Best answer

Usage of refresh-token functionality in session auth schema

  • 28 April 2021
  • 6 replies

I am building a Zapier integration wherein I need to have the functionality of refreshing the authentication tokens based on a refresh token provided and stored in bundle.authData.refresh_token at the beginning (the very first API call with username, password). I am using session auth as the same seems to be the best fit in my use case though I found out refresh_token functionality is supported with oauth2 but the same is not provided by the backend API for which I am building the Zapier integration. 


The backend API is providing an AuthResponse JSON which is having access_token and refresh_token and it is expected from the backend to refresh access_tokens every 15 mins using the refresh_token provided in the beginning.


I wrote code for authentication using the session-auth GitHub example by Zapier and added a trigger everything working fine the integration is passing all the tests too. But I know that the Zapier will not be able to poll for posts/ triggers subsequently as I need some way to refresh the Bearer token. Which I am finding no way of doing in the session auth system.


Best answer by dinesh_sharma 29 June 2021, 18:22

View original

This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

6 replies

Userlevel 7
Badge +9

I think what you might look at is computed fields. Declare one of those and use it to stuff that refresh token into.  Then grab that value from in your token exchange logic. And if no token exists, you’ll know it’s an initial login and you should use the username and password instead. 

Most session auth implementations simply exchange user provided credentials for a token every time. I’ll assume here there’s a reason why creating a brand new session key on each exchange is inappropriate for your API.   

Let us know if that doesn’t get you up and running.

Hey, thanks @Zane it really helped.

Hi @Zane, though the integration did work to start with, that’s why the early success message above. However, it is falling apart after 15 mins when the token is expiring.

I couldn’t able to refresh the token, I have added the computed field, and logic of refreshing the token in the getAccessToken function only. Kinda getSessionKey function of session-auth example app, here only I am making the decision whether or not it is the first login request (in that case I am doing z.request to /login endpoint otherwise /refreshToken endpoint). 

I am making a call to the above getAccessToken function from the includeSessionKeyHeader function responsible for adding the token in Authorization Header. I picked this point as this is where I am adding the token to Authorization header, and refreshing the token just before that felt okay to me. But I am getting this “TypeError: z.request is not a function” error and failing the tests. z.request could able to make successful call to /login endpoint but why it is not working for /refreshToken being called from the same function only with if-else logic. 

Other than this I see the “request” object is used to deal with headers is it a special object like “z” and “bundle” provided by Zapier, couldn’t see much on it in the documentation. 

Hey @Zane as you said above “Most session auth implementations simply exchange user provided credentials for a token every time”.

Then logic for refreshing tokens is needless, (I am doing it for a hypothetical test use case) Zapier should automatically use the saved user’s username and password and generate the AuthResponse every time and go for /login endpoint, I don’t why the Zapier app is breaking then. Maybe it is because of includeAccessTokenHeader function’s issue which is adding the existing token all the time into the Authorization header which looks like it is using the older and expired one only. 

Userlevel 7
Badge +10

Just checking in to see if you still need help with this? 

@AndrewJDavison_Luhhu Thanks for checking in, and sorry for my delayed response. Yes the test application I was building is done thanks to you guys and pretty good documentation Zapier have done.