OAuth 2 credentials - different refresh token URL

okhalil · September 25, 2022, 10:40pm

Hi, I’m using the HTTP Request node to contact to an API that requires a different refresh token URL.
Now going to connection and filling in the information I can specify only the access token url but not a different refresh token url. is it possible?
My second question is that this API requires a different naming for client id, it should be client_key=<client_id>
Is there a way to have both of these without me building the auth on my own?

Thanks in Advance!
Omar

Jon · September 26, 2022, 10:00am

Hey @okhalil,

Welcome to the community

When you say a different refresh token URL what do you mean? I thought the spec of OAuth2 was to use the same URL for access token and refresh token

Could it be that the API you are working with is using OAuth 1.0 which would use the key parameter as well?

Do you happen to have a link for the api docs for the service you are working with?

okhalil · September 27, 2022, 10:33pm

Hi @Jon, thank you so much for the quick response.

I couldn’t exactly find information in the RFC of the OAuth2 Implementation about whether refresh token URL should be the same as access token.
But sadly the service still uses a different path, I still didn’t test yet whether this will represent a problem since I’m not that far to get it authenticated.
Still unfortuantely throughout my OAuth2 journey i noticed many APIs doing wonky implementations.

It’s definitely OAuth2, no key parameters or unique identifier.

The API I’m talking about is TikTok’s here are the docs:
https://developers.tiktok.com/doc/login-kit-manage-user-access-tokens/

Also they don’t call “client_id” this way, they call it “client_key” which I never saw in my life!

If I got this creds to work somehow I can submit a PR to add it natively to n8n.

Thanks for your time!
Omar

Jon · September 28, 2022, 8:17am

Hey @okhalil,

I have been looking at a few implementations of the TikTok API and it doesn’t look like any of them use the refresh url which is interesting, What happens if you just try to connect using the fields we offer up?

okhalil · September 28, 2022, 8:54pm

Hi Jon, that’s really interesting, I suppose they have a redirect from refresh-token to access-token as I saw many other non-standard implementations.

Right now I solved the client_id needing to be client_key by giving client_key in the “Auth URI Query Parameters” field.

Now they refused my app request to go in production because they need me to have a full-fledged privacy policy and terms of service pages.

I will update you once I can go in production!