Using a third-party OAuth access token - expired secret
Posted Nov 29, 2023
Hello!
I am implementing a Support App with ZAF and React and I am using a third-party OAuth access token to make calls to an external API, as described here, by adding an oauth object in manifest.json.
The problem that I am facing is that the SECRET generated by the third-party service expires and so the token can't be refreshed and my authentication is lost.
Updating the SECRET value in the manifest file forces me to re-publish the app in the Zendesk Marketplace. How could I avoid that? Could I maybe set the secret at installation and not directly in the manifest file?
Thank you!
0
6 comments
Greg Katechis
Hi Oana! That is a new one for me, which must mean that I'm getting behind the times on security protocols. Automatically refreshing the client_secret seems like it's going to cause problems everywhere, so I googled it to try to find some information and I can't find any details. Would you mind sharing the documentation for the OAuth provider you're using so that I can dig into this for you?
0
Oana Veronica Pop
Hello Greg!
The provider is Azure Active Directory B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow
Thanks for looking into this!
0
Greg Katechis
Thanks for providing that! I took a look at those docs and the refresh aspect was actually for the token, not for the secret, which is expected and totally functional with Azure. In the docs you shared, you'll see that we can automatically refresh the token if the access token response contains an `expires_in` and `refresh_token` value. When I looked through the docs from Azure that you sent, the payload response does include both of those values, so you should be in good shape!
If I missed something in the Azure docs about the client_secret refreshing, please let me know.
0
Kithiyon A
Hello Greg Katechis
I'm also facing the same issue. I am making an OAuth authentication with Zoho. The response from the authentication request has the `expires_in` and `refresh_token` values. You can find this here
0
Oana Veronica Pop
Hey Greg!
As you can see in the attached image from the documentation, it says the client secret should be changed on a periodic basis. And from the portal the expiration date must be set in order to generate a secret (it's a mandatory field with a max allowed period of 2 years). And the client secret seems to be mandatory in Zendesk in order to generate an access and a refresh token.
0
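The thread turns on two different expirations: the access token, which is renewed with the `refresh_token`, and the `client_secret`, which the client must present when it refreshes. The following is an added example, not part of the original posts and not Zendesk's or any provider's code; it separates the two cases using the standard error codes from RFC 6749 section 5.2. The function names and sample responses are hypothetical, and a given provider may add its own error details.

```javascript
// Added example: tell "token expired" apart from "client secret expired"
// using OAuth 2.0 token-endpoint responses (RFC 6749, sections 5.1, 5.2, 6).
// Function names are hypothetical; sample values are constructed.

// Body of a refresh request. A confidential client authenticates here,
// which is why an expired client_secret makes every refresh fail.
function buildRefreshBody({ clientId, clientSecret, refreshToken }) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
  }).toString();
}

// Classify a token-endpoint response (HTTP status + parsed JSON body).
function classifyTokenResponse(status, body) {
  if (status === 200 && body.access_token) {
    // Automatic refresh needs both values the thread mentions.
    // expires_in may arrive as a number or a numeric string.
    const refreshable =
      Number(body.expires_in) > 0 && Boolean(body.refresh_token);
    return { ok: true, refreshable, action: refreshable ? "none" : "reauthorize-on-expiry" };
  }
  switch (body.error) {
    case "invalid_client": // client authentication failed, e.g. expired secret
      return { ok: false, refreshable: false, action: "rotate-client-secret" };
    case "invalid_grant": // refresh token expired, revoked or already used
      return { ok: false, refreshable: false, action: "reauthorize-user" };
    default:
      return { ok: false, refreshable: false, action: "investigate" };
  }
}

// Constructed sample responses.
const samples = [
  [200, { access_token: "at-1", expires_in: "3600", refresh_token: "rt-1" }],
  [200, { access_token: "at-2", expires_in: 3600 }],
  [401, { error: "invalid_client" }],
  [400, { error: "invalid_grant" }],
];
for (const [status, body] of samples) {
  console.log(status, body.error || "success", classifyTokenResponse(status, body).action);
}
```

Alerting on `invalid_client` from the refresh path, and tracking the secret's expiry date ahead of time, separates a secret-rotation problem from ordinary token expiry.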
Darian Soporan
Hello @Greg Katechis,
Do we have some updates on where we can keep the ‘client_secret’ outside of manifest.json such that we can change it whenever it expires or at a certain time, without actually having to re-publish the app?
Thank you!
0