Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started

Reply
Suraj_Ncircle
Frequent Visitor

Issues with Refresh Token Handling in OAuth 2.0

Hello everyone,

I'm encountering a persistent issue with handling refresh tokens in my custom Power BI connector, and I could use some expert advice.

Problem Description:

  • I building a custom Power BI connector that uses OAuth 2.0 PKCE for authentication.
  • The initial access token is retrieved successfully, but I'm running into problems when trying to use the refresh token to obtain a new access token.

Details:

  1. Token and Expiration: Along with the access token, we receive an expiration time and a refresh token.

  2. Long Data Fetch Duration: Fetching data takes more than 1 hour, during which the access token expires, necessitating a new access token.
  3. Refresh Token Request Issue: When attempting to use the refresh token, the refresh request is sent twice in quick succession:

    • The first request is successful and returns a new access token.
    • The second request fails because it tries to use the same refresh token that was just invalidated by the first successful request.(Checking all the requests in Fiddler)
  4. User Interruption: This issue causes an interruption where a window is displayed asking users to re-enter their credentials while data is being fetched from the API.

Current Implementation:

 

StartLogin = (resourceUrl, state, display) =>
    let
        codeVerifier = Text.NewGuid() & Text.NewGuid(),
        AuthorizeUrl = authorizationUri
            & "?"
            & Uri.BuildQueryString(
                [
                    client_id = clientId,
                    response_type = "code",
                    code_challenge_method = "plain",
                    scope = scope,
                    code_challenge = codeVerifier,
                    state = state,
                    redirect_uri = callbackUri
                ]
            )
    in
        [
            LoginUri = AuthorizeUrl,
            CallbackUri = callbackUri,
            WindowHeight = 800,
            WindowWidth = 600,
            Context = codeVerifier
        ];

FinishLogin = (context, callbackUri, state) =>
    let
        Parts = Uri.Parts(callbackUri)[Query]
    in
        TokenMethod(Parts[code], "authorization_code", context);

TokenMethod = (code, grant_type, optional verifier) =>
    let
        codeVerifier = if (verifier <> null) then [code_verifier = verifier] else [],
        codeParameter = if (grant_type = "authorization_code") then [code = code] else [refresh_token = code],
        query = codeVerifier
            & codeParameter
            & [
                client_id = clientId,
                grant_type = grant_type,
                redirect_uri = callbackUri
            ],
        ManualHandlingStatusCodes = {400, 403},
        Response = Web.Contents(
            tokenUri,
            [
                Content = Text.ToBinary(Uri.BuildQueryString(query)),
                Headers = [
                    #"Content-type" = "application/x-www-form-urlencoded",
                    #"Accept" = "application/json"
                ],
                ManualStatusHandling = ManualHandlingStatusCodes
            ]
        ),
        Parts = Json.Document(Response)
    in
        // check for error in response
         if (Parts[error]? <> null) then
             error Error.Record(Parts[error], Parts[message]?)
         else
            Parts;

Refresh = (resourceUrl, refresh_token) =>
    TokenMethod(refresh_token, "refresh_token");

// Data Source Kind description
SampleConnector = [
    Authentication = [
        OAuth = [
            StartLogin = StartLogin,
            FinishLogin = FinishLogin,
            Refresh = Refresh
        ]
    ],
    Label = "Sample Connector"
];

 

 

 

2 REPLIES 2
v-yiruan-msft
Community Support
Community Support

Hi @Suraj_Ncircle ,

It sounds like your custom Power BI connector is struggling with handling the refresh token properly, causing redundant requests and user interruptions. Please ensure that only one refresh token request is issued at a time:

shared Refresh = (resourceUrl, refresh_token) =>
    let
        // Ensure only one refresh request is in process at a time
        TokenRefresh = createTokenRefreshFunction(refresh_token),
        Result = TokenRefresh()
    in
        Result;

createTokenRefreshFunction = (refresh_token) =>
    let
        inProgress = false,
        cachedToken = null,
        
        refreshTokenFunction = () =>
            if inProgress then
                cachedToken
            else
                let
                    _ = (inProgress := true),
                    newToken = TokenMethod(refresh_token, "refresh_token"),
                    _ = (cachedToken := newToken),
                    _ = (inProgress := false)
                in
                    newToken
    in
        refreshTokenFunction;

Best Regards

Community Support Team _ Rena
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi
I have a similar problem and I hope you might be able to help.

