How does Bubble handle the token verification/refresh process?

This is a continuation of my previous problem:

The authentication response is now in the correct format and initially was being accepted but now it seems like the issue might be in the checking of the token and expiry date. Is there a way to be able to see deeper into that connection process to be able to determine where the issue might be?

To add on to this, how does Bubble know what endpoint to refresh the token at? Does it just use the same endpoint given to get the initial token?

Custom oauth2 doesn’t need to refresh token. Bubble will get a new token on each call. It’s normally used for client_credentials that, in most case, doesn’t use the refresh token.

Hmmm… interesting. The behavior I’m experiencing is that it works for awhile and then I start getting invalid token as a response after a few minutes. If it is getting a new token each time, I wouldn’t expect that to happen. I’ll likely just have to set up my own system to handle it at this point.

This is strange. Do you have the payload returned by API?

This is the format of the response when authentication is successful

{
  "access_token": "eyJhbG...",
  "token_type": "Bearer",
  "refresh_token": "a057872...",
  "expires_in": 1682029561
}

Can you share the settings of API custom oauth2 in API Connector?

So it worked to initialize a simple GET endpoint, which I was using on a page, but then it started to get a 400 with an “invalid token” response from the server

I’ve made some test, and I think that Bubble will also refresh token if needed. Is the endpoint for refresh token is the same to get token? This is normally the good way to work. The grant_type received by this endpoint should be refresh_token.

Yeah I think this is the reason it’s not working properly. The endpoint for refreshing the token is /refresh_token whereas the initial token endpoint is /session_tokens. I will just set up a manual handler for this then. Seems like it’s not going to be straightforward to let Bubble handle it

Exactly. The problem is from the API Provider that doesn’t follow oAuth guideline.
You will need to handle this manually

That is unfortunate, I may bring this up with them again but I’ll likely just handle it myself I guess.

1 Like

One thing I’m not sure I understand is that why is bubble trying to refresh the token long before it needs to? The expiration timestamp seems to suggest the token is good for a day.

Good question. I don’t have any answer for that sorry!