Syndesis: Google API Oauth Renewal

Created on 1 Apr 2020  路  10Comments  路  Source: syndesisio/syndesis

This is a...


[x] Feature request
[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report  
[ ] Documentation issue or request

Description

Hey currently I see that the Google Sheet connection I created gets reset every day and I get this error:

401 Unauthorized 
{
   "code":401,
   "errors":[
      {
         "domain":"global",
         "location":"Authorization",
         "locationType":"header",
         "message":"Invalid Credentials",
         "reason":"authError"
      }
   ],
   "message":"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
   "status":"UNAUTHENTICATED"
}

After I click on Reconnect the connection is valid again and I am able to work with the Google Sheets API again. It seems that this Token is valid for roughly a day. My suggestion is to automatically renew it.

Second: If I click on Reconnect all of my Integrations are not valid anymore due to the changed cookie.

Example:
reconnect

Thank you.

picture SvenC56

Most helpful comment

I don't think we have anything actionable here to work on. Is everyone okay that we close this?

picture zregvart on 1 Apr 2020
👍2

All 10 comments

This is because the Google Sheets API provides the refresh token only once when the credentials are used for the first time. So most likely your credentials have been used before somewhere else and Syndesis is not provided with a refresh token.

Please make sure to have a fresh set of credentials in Google and let Syndesis use these. When this is done Google will provide a refresh token to Syndesis and we can use it to auto refresh the access tokens. It should then work as you expect it to be.

christophd picture christophd on 1 Apr 2020

Please let me know if that works for you

christophd picture christophd on 1 Apr 2020

@SvenC56 make sure you enable offline access in Google OAuth settings. Read the Important note here.

If you don't have the offline access enabled at this point, you'll most likely need to create a new OAuth client or a new project at Google, we had issues with just redefining or creating new OAuth clients, this is not very well documented at Google.

zregvart picture zregvart on 1 Apr 2020

Hey together,

I created a new OAuth client but I did not find any offline capability options. However I saw this:

When you view connection details in the {prodname} user interface, do not click the Validate button. Validation is a second use of the credentials and the refresh token is no longer part of the client credentials. You can, however, re-connect to Google applications.

@zregvart where can I enable offline access? In the Google Docs this is part of the authorization process. see: https://developers.google.com/identity/protocols/oauth2/web-server#offline

Is there somewhere a tick I can set? In the meanwhile this should work unless I click on validate, right? 馃檪

SvenC56 picture SvenC56 on 1 Apr 2020

@SvenC56 as far as I remember, the first OAuth client that requests token needs to specify the offline access, this is not visible or configurable from Google Developers console. If you used the same OAuth credentials for non-Syndesis clients before using them with Syndesis they might not have requested offline access, this then affects other clients using the same credentials - they will not be able to get offline access and token refresh will not work.

zregvart picture zregvart on 1 Apr 2020

@SvenC56 as far as I remember, the first OAuth client that requests token needs to specify the offline access, this is not visible or configurable from Google Developers console.

Ok so if I use a brand new OAuth client Syndesis will do it on it's own?

SvenC56 picture SvenC56 on 1 Apr 2020

Suggestion:
If the Validate Button breaks the auth workflow it may be disabled.

When you view connection details in the {prodname} user interface, do not click the Validate button. Validation is a second use of the credentials and the refresh token is no longer part of the client credentials. You can, however, re-connect to Google applications.

SvenC56 picture SvenC56 on 1 Apr 2020

I do not think the validate button will break the auth. As soon as the refresh token is available for Syndesis it should work.

christophd picture christophd on 1 Apr 2020

I don't think we have anything actionable here to work on. Is everyone okay that we close this?

zregvart picture zregvart on 1 Apr 2020
👍2

I created a new OAuth client which is hopefully working now. I guess this can be closed. 馃憤

SvenC56 picture SvenC56 on 1 Apr 2020
🚀1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

syndesis-bot picture syndesis-bot  路  6Comments
gaughan picture gaughan  路  5Comments
mcoker picture mcoker  路  4Comments
seanforyou23 picture seanforyou23  路  3Comments
gashcrumb picture gashcrumb  路  4Comments