Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
Suraj_Ncircle
Frequent Visitor

Issues with Refresh Token Handling in OAuth 2.0

‎06-17-2024 11:40 AM

Hello everyone,

I'm encountering a persistent issue with handling refresh tokens in my custom Power BI connector, and I could use some expert advice.

Problem Description:

  • I building a custom Power BI connector that uses OAuth 2.0 PKCE for authentication.
  • The initial access token is retrieved successfully, but I'm running into problems when trying to use the refresh token to obtain a new access token.

Details:

  1. Token and Expiration: Along with the access token, we receive an expiration time and a refresh token.

  2. Long Data Fetch Duration: Fetching data takes more than 1 hour, during which the access token expires, necessitating a new access token.

  3. Refresh Token Request Issue: When attempting to use the refresh token, the refresh request is sent twice in quick succession:

    • The first request is successful and returns a new access token.
    • The second request fails because it tries to use the same refresh token that was just invalidated by the first successful request.(Checking all the requests in Fiddler)

  4. User Interruption: This issue causes an interruption where a window is displayed asking users to re-enter their credentials while data is being fetched from the API.

Current Implementation:

 

StartLogin = (resourceUrl, state, display) =>
    let
        codeVerifier = Text.NewGuid() & Text.NewGuid(),
        AuthorizeUrl = authorizationUri
            & "?"
            & Uri.BuildQueryString(
                [
                    client_id = clientId,
                    response_type = "code",
                    code_challenge_method = "plain",
                    scope = scope,
                    code_challenge = codeVerifier,
                    state = state,
                    redirect_uri = callbackUri
                ]
            )
    in
        [
            LoginUri = AuthorizeUrl,
            CallbackUri = callbackUri,
            WindowHeight = 800,
            WindowWidth = 600,
            Context = codeVerifier
        ];

FinishLogin = (context, callbackUri, state) =>
    let
        Parts = Uri.Parts(callbackUri)[Query]
    in
        TokenMethod(Parts[code], "authorization_code", context);

TokenMethod = (code, grant_type, optional verifier) =>
    let
        codeVerifier = if (verifier <> null) then [code_verifier = verifier] else [],
        codeParameter = if (grant_type = "authorization_code") then [code = code] else [refresh_token = code],
        query = codeVerifier
            & codeParameter
            & [
                client_id = clientId,
                grant_type = grant_type,
                redirect_uri = callbackUri
            ],
        ManualHandlingStatusCodes = {400, 403},
        Response = Web.Contents(
            tokenUri,
            [
                Content = Text.ToBinary(Uri.BuildQueryString(query)),
                Headers = [
                    #"Content-type" = "application/x-www-form-urlencoded",
                    #"Accept" = "application/json"
                ],
                ManualStatusHandling = ManualHandlingStatusCodes
            ]
        ),
        Parts = Json.Document(Response)
    in
        // check for error in response
         if (Parts[error]? <> null) then
             error Error.Record(Parts[error], Parts[message]?)
         else
            Parts;

Refresh = (resourceUrl, refresh_token) =>
    TokenMethod(refresh_token, "refresh_token");

// Data Source Kind description
SampleConnector = [
    Authentication = [
        OAuth = [
            StartLogin = StartLogin,
            FinishLogin = FinishLogin,
            Refresh = Refresh
        ]
    ],
    Label = "Sample Connector"
];

 

 

 

Message 1 of 3
544 Views
0
2 REPLIES 2
v-yiruan-msft
Community Support
Community Support

‎06-17-2024 10:43 PM

Hi @Suraj_Ncircle ,

It sounds like your custom Power BI connector is struggling with handling the refresh token properly, causing redundant requests and user interruptions. Please ensure that only one refresh token request is issued at a time:

shared Refresh = (resourceUrl, refresh_token) =>
    let
        // Ensure only one refresh request is in process at a time
        TokenRefresh = createTokenRefreshFunction(refresh_token),
        Result = TokenRefresh()
    in
        Result;

createTokenRefreshFunction = (refresh_token) =>
    let
        inProgress = false,
        cachedToken = null,
        
        refreshTokenFunction = () =>
            if inProgress then
                cachedToken
            else
                let
                    _ = (inProgress := true),
                    newToken = TokenMethod(refresh_token, "refresh_token"),
                    _ = (cachedToken := newToken),
                    _ = (inProgress := false)
                in
                    newToken
    in
        refreshTokenFunction;

