I am having a problem with OAuth2. When the token expires Zapier requests a refresh using the refresh_token call to do that with the refresh token, but does not send the client ID or client secret.
So our server (Kahootz) is rejecting the request.
I read through the RFC6749 https://www.ietf.org/rfc/rfc6749.txt and see that in section 6 it says:
“The authorization server MUST:
o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),
o authenticate the client if client authentication is included and ensure that the refresh token was issued to the authenticated client, and
o validate the refresh token.”
Since I set up the Auth using a client secret I think that this means the client secret and clientId should also get passed in the refresh_token request.
I also found the following page
“Client Authentication (required if the client was issued a secret)
Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_secret, or accept the client ID and secret in the HTTP Basic auth header.”
Am I missing something here?
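The exchange the question is about, as an added example that is not part of the original post and not Zapier's or Kahootz's code: the client builds an RFC 6749 section 6 refresh request with the client credentials either in the form body or in an HTTP Basic Authorization header (section 2.3.1), and the server enforces the three MUSTs quoted above. The client registration, the refresh-token store and the secret are constructed sample data; token rotation on each refresh is a design choice the RFC permits, not something the page requires.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, quote, unquote

# Constructed sample registration: one confidential client that was issued a secret.
CLIENTS = {"zapier-app": "s3cr3t-example"}  # not real credentials

# Constructed refresh-token store: token -> which client it was issued to, and whether revoked.
REFRESH_TOKENS = {
    "rt-abc123": {"client_id": "zapier-app", "revoked": False},
    "rt-other": {"client_id": "other-app", "revoked": False},
}


def build_refresh_request(refresh_token, client_id, client_secret, use_basic_auth=True):
    """Client side: return (headers, body) for a refresh_token grant.

    use_basic_auth=True puts the credentials in an Authorization: Basic header
    (RFC 6749 2.3.1, the recommended form); False sends client_id/client_secret
    as form parameters, which the RFC permits but does not recommend.
    """
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if use_basic_auth:
        # 2.3.1: id and secret are form-urlencoded before being base64-joined with ':'
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    else:
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    return headers, urlencode(params)


def _extract_client_credentials(headers, form):
    """Accept credentials from the Basic header first, then from the form body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None
        cid, sep, sec = decoded.partition(":")
        if not sep:
            return None, None
        return unquote(cid), unquote(sec)
    return form.get("client_id", [None])[0], form.get("client_secret", [None])[0]


def handle_token_request(headers, body):
    """Server side: the section 6 checks. Returns (http_status, json_payload)."""
    form = parse_qs(body)
    if form.get("grant_type") != ["refresh_token"]:
        return 400, {"error": "unsupported_grant_type"}

    # MUST require client authentication for confidential clients: a request
    # with no credentials at all (the case in the question) is rejected here.
    client_id, client_secret = _extract_client_credentials(headers, form)
    if client_id is None or client_secret is None:
        return 401, {"error": "invalid_client"}

    # MUST authenticate the client; constant-time compare to avoid timing leaks.
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}

    # MUST validate the refresh token ...
    token = form.get("refresh_token", [None])[0]
    record = REFRESH_TOKENS.get(token)
    if record is None or record["revoked"]:
        return 400, {"error": "invalid_grant"}
    # ... and ensure it was issued to the authenticated client.
    if record["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}

    # Rotate: the old refresh token is revoked and a new one issued (permitted by section 6).
    record["revoked"] = True
    new_refresh = "rt-" + secrets.token_urlsafe(16)
    REFRESH_TOKENS[new_refresh] = {"client_id": client_id, "revoked": False}
    return 200, {
        "access_token": "at-" + secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": new_refresh,
    }


if __name__ == "__main__":
    hdrs, body = build_refresh_request("rt-abc123", "zapier-app", "s3cr3t-example")
    print(handle_token_request(hdrs, body))
```

A request carrying only grant_type and refresh_token, which is what the question describes Zapier sending, stops at the first check with invalid_client; the same token sent with the right credentials succeeds once and is then refused on reuse.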
Best answer by ikbelkirasan
I found the place I have to add them. It's working now.
Thank you. I had missed the significance of the ability to edit parameters in the refresh.
@kevin_r - Where do you store the client ID and client secret? As environment variables? Are you including them in the request when you try to refresh the token?
@kevin_r - The Client ID and Client Secret should be added as environment variables, then you should implement the refresh token method. Here is how to do it in the UI:
I am not doing anything in particular with them. I followed the instructions for logging in with OAuth.
The refresh seems to happen when needed without my intervention.
Is there a document somewhere that tells me where I should save the client ID and client secret and how to do that?