUri)[Query] in TokenMethod(Parts[code], "authorization_code", context); TokenMethod = (code, grant_type, optional verifier) => let codeVerifier = if (verifier <> null) then [code_verifier = verifier] else [], codeParameter = if (grant_type = "authorization_code") then [code = code] else [refresh_token = code], query = codeVerifier & codeParameter & [ client_id = clientId, grant_type = grant_type, redirect_uri = callbackUri ], ManualHandlingStatusCodes = {400, 403}, Response = Web.Contents( tokenUri, [ Content = Text.ToBinary(Uri.BuildQueryString(query)), Headers = [ #"Content-type" = "application/x-www-form-urlencoded", #"Accept" = "application/json" ], ManualStatusHandling = ManualHandlingStatusCodes ] ), Parts = Json.Document(Response) in // check for error in response if (Parts[error]? <> null) then error Error.Record(Parts[error], Parts[message]?) else Parts; Refresh = (resourceUrl, refresh_token) => TokenMethod(refresh_token, "refresh_token"); // Data Source Kind description SampleConnector = [ Authentication = [ OAuth = [ StartLogin = StartLogin, FinishLogin = FinishLogin, Refresh = Refresh ] ], Label = "Sample Connector" ];

Re: Issues with Refresh Token Handling in OAuth 2.0

Anonymous — Tue, 18 Jun 2024 05:43:47 GMT

Hi @Suraj_Ncircle ,

It sounds like your custom Power BI connector is struggling with handling the refresh token properly, causing redundant requests and user interruptions. Please ensure that only one refresh token request is issued at a time:

shared Refresh = (resourceUrl, refresh_token) => let // Ensure only one refresh request is in process at a time TokenRefresh = createTokenRefreshFunction(refresh_token), Result = TokenRefresh() in Result; createTokenRefreshFunction = (refresh_token) => let inProgress = false, cachedToken = null, refreshTokenFunction = () => if inProgress then cachedToken else let _ = (inProgress := true), newToken = TokenMethod(refresh_token, "refresh_token"), _ = (cachedToken := newToken), _ = (inProgress := false) in newToken in refreshTokenFunction;

Best Regards

Re: Issues with Refresh Token Handling in OAuth 2.0

apdams — Fri, 05 Jul 2024 09:48:17 GMT

Hi
I have a similar problem and I hope you might be able to help.

I have a custom connector that works. It authenticates to Auth0 and gets a token that expires in 24 hours. The refresh token method also works and the expired token is refreshed.

My problem is that the "refresh_token" itself expires after 7 days and even though my Auth0 is set up to rotate refresh tokens, something is not working there. The refresh token expires and I have to do a manual refresh (re-sign-in to generate a new token) before 7 days in order for the next 7 days of refreshing kicks in.

So, my question is this: what do I need to do to get the rotated refresh token to be used?
The bit about all this that puzzles me is that even though the refresh token rotation is enabled on Auth0, I guess it is not really rotating the refresh token because, if it was, the second attempt to refresh using the old refresh token would fail.

At any rate, the symptoms of what is happening seems to indicate that the refresh token is not rotating and the old refresh token is reused until it expires (in 7 days in my case)
Here is my code if it helps any:

StartLogin = (dataSourcePath, state, display) => let json = Json.Document(dataSourcePath), codeVerifier = Text.NewGuid() & Text.NewGuid(), codeChallenge = Base64UrlEncodeWithoutPadding(Crypto.CreateHash(CryptoAlgorithm.SHA256, Text.ToBinary(codeVerifier, TextEncoding.Ascii))), AuthorizeUrl = json[auth_url] & "?" & Uri.BuildQueryString([ client_id = json[client_id], state = state, redirect_uri = redirect_uri, scope = DataMosaixDefaults[Scope],//json[scope], audience = DataMosaixDefaults[Audience],//json[audience], code_challenge_method = "S256", code_challenge = codeChallenge, response_type = "code"]) in [ LoginUri = AuthorizeUrl, CallbackUri = redirect_uri, WindowHeight = windowHeight, WindowWidth = windowWidth, Context = [code_verifier = codeVerifier] ]; FinishLogin = (clientApplication, dataSourcePath, context, callbackUri, state) => let json = Json.Document(dataSourcePath), Parts = Uri.Parts(callbackUri)[Query] in TokenMethod("authorization_code", json[deployment], Parts[code], json[token_url], json[client_id], context); Refresh = (dataSourcePath, refreshToken, oldCredential) => let json = Json.Document(dataSourcePath), refreshToken = oldCredential[refresh_token], result = TokenMethod("refresh_token", json[deployment], refreshToken, json[token_url], json[client_id]) in result; TokenMethod = (grant_type, deployment, authCode, token_url, client_id, optional context) => let CodeVerifier = if (context <> null) then [code_verifier = context[code_verifier]] else [], Parameters = if (grant_type = "authorization_code") then [ redirect_uri = redirect_uri, code = authCode ] else [ refresh_token = authCode ], Response = Web.Contents(token_url, [ Content = Text.ToBinary(Uri.BuildQueryString([ client_id = client_id, grant_type = grant_type, redirect_uri = redirect_uri] & Parameters & CodeVerifier)), Headers=[#"Content-type" = "application/x-www-form-urlencoded",#"Accept" = "application/json"]]), RefreshToken = if (grant_type = "authorization_code") then [] else [ refresh_token = authCode ], Parts = Json.Document(Response) in Parts;