Best Regards

Community Support Team _ Rena
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 3
491 Views
0
apdams
Frequent Visitor
In response to v-yiruan-msft

‎07-05-2024 02:48 AM

Hi
I have a similar problem and I hope you might be able to help.

I have a custom connector that works. It authenticates to Auth0 and gets a token that expires in 24 hours. The refresh token method also works and the expired token is refreshed.

My problem is that the "refresh_token" itself expires after 7 days and even though my Auth0 is set up to rotate refresh tokens, something is not working there. The refresh token expires and I have to do a manual refresh (re-sign-in to generate a new token) before 7 days in order for the next 7 days of refreshing kicks in.

So, my question is this: what do I need to do to get the rotated refresh token to be used? 
The bit about all this that puzzles me is that even though the refresh token rotation is enabled on Auth0, I guess it is not really rotating the refresh token because, if it was, the second attempt to refresh using the old refresh token would fail.

At any rate, the symptoms of what is happening seems to indicate that the refresh token is not rotating and the old refresh token is reused until it expires (in 7 days in my case)
Here is my code if it helps any:

StartLogin = (dataSourcePath, state, display) =>
    let
        json = Json.Document(dataSourcePath),
        codeVerifier = Text.NewGuid() & Text.NewGuid(),
        codeChallenge = Base64UrlEncodeWithoutPadding(Crypto.CreateHash(CryptoAlgorithm.SHA256, Text.ToBinary(codeVerifier, TextEncoding.Ascii))),

        AuthorizeUrl = json[auth_url] & "?" & Uri.BuildQueryString([
            client_id = json[client_id],
            state = state,
            redirect_uri = redirect_uri,
            scope = DataMosaixDefaults[Scope],//json[scope],
            audience = DataMosaixDefaults[Audience],//json[audience],
            code_challenge_method = "S256",
            code_challenge = codeChallenge,
            response_type = "code"])
    in
        [
            LoginUri = AuthorizeUrl,
            CallbackUri = redirect_uri,
            WindowHeight = windowHeight,
            WindowWidth = windowWidth,
            Context = [code_verifier = codeVerifier]
        ];

FinishLogin = (clientApplication, dataSourcePath, context, callbackUri, state) =>
    let
        json = Json.Document(dataSourcePath),
        Parts = Uri.Parts(callbackUri)[Query]
    in
        TokenMethod("authorization_code", json[deployment], Parts[code], json[token_url], json[client_id], context);

Refresh = (dataSourcePath, refreshToken, oldCredential) =>
    let
        json = Json.Document(dataSourcePath),
        refreshToken = oldCredential[refresh_token],
        result = TokenMethod("refresh_token", json[deployment], refreshToken, json[token_url], json[client_id])
    in
        result;

TokenMethod = (grant_type, deployment, authCode, token_url, client_id, optional context) =>
    let
        CodeVerifier = if (context <> null) then [code_verifier = context[code_verifier]] else [],
        Parameters = if (grant_type = "authorization_code") then [ redirect_uri = redirect_uri, code = authCode ] else [ refresh_token = authCode ],
        Response = Web.Contents(token_url, [
            Content = Text.ToBinary(Uri.BuildQueryString([
                client_id = client_id,
                grant_type = grant_type,
                redirect_uri = redirect_uri] & Parameters & CodeVerifier)),
            Headers=[#"Content-type" = "application/x-www-form-urlencoded",#"Accept" = "application/json"]]),
        RefreshToken = if (grant_type = "authorization_code") then [] else [ refresh_token = authCode ],
        Parts = Json.Document(Response)
    in
        Parts;
Message 3 of 3
381 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All