I have a custom connector that works. It authenticates to Auth0 and gets a token that expires in 24 hours. The refresh token method also works and the expired token is refreshed.

My problem is that the "refresh_token" itself expires after 7 days and even though my Auth0 is set up to rotate refresh tokens, something is not working there. The refresh token expires and I have to do a manual refresh (re-sign-in to generate a new token) before 7 days in order for the next 7 days of refreshing kicks in.

So, my question is this: what do I need to do to get the rotated refresh token to be used? 
The bit about all this that puzzles me is that even though the refresh token rotation is enabled on Auth0, I guess it is not really rotating the refresh token because, if it was, the second attempt to refresh using the old refresh token would fail.

At any rate, the symptoms of what is happening seems to indicate that the refresh token is not rotating and the old refresh token is reused until it expires (in 7 days in my case)
Here is my code if it helps any:

StartLogin = (dataSourcePath, state, display) =>
    let
        json = Json.Document(dataSourcePath),
        codeVerifier = Text.NewGuid() & Text.NewGuid(),
        codeChallenge = Base64UrlEncodeWithoutPadding(Crypto.CreateHash(CryptoAlgorithm.SHA256, Text.ToBinary(codeVerifier, TextEncoding.Ascii))),

        AuthorizeUrl = json[auth_url] & "?" & Uri.BuildQueryString([
            client_id = json[client_id],
            state = state,
            redirect_uri = redirect_uri,
            scope = DataMosaixDefaults[Scope],//json[scope],
            audience = DataMosaixDefaults[Audience],//json[audience],
            code_challenge_method = "S256",
            code_challenge = codeChallenge,
            response_type = "code"])
    in
        [
            LoginUri = AuthorizeUrl,
            CallbackUri = redirect_uri,
            WindowHeight = windowHeight,
            WindowWidth = windowWidth,
            Context = [code_verifier = codeVerifier]
        ];

FinishLogin = (clientApplication, dataSourcePath, context, callbackUri, state) =>
    let
        json = Json.Document(dataSourcePath),
        Parts = Uri.Parts(callbackUri)[Query]
    in
        TokenMethod("authorization_code", json[deployment], Parts[code], json[token_url], json[client_id], context);

Refresh = (dataSourcePath, refreshToken, oldCredential) =>
    let
        json = Json.Document(dataSourcePath),
        refreshToken = oldCredential[refresh_token],
        result = TokenMethod("refresh_token", json[deployment], refreshToken, json[token_url], json[client_id])
    in
        result;

TokenMethod = (grant_type, deployment, authCode, token_url, client_id, optional context) =>
    let
        CodeVerifier = if (context <> null) then [code_verifier = context[code_verifier]] else [],
        Parameters = if (grant_type = "authorization_code") then [ redirect_uri = redirect_uri, code = authCode ] else [ refresh_token = authCode ],
        Response = Web.Contents(token_url, [
            Content = Text.ToBinary(Uri.BuildQueryString([
                client_id = client_id,
                grant_type = grant_type,
                redirect_uri = redirect_uri] & Parameters & CodeVerifier)),
            Headers=[#"Content-type" = "application/x-www-form-urlencoded",#"Accept" = "application/json"]]),
        RefreshToken = if (grant_type = "authorization_code") then [] else [ refresh_token = authCode ],
        Parts = Json.Document(Response)
    in
        Parts;

Helpful resources

Announcements
July 2024 Power BI Update

Power BI Monthly Update - July 2024

Check out the July 2024 Power BI update to learn about new features.

PBI_Carousel_NL_June

Fabric Community Update - June 2024

Get the latest Fabric updates from Build 2024, key Skills Challenge voucher deadlines, top blogs, forum posts, and product ideas.