OAuth2 token won't refresh

Describe the problem/error/question

I have an OAuth2 service where the access token expires after an hour and I have to reauthenticate on the credentials page. I believe this is because the service is not returning an HTTP error status, but a 200 response and the following JSON message:

[
  {
     "error": "Authentication failed"
  }
]

Any flows using this credential cannot continue until I reconnect it at this point.

What’s the best way to get this to work?
Can I get it going with a custom credential type? Not something I really want to get into, but if that’s the only way to get it working I will.

Information on your n8n setup

  • n8n version: 1.4.1
  • Database: Postgres
  • n8n EXECUTIONS_PROCESS setting: default
  • Running n8n via: docker
  • Operating system: Ubuntu

Thanks!

Hey @TomSpidge,

You are probably onto something there. We expect a 401 status to know when to get a new token, but if you were to create a node you would have an option to set the status code to look for, which might not be ideal as any request would have a 200 status, so it would refresh on every call :thinking:

I am not really sure of a way around this without either making a custom node or credential with a preauthentication option on it to manually handle the refresh based on the response body.

Out of interest what service are you interacting with?

It’s Administrate again, I never got much past the connection working last time as GraphQL is not my favourite thing.

Have you got any more details on the preauthentication option - not sure that’s something I’ve come across yet.

Hey @TomSpidge,

Looking at their docs, they say they follow the OAuth2 specs and link to a page that contains the RFC for OAuth, and in there it has this: RFC 6749 - The OAuth 2.0 Authorization Framework, which says they should return a 400 status code for an error, including expired tokens… If they are returning a 200 response, I would be raising that as an issue with them :slight_smile:

For the Preauth, you can find an example in the Metabase credential… Thinking about it though, if we never detect it as an issue it might not trigger the preauth, so the only other possible option would be to create a custom node.

OK, I’ve gone back in with Postman - it looks like I may have been on the wrong track. I’m getting a 401 back there, would that be supposed to work, or does it have to be specifically a 400?

That said, Postman is also having trouble refreshing the token so I should be able to do some more digging there and see what I can find out.

Hey @TomSpidge,

I think, while the RFC states 400, it does also list 401 as a valid code, which seems to be what most providers implement and what we check for.

1 Like

Thanks for the quick help Jon, much appreciated.

I’ve had some success with Postman - the request on the refresh post needed to include the client_id and client_secret which it didn’t seem to by default. Could it be a similar issue in n8n?

1 Like

Well, I think I’ve got something working, between your advice, common sense and some reading other posts in the forum.
Rather than getting into development at this stage, I’ve added a scheduled workflow to export the credentials, use the refresh token and then re-import the credentials which at the moment seems to be working. I’ll have to give it an hour or two and see if everything keeps working, but initial tests are promising.

2 Likes

@TomSpidge that is probably it, I don’t think we include the client_id and client_secret on a refresh as it normally isn’t needed. That might be something you can do in a pre-authenticate part of a credential :thinking:

Your workaround, while ugly, would also do the job.

2 Likes
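
The two behaviours discussed in this thread, as an added example that is not code from any poster or from n8n: building a refresh request that carries the client credentials (RFC 6749 section 6 requires confidential clients to authenticate on refresh; section 2.3.1 prefers HTTP Basic over body fields), and recognising a rejected token whether it arrives as a 401 or as the 200 response with the error body quoted in the question. The function names and all URLs and credential values are assumptions made for illustration.

```javascript
// Added example. Function names are hypothetical; sample values in callers are constructed.

// application/x-www-form-urlencoded encoding of one value (RFC 6749 Appendix B).
const formEncode = (s) => new URLSearchParams([['', s]]).toString().slice(1);

// Build the refresh_token grant request (RFC 6749 section 6).
// clientAuth: 'header' sends HTTP Basic, 'body' sends client_id/client_secret as form fields.
function buildRefreshRequest({ tokenUrl, refreshToken, clientId, clientSecret, clientAuth = 'header' }) {
  const form = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' };
  if (clientAuth === 'body') {
    form.set('client_id', clientId);
    form.set('client_secret', clientSecret);
  } else if (clientAuth === 'header') {
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = `Basic ${Buffer.from(pair).toString('base64')}`;
  } else {
    throw new Error(`unknown clientAuth: ${clientAuth}`);
  }
  return { method: 'POST', url: tokenUrl, headers, body: form.toString() };
}

// Decide whether an API response means "access token rejected, refresh and retry".
// Covers the 401 case and the 200-with-error-body case quoted in the question.
function tokenRejected(status, bodyText) {
  if (status === 401) return true;
  if (status !== 200) return false;
  let parsed;
  try { parsed = JSON.parse(bodyText); } catch { return false; }
  const items = Array.isArray(parsed) ? parsed : [parsed];
  return items.some((i) => i !== null && typeof i === 'object' && i.error === 'Authentication failed');
}

// Redact secrets before a request is logged while debugging the refresh flow.
function redact(req) {
  const body = new URLSearchParams(req.body);
  for (const k of ['client_secret', 'refresh_token']) if (body.has(k)) body.set(k, '***');
  const headers = { ...req.headers };
  if (headers.Authorization) headers.Authorization = 'Basic ***';
  return { ...req, headers, body: body.toString() };
}
```

Matching on the exact error string keeps ordinary 200 responses from triggering a refresh on every call, which is the concern raised earlier in the thread.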