OAuth Refresh Token Best Practices

I’m about to embark on a project that requires multiple OAuth connections, integrating with various other services. I have this all working now, but each OAuth connection expires and the user has to re-login/accept permissions. So, I need to handle the token refresh and offline access issue. I have reviewed the existing forum posts but nothing is definitive. I’m looking for a guide, best practices or plug-ins that automate this for me. It seems like a common use case, so I would think a standard would be beneficial to many. I would obviously rather not have to code the entire token refresh process if I can help it, and was hoping someone had already tackled it so I could save a ton of time.


Did you use the native OAuth in the API Connector or create your own?
Bubble should handle the refresh token for you if you use it. I have several different OAuth2 integrations and users never need to re-login.


Yes, I used the API Connector plug-in, user-agent flow. I don’t see in the documentation that it handles the refresh token automatically. I have a service call on page load that uses a GET to pull a data set to display. When I am previewing the site/testing, it doesn’t pull the data. I am required to do a social login/sign-up step first, then it will display the data. And when I do that social login/sign-up step, it goes through the permissions validation all over again.

If the plug-in is handling the refresh process, should I just need to make the GET data call without having to do the social login/sign-up process? I have this same issue with Google, Microsoft Graph and Zoom.

Are there calls I’m missing in the plug-in?


Exactly. You should just do the GET call, and the current user’s refresh token will be used or refreshed automatically by Bubble.
Can you give a screenshot of your settings and process?

But there are some exceptions (APIs that don’t follow the normal OAuth2 process) that may cause issues. In that case, you need to handle the refresh token manually. This seems to be the case with Zoom.

Really appreciate your help! Here is the API Connector setup.

I just have a calendar object for now with Google. For Zoom I’m using a repeating group and setting the source to the GET data from the external API.

Here is what I’m seeing. If I log in fresh, I see no data. I have a button which does a social login step for each respectively (Google and Zoom separately). Once I do this, I can see the data (the GET call works). But if I just use the GET call without doing the social login, no data comes through, but also no error message.

Also, each time I use the social login step, the user has to log in and accept permissions. Now, if I log in and do the social login and stay on the page, the data will stay each time I do a new GET, even when I log out and log back in. But it seems when the token expires (after some time period passes) the data no longer comes in the GET and I have to do the social login step again.

Does it matter if I’m still in preview mode? I’ve tried without debug and get the same thing.

Do your users authenticate first with Bubble and then give access to Google, or do you use Google to authenticate/log in to the app too?

Yes. In my test cases, I have a Bubble user account. Once logged in, I have a button to “configure Google OAuth”, which does the social login process. I didn’t think I needed to call that; just once the Bubble user is logged in, make the GET call for the data. But that doesn’t seem to work. I have to click “configure Google OAuth” each time after logging in the Bubble user, then make the GET call to make the data show.

I am wondering if the debug or testing link causes this?

Yes, it’s possible. Did you try without?
Don’t forget that when you set up the call in the API Connector, Bubble asks you to use debug mode to be able to initialize the call.

@kevdevone Bubble does handle the refresh process for you, but you may be running into an issue I, and others, have encountered that requires you to build the authentication process yourself so you have access to the token when using API workflows to retrieve info from the 3rd-party API.


I also think that using multiple logins can create this kind of issue.

Thank you @Kfawcett. I did see this post in my research. It is basically similar to what I’m trying to do. I was hoping someone would have created a sample and explanation of best practices around handling the token securely. Actually, I was hoping there was an easier way than rebuilding that entire process. I wanted to be sure before I jumped into it. Did you get your process working with OAuth and offline use of the accounts? Any tips would be appreciated.

@Jici Not sure what you mean by multiple login?

Using different social network accounts at the same time.

Thanks @jici. I’m not sure how I would get around that. I am connecting to MS Graph calendar, Google Calendar and Zoom, all through OAuth. I am not creating separate Bubble accounts, but rather using the built-in account connection that it does behind the scenes.

I can’t seem to figure out why I have to social login and accept permissions each time. Bubble, I’d love to see a best practice/guide on this, as it seems a pretty common use case for many. Any further tips would be greatly appreciated!

Yes, I built one process for Google and one for Microsoft. It’s not too complicated once you figure out the steps. Unfortunately I don’t have time to create a write up of those steps.

Be careful going too far down the path with Google unless you are sure you will not require any of their restricted scopes.

Thanks @kfawcett. Couple quick questions that would be huge:

  1. So for both Google and Microsoft you rebuilt the entire OAuth process, storing the token and manually doing the refreshes?
  2. If yes to the above, how did you end up storing the token and securing it?
  3. How did you work out the schedule for refreshing the token? Did you have processes that needed to run while the user was not logged in?

appreciate it very much!!!

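For readers who end up on the manual path (the exception case mentioned earlier for providers like Zoom, and the three questions just above about storing, securing and scheduling the refresh), here is an added example of the refresh-token exchange from RFC 6749 section 6. It is not Bubble’s code nor any plug-in’s, and the token endpoint is a constructed in-process stand-in so the file runs offline; a real client would POST the body from `build_refresh_request()` to the provider’s token URL over TLS. The names `ensure_fresh`, `refresh_due`, `TokenSet` and `FakeTokenEndpoint` are assumptions of this example. It refreshes ahead of expiry, persists a rotated refresh token immediately, keeps the existing refresh token for providers that do not rotate, and maps `invalid_grant` to a “user must consent again” signal, which is exactly the state the thread describes as “having to social login again”.

```python
"""Manual OAuth 2.0 refresh-token handling (RFC 6749 section 6).

Added example, not Bubble's or a plug-in's code. The provider token
endpoint is simulated in-process (assumption) so this runs offline.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

REFRESH_SKEW = 300  # seconds before expiry at which we refresh proactively


class ReauthorizationRequired(Exception):
    """The refresh token was revoked or expired: the user must consent again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time, computed from the response's expires_in

    def needs_refresh(self, now):
        return now >= self.expires_at - REFRESH_SKEW


def build_refresh_request(refresh_token, client_id, client_secret):
    """Form body for POST <token endpoint> per RFC 6749 section 6.
    The client secret belongs on the server only; never ship it to a browser."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def apply_token_response(old, resp, now):
    """Turn a token-endpoint JSON response into a new TokenSet.
    Providers that rotate refresh tokens return a new one; otherwise keep the old."""
    if "error" in resp:
        if resp["error"] == "invalid_grant":
            raise ReauthorizationRequired(resp.get("error_description", ""))
        raise RuntimeError("token endpoint error: %s" % resp["error"])
    return TokenSet(
        access_token=resp["access_token"],
        refresh_token=resp.get("refresh_token", old.refresh_token),
        expires_at=now + int(resp["expires_in"]),
    )


class FakeTokenEndpoint:
    """Constructed stand-in for a provider's token endpoint (not a real API)."""

    def __init__(self, client_id, client_secret, rotate):
        self.client_id, self.client_secret, self.rotate = client_id, client_secret, rotate
        self.valid_refresh = set()

    def grant(self):
        """Simulate the initial authorization-code exchange: mint a refresh token."""
        rt = secrets.token_urlsafe(32)
        self.valid_refresh.add(rt)
        return rt

    def post(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            return {"error": "invalid_client"}
        rt = form.get("refresh_token")
        if rt not in self.valid_refresh:
            return {"error": "invalid_grant", "error_description": "Token has been expired or revoked."}
        resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}
        if self.rotate:  # one-time-use refresh tokens: the old one is dead after this call
            self.valid_refresh.discard(rt)
            resp["refresh_token"] = self.grant()
        return resp


def ensure_fresh(store, user_id, endpoint, client_id, client_secret, now):
    """Return a usable TokenSet for user_id, refreshing server-side if it is due.
    `store` is a server-side mapping {user_id: TokenSet}; tokens never reach the client."""
    tokens = store[user_id]
    if not tokens.needs_refresh(now):
        return tokens
    body = build_refresh_request(tokens.refresh_token, client_id, client_secret)
    tokens = apply_token_response(tokens, endpoint.post(body), now)
    store[user_id] = tokens  # persist a rotated refresh token before anything else runs
    return tokens


def refresh_due(store, endpoint, client_id, client_secret, now):
    """Scheduled job for offline access: refresh every user whose token is due,
    whether or not they are logged in. Returns the user ids that must re-consent."""
    needs_reauth = []
    for user_id in list(store):
        try:
            ensure_fresh(store, user_id, endpoint, client_id, client_secret, now)
        except ReauthorizationRequired:
            needs_reauth.append(user_id)
    return needs_reauth
```

The two pieces a scheduled workflow needs are `needs_refresh` (refresh before expiry, not after the first failing GET) and the `invalid_grant` branch: when a provider rotates refresh tokens and the rotated one was not persisted, or the user revoked access, the only recovery is sending that user back through consent, so the job should flag the user rather than retry forever.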

Hi!
Just to let you know that I have tested a few things with the Google API and actually it is working fine. It seems that if you choose to activate offline access, this may not work. Not sure if this is an issue (you could send a support ticket, maybe?).
Here are the actual settings that I use, and I didn’t need to re-login.

Currently testing with all three. After more than 4 hours, I didn’t get logged out of any of them. I will tell you tomorrow if I’m still logged in.

@jici, just checking in to see how your tests followed up? In the dev environment, it seems to still require me to sign in to Office 365, Google and Zoom after some period. I’m still using the API Connector.