OAuth2 - back to basics (question)

I’m trying to understand a basic question I have with OAuth2 (PHP model), in this instance working with Azure.
To simplify the point I’m stuck at as much as possible, here is my workflow:

This works well on an initial call, I get the access token from the OAuth2 Provider and can move on to the API action.

However, when the access token expires and I re-run this workflow, expecting to get a new session with the refresh token kicking in, I get this error:
{"error":{"code":"InvalidAuthenticationToken","message":"Access token is empty.","innerError":{"date":"2022-04-13T13:51:33","request-id":"98e8de25-9b84-4a7e-b579-b53054e06e31","client-request-id":"98e8de25-9b84-4a7e-b579-b53054e06e31"}}}

My goal is to have the sessions handled by Wappler rather than storing each token per user, and I fail to find a way to make this work, and based on other examples, I can’t see what I’m doing wrong.

Any help will be tremendously appreciated.

For anyone that struggles with this, the following flow seems to work and may be of help with beginners - the flow stores tokens so one can swap between self-maintain and automatic sessions:

Hi there,
I hope you may be able to help, Nathaniel. I’m trying/struggling to authenticate OAuth2 for the Microsoft Graph API. I was just wondering what headers/params you have set for your API action and OAuth2 provider?
All I keep getting are “InvalidAuthenticationToken”, message: “CompactToken parsing failed with error code: 80049217”
Many thanks in advance

Hi Jon,

Here is how I’ve set up the OAuth action:

and the api call:

Maybe make sure you’re using the OAuth2 as authenticator and that you don’t add a Bearer header to the API step; you’d be duplicating headers if you did, I presume. I seem to remember that the check SSL was important too.

I hope this helps!

Thanks for the quick response (much appreciated), am testing now!
(I hope that’s not your actual client ID and secret; if it is, I’d delete/obscure it from the post.)
Many thanks again,

Both the client and secret id have obscured digits :wink:.

Didn’t see that :woman_facepalming:

If you don’t mind, what does your authorize step/flow look like?
Mine logs in through Microsoft fine, but I just keep getting either InvalidAuthenticationToken or empty when I run the api call.
I’ve tried rebuilding the app in Azure Active Directory and am running out of new things to try!
Thanks again for your time.


If you’re still stuck we can do a Zoom and compare the manifests on Azure, and see if there is something obvious missing.

Thanks, it may come to that, I’ll have a last attempt this evening and may take you up on your offer if you have some time available.
Many thanks

Hi, did you ever manage to get this working? I feel like I’ve been through every OAuth post and keep ending up with the same result when trying to get it working with the MS Graph API. If you had any success it would be good to understand how you got it working.

Many Thanks

Not yet, having the same issue! I’m making progress but my current issue is with the access_token handling in Wappler. I’m getting the correct responses from Microsoft Graph (if I output the authorize step and don’t redirect it you can see the correct responses). But the session variables for the tokens aren’t getting created/stored.
Where are you up to?
Between us I’m sure we can get there!
Cheers, Jon

The OAuth2 Authorize step creates 3 session variables, one of them called access token. The first thing to do is to check if this session exists, and if it doesn’t, then run that particular step in order to get an access and a refresh token. That’s effectively your login into the Graph API, in this case. If you want to handle the tokens manually, you can store them in a database, as well as the expiry time.
As long as you declare your OAuth2 provider, and then check for an active access_token session and run an authorize step if not, your API calls set to use your OAuth2 provider as authentication method should work pretty well.

Thanks, that’s my current stumbling block. It’s not creating/setting access_token, refresh_token or expiry_date session variables.
It’s creating a myOAuth2global_state session variable and it’s changing it every time I login with Microsoft but no others.
Managing them manually is the next step. Just can’t figure out why it’s not working under self maintain.

I’ve never heard of that global state session variable, Jon. Maybe @Teodor would have an idea? Are you using the latest version of Wappler?

Yes, latest version. I’ve tried this with multiple projects, and different app registrations on Azure AD.
I’m getting the token responses from Microsoft Graph (visible if I output the authorize step), but it’s not setting the session variables.
If I try and set my own session variable after the authorize step it doesn’t get created (regardless of name or value), but if I add it before it does work.
I’ll have to try and see if I can do a self managed database approach?
Thanks for your help

Do you use NodeJS or PHP?

The state session is for extra security; it is passed to the external login page and checked when redirected back. It should prevent logins that are not initialized from your website/app. The state session gets deleted again after the login has redirected back and it should then create the session for the access_token.

I’m on PHP.
Interesting! That makes me unsure where I’m failing!
I’m returning from Microsoft with tokens but the state variable isn’t getting deleted and token variables created.
I’ve tried turning on debug mode and not had any errors returned anywhere.
Any ideas what’s best to try next?
Thanks, Jon

After it redirects back from the login it should have the state in the query string and this should be exactly the same as the one in the session; if they don’t match it will ignore the login.
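
The state check described in the replies above, sketched in PHP as an added example; it is not Wappler's code and not part of the thread. The function names, session key names and the token-exchange stub are assumptions made for illustration.

```php
<?php
// Added illustration, not Wappler's implementation. All names here are hypothetical.

// Step 1: before redirecting to the provider, create and remember a one-time state.
function begin_login(array &$session): string
{
    $state = bin2hex(random_bytes(16));   // unpredictable per-login value
    $session['oauth2_state'] = $state;
    return $state;                        // sent to the provider as the state parameter
}

// Step 2: on the redirect back, compare the query-string state with the session copy.
// $exchange is an assumed callable that swaps the authorization code for tokens.
function finish_login(array &$session, array $query, callable $exchange): bool
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);      // single use (this sketch deletes it on mismatch too)
    $returned = $query['state'] ?? null;

    if (!is_string($expected) || !is_string($returned)
        || !hash_equals($expected, $returned)) {
        return false;                     // login was not started from this session: ignore it
    }
    if (!isset($query['code']) || !is_string($query['code'])) {
        return false;                     // no authorization code to exchange
    }

    // Only after the state matches are the token session variables created.
    $tokens = $exchange($query['code']);
    $session['access_token']  = $tokens['access_token'];
    $session['refresh_token'] = $tokens['refresh_token'] ?? null;
    $session['expires_at']    = time() + (int) ($tokens['expires_in'] ?? 0);
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION, a stub for the token endpoint.
$session = [];
$stub = fn(string $code): array =>
    ['access_token' => 'constructed-token', 'refresh_token' => 'constructed-refresh', 'expires_in' => 3600];

begin_login($session);
var_dump(finish_login($session, ['state' => 'forged', 'code' => 'abc'], $stub));
var_dump(isset($session['access_token']));   // mismatched state: no token session created

$state = begin_login($session);
var_dump(finish_login($session, ['state' => $state, 'code' => 'abc'], $stub));
var_dump(isset($session['oauth2_state']), isset($session['access_token']));
```

If the callback request arrives with a different session than the one that started the login, the stored state is absent and the check fails the same way as a forged value.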