My issue is how to configure a custom connector in Power Automate/Power Apps to do a refresh token call with Docusign to keep access tokens valid avoiding users to have to log in a couple of times during the day.
I have been able to make custom connectors for user authentication with Docusign (Oauth2) and sending envelopes for signature etc. So have a good working knowledge of Custom connectors and using these in Power Automate and Power Apps.
I have successfully configured Postman to POST a request to Docusign (Demo site) to refresh the access token (new access token and new refresh token). I am receiving the full json payload back from docusign as follows:
{
"access_token": "eyJ0eXAiOiJNVCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiNjgxODVmZjEtNGU1MS00Y2U5LWFmMWMtNjg5ODEyMjAzMzE3In0.AQoAAAABAAUABwAAMdMo6AjZSAgAAHH2NisJ2UgCAOid-3Oz8jJHsDvIUG5hRR8VAAEAAAAYAAEAAAAKAAAADQAkAAAAZjA5Y2U4NDQtM2U5Yy00NjEzLTkwNzctNGY5MmFhY2NjZTc4IgAkAAAAZjA5Y2U4NDQtM2U5Yy00NjEzLTkwNzctNGY5MmFhY2NjZTc4MAAACeRizwjZSDcAQQ4yjgnYb0mjVFoiOzvttQ.tJMn4eTF_3sJwUiCugaH-zv9pzu8GrOXOWq0bhvmhrF-WG3scES4KxTtDMd7hmuasap_S_YBAKH-CrFfzY55tJU7tS64TowkX8UJfBJRvdurUrFsJHz4kcIPFm-1XI48XSoJbNK0eb_-U5CG3WVySSZXP-998a0y0TYZtQERaFkJNv6qEsw3Iykl3sDHDFjG9BXK7OrlnK-fkT-wQHbu_IghgnNS_gMI_qXVCNyxE4EJdChfkkLUAjmKt2mNQYhLb7gV1XOwtHgrowyWRXAM1ViXrOuyo60yVatmfo6yKcO9A5Cd_qVSP3owIXAQthkb72nwRP8o6n2ClU2U8Dp-Gw",
"token_type": "Bearer",
"refresh_token": "eyJ0eXAiOiJNVCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiNjgxODVmZjEtNGU1MS00Y2U5LWFmMWMtNjg5ODEyMjAzMzE3In0.AQoAAAABAAgABwAAMdMo6AjZSAgAALE3IXsg2UgCAOid-3Oz8jJHsDvIUG5hRR8VAAEAAAAYAAEAAAAKAAAADQAkAAAAZjA5Y2U4NDQtM2U5Yy00NjEzLTkwNzctNGY5MmFhY2NjZTc4IgAkAAAAZjA5Y2U4NDQtM2U5Yy00NjEzLTkwNzctNGY5MmFhY2NjZTc4MAAACeRizwjZSDcAQQ4yjgnYb0mjVFoiOzvttQ.c0aUX8xcLBtDN256v4pnkirdeprnygZoRl0-zfpE7qxO3BkHpma5ik0uZS_T5KY6TW89vZOk9TDxT-I20Gh8kgeaK4N7xxmmh772qRPUQo16vc9i4RAsKJxDv4B0f_prH9TWr2j83bxSs_JhlHXnvMdV6vV4hZr5_z640MvLe6L74lNUS8nSLKrUDor0TFlCgzqRLp4GZrDMdgRpZFIfOmshgvgAeLR4oDhLqIPN7Z0FT385B9-KH6yeI9gCt4Ddu2CV2cKbgnnd02XOrNuv1M-IwYjzQ7XMlDsrdL4u5Y9TKnZW2Nia02Xt_IENyZ_TKtAO0ZNEXMg4kMEZqaKypQ",
"expires_in": 28800}
I understand that I can use the new refresh token in this payload in 8 hours to do another refresh etc.
I now want to create a Power Automate flow to run a custom connector that requests the same refresh token every 8 hours. I have done extensive research and not really see any options for this (and that Power Automate only supports Postman Collections V1 and not V2 so that is not helpful) so am having to work this out.
Specifically, as I am making a POST REST API call to Docusign, it is not a full Oauth2 call as I am using the refresh token (refresh token not expired). I noted in the Postman example, I had to force session authorization as the Base64 code for the Integration key concatenated with the secret key prefixed by the text "Basic" resulting in an Authorization string as follows:
Basic ZjA5Y2U4NBQtM2U5Yy00NjEzLTkwwzctNGY5MmFhY2Ninja4OmZjYmI3MzhjLTQ0ZWUtNDA3MS040dhiLTViNjEzNGFlMTc30A== (example only)
Using this in the header along with Content-Type, Accept and Scope set to 'extend' in the header and setting grant_type as refresh_token and refresh_token to the actual token value results in a correct response.
While Oauth2 involves full authentication using the integration key and secret key as well as the redirect URL, A refresh token does not need this.
To date, I have tried using the API Key approach to the custom connector and inserted the authorization string as listed above. It appears to accept the authorization string however, I receive an error message of "invalid_grant".
