OAuth2 token refreshing

M3gaFr3ak · January 17, 2021, 11:32am

Hello,

I’m trying to access the Withings API using the HTTPRequest node. I managed to workaround their broken access_token system (Using a Webhook workflow conditioning the body of the message to have a conforming format). Now I’m struggling with token refreshing: I reliably get an access- and refresh token, but according to my workaround-webhook execution history, the token is never refreshed (the workaround is apparently only called once: when initially getting the access_token).
Do n8n OAuth2 credentials actually refresh the access_token or is something broken?

jan · January 17, 2021, 11:38am

Welcome to the community @M3gaFr3ak!

When you are using the HTTP Request node and select under “Authentication” → “OAuth2” and configure everything correctly it will refresh the token automatically as soon as a request gets made that returns that the used token is not valid anymore.
If you build your own OAuth “process” with Webhook and HTTP Request nodes, then you would also have to take care of the refresh yourself.

M3gaFr3ak · January 17, 2021, 11:50am

I only intercept the get token URL. I guess that withings also implemented the “access token invalid message” incorrectly. I will investigate this.

Does the HTTPRequest make a request, refresh the token if invalid and then makes the request again?

jan · January 17, 2021, 12:25pm

You can see the logic here:

github.com

n8n-io/n8n/blob/master/packages/core/src/NodeExecuteFunctions.ts#L164

      
        
            		return;
            	}
            	try {
            		const length = await new Promise((res, rej) => {
            			formData.getLength((error: Error | null, length: number) => {
            				if (error) {
            					rej(error);
            					return;
            				}
            				res(length);
            			});
            		});
            		headers = Object.assign(headers, {
            			'content-length': length,
            		});
            	} catch (error) {
            		Logger.error('Unable to calculate form data length', { error });
            	}
            }
            
            
async function parseRequestObject(requestObject: IDataObject) {

It makes a request and if “401” gets returned (which means “Unauthorized” and that the access token is not valid anymore) it uses the refresh-token to refresh the access token. That new token gets then used to repeat the request.

M3gaFr3ak · January 17, 2021, 7:31pm

This is the output of the HTTPRequest when the token is invalid:

[
  {
    "status": 401,
    "body": {
    },
    "error": "XRequestID: Not provided invalid_token: The access token provided is invalid"
  }
]

Executing it again doesn’t change the fact, it seems to keep using the invalid token

jan · January 17, 2021, 7:39pm

Do you use the OAuth2 feature of the node? Else it will not retry as described above.

M3gaFr3ak · January 17, 2021, 7:43pm

I’m using OAuth2 in the authorization field. Is the “status” in this json the status of the request or part of the returned json?

jan · January 17, 2021, 10:50pm

That should be the actual response code. The “returned json” should be under “body”. So should work.

Is there anything you can send me via private message that we can reproduce that?

M3gaFr3ak · January 17, 2021, 11:54pm

I could give you full access to everything as it’s my private server and my account (could also do a dummy account). How do I send a PM on this forum?

RicardoE105 · January 18, 2021, 2:50am

@M3gaFr3ak

Click the username, click message, and then type the message as a private message.

jan · January 18, 2021, 6:28am

Additionally, could you maybe also create another account that does not contain any data (not sure if possible in that software).

M3gaFr3ak · January 21, 2021, 10:57am

I can’t find the message button, maybe it’s a permissions issue?

@jan I’m pretty flexible. If you want, we could do a video call where I demonstrate it, I can also give you full access to my n8n instance. The withings account can be recreated or I can give you my data. There’s apparently also a “dummy” parameter one can use when requesting a token.