Skip to main content

Get Support
Have a question? Let's get you an answer!

How Do I...? Troubleshooting Code & Webhooks Developer Zone

Other Help Resources
Wait, there's more! Check out these Community sourced spaces for additional resources.

Zapier Help Center Hire an Expert

Learning Resources
All of our best learning resources can be found here.

Featured Articles Show & Tell Zapier's products AI Hub Zapier Tools Hub

Share your knowledge
Give back to the Community by sharing your automation wins and helping to answer questions.

Share your success See unanswered questions User Groups

Other Learning Resources
Some of our favorite additional ways to upskill your Zapier knowledge.

Zapier Learn Zapier Blog Zapier Webinars

Product Updates
Check out what is new and upcoming with Zapier with our regular product updates.

Product Updates

Early Access Program
Want to join Early Access? Learn more here.

Hi,

I am having a problem with OAuth2. When the token expires Zapier requests a refresh using the refesh_token call to do that with the refresh token but does not send clientId or Client Secret.

So our server (Kahootz) is rejecting the request.

I read through the RFC6749 https://www.ietf.org/rfc/rfc6749.txt and see that in section 6 it says:

“The authorization server MUST:

o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),

o authenticate the client if client authentication is included and ensure that the refresh token was issued to the authenticated client, and

o validate the refresh token.”

Since I set up the Auth using a client secret I think that this means the client secret and clientId should also get passed in the refresh_token request.

I also found the following page

https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

which says:

“Client Authentication (required if the client was issued a secret)

Typically, refresh tokens are only used with confidential clients. However, since it is possible to use the authorization code flow without a client secret, the refresh grant may also be used by clients that don’t have a secret. If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.”

Am I missing something here?

Kevin

Hi @kevin_r - Where do you store the client ID and client secret? As environment variables? Are you including them in the request when you try to refresh the token?

I am not doing anything in particular with them. I followed the instructions for logging in with OAuth.

The refresh seems to happen when needed without my intervention.

Is there a document somewhere that tells me where i should save client ID and client secret and how to do that?

Kevin

Hi @kevin_r - The Client ID and Client Secret should be added as environment variables, then you should implement the refresh token method. Here is how to do it in the UI:

 

I found the place I have to add them. Its working now.

Thank you. I had missed the significance of the ability to edit parameters in the refresh.

Kevin

Terms & Conditions