Using a third-party OAuth access token - expired secret | Community
Skip to main content

Using a third-party OAuth access token - expired secret

  • November 29, 2023
  • 6 replies
  • 0 views
O

Hello!
I am implementing a Support App with ZAF and React and I am using a third-party OAuth access token to make calls to an external API, as described here, by adding an oauth object in manifest.json.

The problem that I am facing is that the SECRET generated by the third-party service expires and so the token can't be refreshed and my authentication is lost.

Updating the SECRET value in the manifest file forces me to re-publishing the app in the Zendesk Marketplace. How could I avoid that? Could I maybe set the secret at installation and not directly in the manifest file?

Thank you!

    6 replies

    Greg29
    • Greg29
    • November 29, 2023

    Hi Oana! That is a new one for me, which must mean that I'm getting behind the times on security protocols. Automatically refreshing the client_secret seems like it's going to cause problems everywhere, so I googled it to try to find some information and I can't find any details. Would you mind sharing the documentation for the OAuth provider you're using so that I can dig into this for you?

    O
    • Oana11
    • Author
    • December 18, 2023

    Hello Greg!

    The provider is Azure Active Directory B2C: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow

    Thanks for looking into this!

    Greg29
    • Greg29
    • December 26, 2023

    Thanks for providing that! I took a look at those docs and the refresh aspect was actually for the token, not for the secret, which is expected and totally functional with Azure. In the docs you shared, you'll see that we can automatically refresh the token if the access token response contains an `expires_in` and `refresh_token` value. When I looked through the docs from Azure that you sent, the payload response does include both of those values, so you should be in good shape!

    If I missed something in the Azure docs about the client_secret refreshing, please let me know.

    Kithiyon
    • Kithiyon
    • January 2, 2024

    Hello @greg29

    I'm also facing the same issue. I am making an OAuth authentication with Zoho. The response from the authentication request has the expires_in and refresh_token values. You can find this here

    O
    • Oana11
    • Author
    • January 3, 2024

    Hey Greg!

    As you can see in the attached image from the documentation, it says the client secret should be changed on a periodic basis. And from the portal the expiration date must be set in order to generate a secret(it's a mandatory field with a max allowed period of 2 years). And the client secret seems to be mandatory in Zendesk in order to generate an access and a refresh token. 

    D
    • Darian12
    • November 27, 2024

    Hello @Greg Katechis, 
     

    Do we have some updates on where we can keep the ‘client_secret’ outside of manifest.json such that we can change it whenever it expires or at a certain time, without actually having to re-publish the app ?

    Thank you!

    Terms & ConditionsCookie settingsAccessibility statement