Using a third-party OAuth access token - expired secret



Posted Nov 29, 2023

Hello!
I am implementing a Support App with ZAF and React and I am using a third-party OAuth access token to make calls to an external API, as described here, by adding an oauth object in manifest.json.

The problem that I am facing is that the SECRET generated by the third-party service expires and so the token can't be refreshed and my authentication is lost.

Updating the SECRET value in the manifest file forces me to re-publish the app in the Zendesk Marketplace. How could I avoid that? Could I maybe set the secret at installation and not directly in the manifest file?

Thank you!


0

6 comments

Greg Katechis

Zendesk Developer Advocacy

Hi Oana! That is a new one for me, which must mean that I'm getting behind the times on security protocols. Automatically refreshing the client_secret seems like it's going to cause problems everywhere, so I googled it to try to find some information and I can't find any details. Would you mind sharing the documentation for the OAuth provider you're using so that I can dig into this for you?

0


Hello Greg!

The provider is Azure Active Directory B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow

Thanks for looking into this!

0


Greg Katechis

Zendesk Developer Advocacy

Thanks for providing that! I took a look at those docs and the refresh aspect was actually for the token, not for the secret, which is expected and totally functional with Azure. In the docs you shared, you'll see that we can automatically refresh the token if the access token response contains an `expires_in` and `refresh_token` value. When I looked through the docs from Azure that you sent, the payload response does include both of those values, so you should be in good shape!

If I missed something in the Azure docs about the client_secret refreshing, please let me know.

0


Hello Greg Katechis

I'm also facing the same issue. I am making an OAuth authentication with Zoho. The response from the authentication request has the expires_in and refresh_token values. You can find this here

0


Hey Greg!

As you can see in the attached image from the documentation, it says the client secret should be changed on a periodic basis. And from the portal the expiration date must be set in order to generate a secret (it's a mandatory field with a max allowed period of 2 years). And the client secret seems to be mandatory in Zendesk in order to generate an access and a refresh token.

0


Hello @Greg Katechis,

Do we have some updates on where we can keep the ‘client_secret’ outside of manifest.json such that we can change it whenever it expires or at a certain time, without actually having to re-publish the app?

Thank you!

0

