Skip to main content

I’m experiencing an issue with the OAuth Refresh Token connector. It does not seem to function well in Universal or as a scheduled system flow.

When changing the system flow and adding a table task to manually trigger the flow in the Windows GUI I successfully get a new access token with the current refresh token.

But when I manually trigger the flow from the Universal GUI, or let the system flow run automatically (after changing it back to a system flow by removing the table task) in the background it fails. It seems like it can’t find the client_id, even though the OAuth Server seems to be configured correctly (It works in the Windows GUI after all).

This is the errors I get in the Universal Indicium log:

2025-01-29T13:29:44.2598716+01:00 8000e24f-0000-e700-b63f-84710c7967bb 9ERR] Process action "oauth_refresh_token_connector_HMRC" in process flow "pf_hmrc_get_outcomes" in application 800 returned the following message: "invalid_request
client_id is required" (ec7db0a5)

2025-01-29T13:29:44.2599700+01:00 8000e24f-0000-e700-b63f-84710c7967bb 9ERR] Process action "oauth_refresh_token_connector_HMRC" in process flow "pf_hmrc_get_outcomes" in application 800 returned the following message: "Bad Request" (ec7db0a5)

 

My OAuth Server configuration in the SF (I have the same config for both the DEV and TEST branches):

 

My OAuth Server configuration in IAM:

 

I first thought it was because of firewalls blocking the calls on the web/indicium server. But I successfully made the calls manually through Postman on this server. The error mentioned above also suggest to me that it is not about a firewall.

I also tried changing the ‘Send client credentials’ setting to ‘As Basic Auth header’. But no luck.

For what it’s worth, we are on 2024.1.

Anybody any suggestions what it might be? What I’m doing wrong? Any input would be much appreciated.

Thanks in advance!

As a workaround, I replaced the OAuth refresh token connector with a normal http connector and collected the necessary variables myself using a decision.

Hi S Koning,

It looks like the “Send client credentials” setting is not working in Indicium when configured on the OAuth server. It does work when configured for OpenID providers in IAM.

I will add a story on our backlog to make sure this will get fixed on our end.

Probably, the reason it is working on Windows, is due to the Windows GUI using an older version of the library that we use to implement the OAuth specification. The older version used the “Request body” style.
Indicium uses a newer version of the library that follows the RFC more closely, and uses the “Header” style.

According to the RFC, the “header” style is the better way to authenticate when using OAuth servers and the “Request body” authentication option is not recommended. Of course, when the OAuth server only implements the latter, it should still be possible to connect to it. (It seems the OAuth server of the tax-service falls into this category). 

Anyway, we will get this sorted out and make sure Indicium supports both modes correctly and uses the one that is configured in the model!

Reply


Terms & ConditionsCookie settings