Generic Credential Type > OAuth2 API is not refreshing the token with authorization code flow

Describe the problem/error/question

I can set up OAuth for integrating with our timesheet service, but it eventually stops working and requires clicking “reconnect” in the credential. I was expecting credential type “Generic Credential Type > OAuth2 API” to automatically obtain a new access token once it expires, but apparently that does not happen.

  1. Am I correct about that, or am I wrong?

  2. No matter if I am right or wrong, how can I deal with the situation? Manually reconnecting is not an option, as this means that I have to wait for a production failure and intervene at that point, or tell someone to click the button each day.

Setup

As I said it is an authorization code flow with authorization url and access token url. I provide a client ID and a secret in the body. Everything else is blank or default.

Here are the setup instructions from the service I am integrating:

Diagnosis

An HTTP node suddenly returned 400 Bad Request:

"error": {
  "message": "Bad request - please check your parameters",
  "timestamp": 1234,
  "name": "NodeApiError",
  "description": "HTTP status 400",
  "context": {}
}

This was working perfectly fine before. So I removed pagination from the node and obtained a different error:

"error": {
  "status": 400,
  "body": "{\\"status\\":400,\\"message\\":\\"redirect_uri must not be blank\\"}",
  "code": "ESTATUS"
}

This gave me the hint that it's an OAuth problem. After reconnecting in the credential everything was fine again.

core

  • n8nVersion: 1.113.3
  • platform: docker (cloud)
  • nodeJsVersion: 22.19.0
  • nodeEnv: production
  • database: sqlite
  • executionMode: regular
  • concurrency: 50

Hi @triangle 👋 n8n automatically refreshes the auth tokens within the OAuth2 flow, which does not seem to work in your case and can have different reasons. Refreshing the credentials requires a refresh_token; by the spec it is only sent when the offline_access scope is provided. A lot of identity providers send the refresh token anyway, so check if adding offline_access solves your problem.

It’s also possible that the refresh token itself has expired, which requires reauthenticating again. The refresh token lifetime again depends on the identity provider and varies greatly. The access token is only refreshed on execution of the HTTP Request node, so if the node is executed in intervals greater than the refresh token the credentials will always be outdated.

The error with redirect_uri indicates that the problem might also be a missing redirect_uri in the token refresh request. By the spec this parameter is optional and some identity providers might throw an error if it’s not present. n8n does not send the redirect_uri in the token refresh request, so this will indeed be a problem if it’s required by the Tempo API. If the other solutions do not work for you, I suggest firing a feature request “to include redirect_uri in oauth2 token refresh requests” at GitHub.

Thanks for your reply, yes a redirect_uri is mandatory:

How to retrieve a new access token from the refresh token

The access token will eventually expire. You need to renew it using the previously received refresh token:

POST: https://api.tempo.io/oauth/token/

sending the following parameters in the body using the “application/x-www-form-urlencoded” format:

grant_type = "refresh_token"
client_id = $CLIENT_ID
client_secret = $CLIENT_SECRET
redirect_uri = $REDIRECT_URI
refresh_token = $REFRESH_TOKEN

I have had multiple problems with OAuth and I now default to redirecting to an n8n webhook in a workflow that sets a variable for me. I then use this variable as auth. I have not found another solution as there is no PUT for credentials…
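
The refresh request quoted from the Tempo documentation above, written out as an added example (not code from the thread, n8n, or Tempo): it sends `redirect_uri` with the refresh grant, keeps the old refresh token when the provider does not rotate it, and separates "user must reconnect" from other failures. Assumptions: Node.js 18+ (global `fetch`), success responses shaped as in RFC 6749 section 5.1, and hypothetical function names.

```javascript
// Added example: OAuth2 refresh_token grant that also sends redirect_uri.
// Token URL and parameter names are the ones quoted from the Tempo docs above.
const TOKEN_URL = "https://api.tempo.io/oauth/token/";

// Build the form-encoded request. Secrets go in the body only, never in the URL.
function buildRefreshRequest({ clientId, clientSecret, redirectUri, refreshToken }) {
  for (const [k, v] of Object.entries({ clientId, clientSecret, redirectUri, refreshToken })) {
    if (!v) throw new Error(`missing ${k}`); // fail before sending a request the server rejects
  }
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
    refresh_token: refreshToken,
  });
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Turn the token endpoint's answer into the state to persist.
// Assumption: success responses follow RFC 6749 section 5.1.
function parseTokenResponse(status, json, previousRefreshToken, nowMs = Date.now()) {
  if (status < 200 || status >= 300 || !json.access_token) {
    const reason = json.error_description || json.error || json.message || "unknown error";
    const err = new Error(`token refresh failed (HTTP ${status}): ${reason}`);
    // invalid_grant means the refresh token is expired or revoked: a user must reconnect.
    err.needsReauthorization = json.error === "invalid_grant";
    throw err;
  }
  return {
    accessToken: json.access_token,
    // A rotated refresh token replaces the old one; otherwise keep the old one.
    refreshToken: json.refresh_token || previousRefreshToken,
    // Refresh 60 s early so a request never starts with a token about to expire.
    expiresAtMs: json.expires_in ? nowMs + (json.expires_in - 60) * 1000 : null,
  };
}

// fetchImpl is injectable so the flow can be exercised without network access.
async function refreshAccessToken(creds, fetchImpl = fetch) {
  const { url, ...init } = buildRefreshRequest(creds);
  const res = await fetchImpl(url, init);
  const json = await res.json().catch(() => ({}));
  return parseTokenResponse(res.status, json, creds.refreshToken);
}
```

Store the returned `refreshToken` after every call, and run the refresh on a schedule shorter than the refresh token's lifetime so it does not lapse between executions.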