Best answer

An issue with OAuth2 refresh_token

  • 9 April 2020
  • 4 replies
  • 2197 views

Userlevel 2

Hi,

I am having a problem with OAuth2. When the token expires Zapier requests a refresh using the refesh_token call to do that with the refresh token but does not send clientId or Client Secret.

So our server (Kahootz) is rejecting the request.

I read through the RFC6749 https://www.ietf.org/rfc/rfc6749.txt and see that in section 6 it says:

“The authorization server MUST:

o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),

o authenticate the client if client authentication is included and ensure that the refresh token was issued to the authenticated client, and

o validate the refresh token.”

Since I set up the Auth using a client secret I think that this means the client secret and clientId should also get passed in the refresh_token request.

I also found the following page

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

which says:

“Client Authentication (required if the client was issued a secret)

Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.”

Am I missing something here?

Kevin

icon

Best answer by ikbelkirasan 14 April 2020, 12:50

View original

This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

4 replies

Userlevel 7
Badge +11

Hi @kevin_r - Where do you store the client ID and client secret? As environment variables? Are you including them in the request when you try to refresh the token?

Userlevel 2

I am not doing anything in particular with them. I followed the instructions for logging in with OAuth.

The refresh seems to happen when needed without my intervention.

Is there a document somewhere that tells me where i should save client ID and client secret and how to do that?

Kevin

Userlevel 7
Badge +11

Hi @kevin_r - The Client ID and Client Secret should be added as environment variables, then you should implement the refresh token method. Here is how to do it in the UI:

 

Userlevel 2

I found the place I have to add them. Its working now.

Thank you. I had missed the significance of the ability to edit parameters in the refresh.

Kevin