Looking at the request, it appears as follows:
{"Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyIsImtpZCI6Im5PbzNaRHJPRFhFSzFqS1doWHNsSFJfS1hFZyJ9.eyJhdWQiOiJodHRwczovL2FwaWh1Yi5henVyZS5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZDk1MjJmNi01NjZlLTQ1ZWMtYjFlNC01MjJmOTJiMDU0OTkvIiwiaWF0IjoxNjE5NTI4MTEwLCJuYmYiOjE2MTk1MjgxMTAsImV4cCI6MTYxOTUzMjAxMCwiYWNyIjoiMSIsImFpbyI6IkFVUUF1LzhUQUFBQWJld0ZsaGhET2grSkg3WlFpT1JXd0JoVkg0UXQwMDErWG9ldk45WXBVRHYrTXpIRDlrVUc3U1RqakRlcjl1Y0d2Y2Fvb2wvVURMcEVLakk1bE04bTZ3PT0iLCJhbXIiOlsicHdkIiwibWZhIl0sImFwcGlkIjoiNjIwNGMxZDEtNDcxMi00YzQ2LWE3ZDktM2VkNjNkOTkyNjgyIiwiYXBwaWRhY3IiOiIyIiwiZmFtaWx5X25hbWUiOiJCb3lsZSIsImdpdmVuX25hbWUiOiJSaWNraSIsImlwYWRkciI6IjUwLjgyLjE3Ni4xNjUiLCJuYW1lIjoiQm95bGUsIFJpY2tpIiwib2lkIjoiMGIwNTZiMTQtZGQwOS00ZDA2LTlmYmMtYmRkZTU0ZGZlNDExIiwib25wcmVtX3NpZCI6IlMtMS01LTIxLTM5Mzc2NjAxMDAtMjYyMDEwOTU1OS0yOTY1ODM5MjAxLTY1ODEzIiwicHVpZCI6IjEwMDMyMDAwNDBDMzZCNTYiLCJyaCI6IjAuQVNjQTlpS1ZYVzVXN0VXeDVGSXZrckJVbWRIQkJHSVNSMFpNcDlrLTFqMlpKb0luQUpJLiIsInNjcCI6InVzZXJfaW1wZXJzb25hdGlvbiIsInN1YiI6IlRhZzl5Y3RXLVlwY1NsMjU2bGFJS3EtU2RPYXhMSEpnMWtyVXhiSVhjNkUiLCJ0aWQiOiI1ZDk1MjJmNi01NjZlLTQ1ZWMtYjFlNC01MjJmOTJiMDU0OTkiLCJ1bmlxdWVfbmFtZSI6InJib3lsZUBjaGVuZWdhLmNvbSIsInVwbiI6InJib3lsZUBjaGVuZWdhLmNvbSIsInV0aSI6Ii1aUW1nMEZid2syT3gtQXRWVXNLQVEiLCJ2ZXIiOiIxLjAifQ.luRgs4pprJBM7YjB0W-nJJv-7E2zgxslxzwSR4TBsOLseTN5u7aQT5uadqwoXOKxPksgPIWWkgodsU5Cbfh_2wcM4-FaUa2pLmxLG7nemEbGnzbZ0eJLvRTyZCYDnbeOwAgreHNpNpeFWlOs6Jq79y7ibiyc3xMd2Uzaj0hbEli9mlF_z0MLRjZ5pke3uRlvecuyUz6TXxdCaVB_vbM9Ic7sYLny8cHh715J3SL0mprLmL3esaVaXY6qvq6SxIKQcU0vX9lMjZaK8jAAmJ2fpUrDMlgU8cP5hw1g3mIWvfiJoK8N7a42JxKCXE-WQK-bfmBzg-euH4JFOzv07w_ESw","Content-Type": "application/x-www-form-urlencoded","Accept":"application/json","Scope": "extended"}
The body of the request is as follows:
{ "grant_type": "refresh_token", "refresh_token": "eyJ0eXAiOiJNVCIsImFsZyI6IlJTMjU2Iiwia2lkIjoiNjgxODVmZjEtNGU1MS00Y2U5LWFmMWMtNjg5ODEyMjAzMzE3In0.AQoAAAABAAgABwAA26qofAnZSAgAAFsPoQ8h2UgCAOid-3Oz8jJHsDvIUG5hRR8VAAEAAAAYAAEAAAAKAAAADQAkAAAAZjA5Y2U4NDQtM2U5Yy00NjEzLTkwNzctNGY5MmFhY2NjZTc4IgAkAAAAZjA5Y2U4NDQtM2U5Yy00NjEzLTkwNzctNGY5MmFhY2NjZTc4MAAACeRizwjZSDcAQQ4yjgnYb0mjVFoiOzvttQ.zbQWTuYN7Jf_3O5n4zLfZ7ykkELBlLwhmUI9pHEPiAsZKJH-RsEQLS4Wb3wP9ni6s9ErbdNGkdc6O6pVTxi4SNkljP3YDEUezMPK4PakMgprZ9an_1c2gIh4lqfLa532djL3s143OPuhtsQITZzyvy3hXYC3dyYFyYljjFLD4p9dC5CprU8Db0Tjx1iBhwNt-lh3C85m92xh6mUyETNCqDF_RoV4jeIJdwDNq7eX_u1TXONchVCV8O66DZZRvI9Ig0PXza7Dm0_neaJ5N5-l0TXsbeAGWu8IqwTGjVWRWjxzsT6IgxcXTynPci9HoNhS7bU4BnlRnuqMbCqAopInjA" }
It appears that it is including the prior/expired access token in header of the request where this is not required to using the refresh token. I think my error is occurring as a result of the custom connector not configured correctly to make this call and including the Bearer access token.
Basic authentication does not work nor does it seem No authentication works as custom connector security configurations.
I am looking for guidance on how to correctly configure the custom connectors in Power Automate/Power Apps to use the authorization code with a refresh token with Docusign to get a new access token without having the user to log in once the access token has expired.
Thank you.
I ended up using the HTTP step in Power Automate to POST the refresh request and returned a body into Power Automate with the new access token and refresh token which I then save in a secure SP list. It is running on a schedule that keeps the tokens current for the application. I have found issues with Custom Connectors, in particular when a connector uses Oauth2, it will 'FAIL' a connection after the user tokens have expired and NOT prompt the user to sign in when using the custom connector again.