Microsoft PowerApps OAuth 2.0 Code Grant Flow Issues

We were able to set up a custom connector on the Microsoft Power Platform that utilizes the OAuth 2.0 flow to authenticate with Foundry as a third party app. It works great for connecting to Foundry Ontology object types and action types. The trouble, unfortunately, is that our authorization token is expiring after an hour, and we have to manually re-authorize the application.

It seems that there should be automatic handling of the refresh token when the access token expires. Other connections we have created using this same authentication method do not require us to re-authorize, as the refresh is handled by the backend APIM service.

Is there a scope or configuration setting somewhere on either side I am missing that would make this work properly? It's great in testing, but in production this hour timeout would make it less than useful to our business end users.

Did you request scope offline_access in the authorization code grant? Only then is a refresh token returned.

Edit: We do have a similar issue in Tableau, where Tableau is not able to refresh the Foundry token in the backend. This is due to the Foundry Multipass Team interpreting the OAuth2 spec more strictly than other providers - once a new refresh_token is provided, the old refresh_token will be invalidated more or less immediately.

I can imagine that PowerAutomate can also not work with that strict interpretation…

Thanks for the response, it was indeed the lack of the offline_access scope that prevented our refresh from working as expected. We noticed this in the docs, but implemented it incorrectly, upon more careful inspection.

Testing this morning, the refresh is working properly with PowerApps.

2 Likes
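The two behaviours discussed in this thread, as an added example that is not part of any post and is not Foundry or Power Platform code: a refresh token is only issued when `offline_access` is requested, and under strict rotation the old refresh token stops working once a new one is issued. `RotatingAuthServer`, `TokenStore` and the scope `api:read` are hypothetical names, and the server is a constructed in-memory stand-in.

```python
import secrets
import time

class RotatingAuthServer:
    """Constructed in-memory stand-in for a token endpoint with strict rotation."""
    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self.live = {}  # refresh_token -> granted scopes

    def _issue(self, scopes):
        resp = {"access_token": secrets.token_urlsafe(16),
                "expires_in": self.access_ttl}
        if "offline_access" in scopes:  # without this scope no refresh token is issued
            resp["refresh_token"] = secrets.token_urlsafe(16)
            self.live[resp["refresh_token"]] = scopes
        return resp

    def code_grant(self, scope):
        return self._issue(set(scope.split()))

    def refresh_grant(self, refresh_token):
        scopes = self.live.pop(refresh_token, None)  # old token is invalidated on use
        if scopes is None:
            return {"error": "invalid_grant"}
        return self._issue(scopes)

class TokenStore:
    """Client side: refreshes before expiry and always keeps the newest refresh token."""
    def __init__(self, server, scope, now=time.time):
        self.server, self.now, self.refresh = server, now, None
        self._save(server.code_grant(scope))

    def _save(self, resp):
        self.access = resp["access_token"]
        self.expires_at = self.now() + resp["expires_in"]
        # Under rotation the previous refresh token is dead, so replace it at once.
        self.refresh = resp.get("refresh_token", self.refresh)

    def get_access_token(self, skew=60):
        if self.now() < self.expires_at - skew:
            return self.access
        if self.refresh is None:
            raise PermissionError("no refresh token stored; user must re-authorize")
        resp = self.server.refresh_grant(self.refresh)
        if "error" in resp:
            raise PermissionError(resp["error"])
        self._save(resp)
        return self.access
```

A client that caches the first refresh token and reuses it after a successful refresh gets `invalid_grant` from this server, which is the failure mode described for backends that do not persist the rotated token.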