How to handle refresh token in Outsystems ?
Question
Application Type
Mobile

Hi,

I have an application in which I am consuming REST apis for all the purposes. There is jwt token based authentication enabled in those REST apis and I need a way to be able to handle refresh token. 

So, basically for all the consumed REST apis, we need a common place where we can add a common logic to check for 401 status code and then call the refresh token API to get the new access token and retry the API (the one which failed with 401) with new access token.

Also, we should be able to replace the jwt access token (stored in local-storage) with the new access token received.


How can we acheive this in Outsystems ? Please let me know if we have any way to solve this.


Thanks


mvp_badge
MVP
Solution

I don't think you can. The On Before Request is called before the request is called, so at that point you don't know whether the call will fail because of an expired token.

Also, using the On After Response won't help, as you can't retry the call from there.

Hello Sanjay,


Easiest way is to create a database entity where you keep the latest token and its expiration date. Whenever you are calling the APIs you can check the token from database if it's valid and if not you just fetch a new one and update your record in the database. That means that subsequent calls will use this valid token.


Regards,
Bogdan

Hi Bogdan,

Thanks for your response.

Your solution looks good but I still feel we will have to go to each API and add that logic.

Is it possible to have something like an error interceptor for all API calls where we can add this logic at a single place without making changes in each API flow ?


Hi Sanjay, you can do that in the OnBeforeRequest action of the API - it will be once per API, not per each method. Also, you should mark Bogdan's answer as solution as indeed, that is the solution :) 


mvp_badge
MVP
Solution

I don't think you can. The On Before Request is called before the request is called, so at that point you don't know whether the call will fail because of an expired token.

Also, using the On After Response won't help, as you can't retry the call from there.

mvp_badge
MVP

Hi Sanjay,

Unfortunately, as far as I'm aware, the OutSystems Platform does not provide any way of doing that in a generic fashion. You will need to add the logic in every wrapper action for each REST method.

Also, you may need to add some logic in the On After Response, to catch the 401 (and make it a 200) to prevent a generic exception being raised instead of you being able to check the result programmatically.

Hi Kilian,


If you save in the same table where you save your access token and refresh token the timestamps when these expire (which are received in the auth in UTC), you can easily check in OnBeforeRequest if timestamp > CurrDateTime().

Don't you agree?

mvp_badge
MVP

Well yes, but a) you may not know what the expiration time is and b) there's no way to get a new token in the OnBeforeRequest. So you know it's going to fail, but there's nothing you can do about it...

For point a:

In most of the cases you get the expiration time (in all of the cases I've yet seen actually). Below we can see for example a standard call for /oauth2/token.

Also, these tokens have pretty standard values and the service provider can share this info with you. Most of the time, default value of the refresh token is 30 days, while access token and id tokens are 60 minutes. If these values are modified by the service provider, they can share this info with you directly, but it's also shared in the response of the APIs most of the time.


For point b:

Knowing already if the token is valid, you could easily request a new one with an additional refresh call in the OnBeforeRequest of any API. Something like this:

The wrapper simply calls for an update to the access token (same call at /oauth2/token with grant type - refresh_token) and updates the value of the token in the database (we call our table Session in this case)


mvp_badge
MVP

I may be wrong, but I don't think you can call a REST method inside the On Before Request of a REST service.

You are right.

I was investigating this topic today for integration with AWS Cognito but just managed to do an end to end test and indeed I get a 405 (method not allowed) if I try to call a REST service in OnBeforeRequest.

In this case, in my opinion it's a matter of creating a function that's checking the validity of the token from your table (as you store the expiry time) and refreshing the token + updating the values in the table afterwards. Afterwards, this function will be the first call in all the wrappers of each method used.

Thanks for your input, Kilian!

mvp_badge
MVP

Yeah, you could check first, then refresh if needed, or just call and if you get an expired warning handle that. But in both cases, there's no easy way to do it for all methods of a REST service, you need to handle it for every REST method (inside a wrapper).

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.