Hi all,
We have a connected system with OAuth 2.0 Client Credential Grant. From the connected system we can Authorize with no error. Now, the token we get is valid for 24 hours. The problem is, after 24 hours, the integration calls fail with Authorization error. And when I go to Connected System and click on Authorize and run the integration again, it works perfectly. Does anyone know why this may be happening? I checked and the security of the integration and connected system is set properly.
Thanks!
Discussion posts and replies are publicly visible
This was a while back - have you been able to find a solution?
Seeing a similar thing in one of the integrations - if I were to guess - when we call the resource server, then Appian expects a 401/403 response from the integration call, but most likely the resource server API returns another code, e.g. 200 (success) code with an HTML page trying to redirect to authorize. The issue with this would be that this does not prompt Appian to retrieve a new Bearer access token from the Authorization server
RFC 6749 https://www.rfc-editor.org/rfc/rfc6749.txt section 1.5 covers Refreshing an Expired Access Token
Just curious - what system are you connecting to?
No. For now, what I did is to create a process model which fetches the token every few hours and save it on the constant. I raised an enhancement request as well with Appian.
We have internal OData API servers which uses OAuth authentication!
I think a server returning a 200 code in case it cannot authenticate the user is just wrong and violates the HTTP protocol. I mean, we are talking about APIs here. How is the chance that a user is hitting the API endpoint with a browser?
Stefan,
I agree - thank you for confirming my assumptions here, since my oAuth knowledge is limited, but I did read the spec and it does seem that we should retrieve 401/403 error back from the API, which would prompt Appian to auto-renew the JWT (authorization bearer) token
This is for a new integration with SAP...
By any chance, do they try to do SAML on their end? SAML is meant to work between browser and web server and uses javascript to do browser redirection.
Hi Stefan,
Have you built a Connected system from scratch. I am trying to build one using client credentials ( OAuth2 flows) to retrieve the token. I was able to authorize successfully by passing client credentials, secret, etc . Now, I need to use this connected system to make subsequent API calls. The token needs to be sent as bearer token in the header. I am not sure how do I pass the token value. In fact I don;t even know where is Appian storing it. The documentations on Appian connected systems doesn't specific anything on this
Appian should do that automatically. This is why you define authentication in a separate object. The integration just uses that config.
docs.appian.com/.../oauth_client_credentials.html
Just use the connected system in the integration call and Appian will automatically take care of the Authorization Bearer token for you during the integration call!
I will share some screenshots . In my case the authorization is successful . when I am using it in an integration its throwing Unauthorized error 401. I have separately tested it by manually passing the bearer token. If the token is missing it gets 401 and if the token si wrong it gets 403 error . what's the best way to troubleshoot
You are talking to sharepoint. I think there where some discussions lately about an extra configuration step on sharepoint side. Did you find/try that?
Its Sharepoint. Yes. I am not using the existing connected systems as the APIs available with the existing Connected System is bit different. I can certainly search for the Sharepoint Connected System. eventually I want to try integration with outlook Calendar as well. All of them follow Microsoft Auth Flow.