
The connection JSON which I am using for Azure AD integration: the access token is expiring

kumarv
New Contributor III

The connection JSON which I am using for Azure AD integration: the access token is expiring very frequently.

The connection is taken from the Azure AD integration guide only.

The access token is working for one day, and the next day when I perform the group management, the create Group, update Group... are not working, failing with 401 authorization errors.

I have attached the connection JSON for reference.

Attached logs for reference.

[This message has been edited by moderator to merge reply comment]

2 REPLIES

Falcon
Saviynt Employee

Disclaimer - This is an AI-generated response and feedback will be used to fine-tune it.

The issue you're encountering with the Azure AD integration and the access token expiring frequently is tied to the nature of OAuth2 client credentials flow, which your ConnectionJSON indicates you are using. This flow is intended for server-to-server communication without user interaction, and tokens obtained through this method typically have a fixed, relatively short lifespan.

Understanding the Token Expiry

In Azure AD, the default expiration time for tokens obtained via the client credentials flow is usually 1 hour, although it can be configured up to 24 hours. If your operations span across days, you will indeed encounter expired tokens, necessitating a new token request.

Automatically Handling Token Refresh

Your ConnectionJSON seems to be set up correctly for initially obtaining an access token. However, ensuring seamless operation over multiple days requires implementing a mechanism to automatically refresh the token once expired. While your JSON configuration specifies retryFailureStatusCode to retry on a 401 Unauthorized error, this alone does not automatically refresh the token.

Suggested Adjustments

  1. Automatic Token Refresh: Ensure your integration logic (outside of this JSON configuration) detects when a 401 status code is received and then automatically initiates a new token request before retrying the failed request. This usually involves:

  2. Dynamic Token Management: Instead of hardcoding "accessToken": "Bearer ABCD", your system should dynamically insert the latest token into your API requests. The token should be stored in a secure manner and updated every time a new token is obtained.

  3. Review Token Expiry Settings: Although not always feasible, review if the token expiry settings in Azure AD for your application can be adjusted to fit your use case better. However, this is generally not recommended as shorter lifespans are better for security.

rushikeshvartak
All-Star
{
  "authentications": {
    "userAuth": {
      "authType": "oauth2",
      "url": "https://login.microsoftonline.com/<>/oauth2/token",
      "httpMethod": "POST",
      "httpParams": {
        "grant_type": "client_credentials",
        "client_secret": "2",
        "client_id": "",
        "resource": "https://graph.microsoft.com"
      },
      "httpHeaders": {
        "contentType": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "expiryError": "ExpiredAuthenticationToken",
      "authError": [
        "InvalidAuthenticationToken"
      ],
      "retryFailureStatusCode": [
        401
      ],
      "timeOutError": "Read timed out",
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Bearer",
      "accessToken": "Bearer abc"
    }
  }
}

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
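Falcon's suggestion (detect the 401, request a new token, retry the failed call) and the expiryError / authError / retryFailureStatusCode / maxRefreshTryCount keys in the connection JSON above describe one refresh loop. The following is an added example of that loop, not Saviynt's connector code or Microsoft's; TokenClient, FakeGraph, lookup_path and the tok-N token values are constructed for illustration, and FakeGraph stands in for the real token endpoint and Graph API so it runs offline.

```python
import time
# Constructed settings mirroring the keys of the connection JSON posted above.
CONNECTION = {"authError": ["InvalidAuthenticationToken"], "expiryError": "ExpiredAuthenticationToken",
              "retryFailureStatusCode": [401], "errorPath": "error.code", "maxRefreshTryCount": 5,
              "tokenResponsePath": "access_token", "tokenType": "Bearer"}

def lookup_path(body, path):  # walk a dotted path such as 'error.code' through a parsed JSON body
    for key in path.split("."):
        if not isinstance(body, dict) or key not in body:
            return None
        body = body[key]
    return body

class TokenClient:
    """Caches the bearer token and re-fetches it when a call fails with a listed auth error."""
    def __init__(self, fetch_token, call_api, cfg=CONNECTION, now=time.time):
        self.fetch_token, self.call_api, self.cfg, self.now = fetch_token, call_api, cfg, now
        self.token, self.expires_at, self.refreshes = None, 0.0, 0
    def refresh(self):  # in real use: POST grant_type=client_credentials to the token URL
        resp = self.fetch_token()
        self.token = resp[self.cfg["tokenResponsePath"]]
        self.expires_at = self.now() + float(resp.get("expires_in", 3600))
        self.refreshes += 1
    def is_auth_failure(self, status, body):
        code = lookup_path(body, self.cfg["errorPath"])
        return status in self.cfg["retryFailureStatusCode"] and (
            code in self.cfg["authError"] or code == self.cfg["expiryError"])
    def request(self):
        if self.token is None or self.now() >= self.expires_at:
            self.refresh()  # proactive refresh when the cached token is past its expires_in
        for _ in range(self.cfg["maxRefreshTryCount"]):
            status, body = self.call_api(f'{self.cfg["tokenType"]} {self.token}')
            if not self.is_auth_failure(status, body):
                return status, body
            self.refresh()  # 401 with a listed error code: fetch a new token and retry
        raise RuntimeError("auth still failing after maxRefreshTryCount refreshes")

class FakeGraph:  # constructed stand-in for the token endpoint and Graph API, not Microsoft's behaviour
    def __init__(self):
        self.issued, self.current = 0, None  # set current = None to simulate server-side expiry
    def token_endpoint(self):
        self.issued += 1
        self.current = f"tok-{self.issued}"
        return {"access_token": self.current, "expires_in": 86400}
    def create_group(self, auth_header):
        if auth_header != f"Bearer {self.current}":
            return 401, {"error": {"code": "InvalidAuthenticationToken", "message": "expired"}}
        return 201, {"id": "group-1"}
```

A 401 whose error.code is not in authError or expiryError is returned to the caller unchanged, and a token that keeps failing stops after maxRefreshTryCount refreshes instead of looping forever.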