[Bug]: OAuth 2.0 token is NOT refreshed

[felix-appsmith]

Is there an existing issue for this?

• [X] I have searched the existing issues

Description

We are not authenticating a data source in this case with Zoho. Zoho provides a token that expires approximately an hour after it is obtained. Once the token expires, Appsmith does not automatically refresh this token, which causes the API to fail.

Steps To Reproduce

1. Enter the [Zoho development console](https://api-console.zoho.com/add).

2. Create a new client and use the client called 'Server-based Applications'.

3. Get your Homepage URL in Appsmith. Configure the application as follows:

   Client Name: <<Appname>>
   Homepage URL: <<YourAppsmithApplicationURL>>
   Authorized Redirect URIs: https://app.appsmith.com/api/v1/datasources/authorize

4. Press the CREATE button.

5. After creating your application, you will obtain your Client ID and Client Secret credentials on a dashboard like this.

6. Add a new data source of Authenticated API type

7. Data source configuration

8. URL: https://expense.zoho.com/
   Authentication Type: OAuth 2.0
   Grant Type: Authorization Code
   Add Access Token To: Request Header
   Header Prefix: Bearer
   Access Token URL: https://accounts.zoho.com/oauth/v2/token
   Client ID: <<YourClientID>>
   Client Secret: <<YourClientSecret>>
   Scope(s): ZohoExpense.fullaccess.ALL
   Client Authentication: Send as Basic Auth header
   Authorization URL: https://accounts.zoho.com/oauth/v2/auth

9. Press the Save and Authorize button.

10. Verify that everything is working by running this query: api/v1/organizations from this data source using this endpoint. You should receive this output if everything went well.

After an hour and a half the token will expire and appsmith will not refresh it

Public Sample App

https://app.appsmith.com/app/cnv-y3rxhu4/page1-641a223433970d1990c88202

Environment

Production

Issue video log

https://www.loom.com/share/22988ee151e7486396caf325a15aa67e

Version

Appsmith v1.9.12-SNAPSHOT

Front conversations

[sanveer-osahan]

@felix-appsmith According to the Zoho API docs, you also need to pass access_type: offline as an additional authentication parameter to get the refresh_token. By default, the value is considered as online if not provided and hence no refresh_token is fetched in the authorize response. Please make sure to provide access_type: offline in Custom Authentication Parameters while creating the datasource.

Meanwhile, there is still an issue from our side for refreshing the token once expired. Working on the fix.

[felix-appsmith]

Hi, thank you very much for that observation! I added access_type: offline, but still the token expires and is not recovered.

[sanveer-osahan]

Hi @felix-appsmith, We are working on the fix. You may follow this PR - https://github.com/appsmithorg/appsmith/pull/22406

[felix-appsmith]

Thank you very much for the effort and your great work!

[sanveer-osahan]

@felix-appsmith We checked on our side, refresh token works with adding the following in Custom Authentication Params

• access_type=offline
• prompt=consent

Closing this for now. You may reopen this issue if this doesn't work for you and/or you have some additional info.

Attaching the configs used on our side for reference

[ghost]

@sanveer-osahan This is also happening with the token received from signing into Appsmith with Google. The token available with <<APPSMITH_USER_OAUTH2_ACCESS_TOKEN>> doesn't refresh after an hour. Should we open a separate issue for this?

[sanveer-osahan]

Hi @AS-Laguna, yes this is a different issue. Please open a separate one for this.

[felix-appsmith]

I opened the ticket. #23422