OAuth2 Web Service Connector Authorization

Which IIQ version are you inquiring about?

8.4

Hi all,

I have a Web Service Connector application for which I want to implement OAuth2 as the authentication method. I would like to check: since the authentication will return an API token which is to be used for authorisation, do I need to specify it in my operations (highlighted in yellow)? Or will SailPoint read this value by default?

Hi @shijingg,

You don’t need to manually specify the authorization token in each operation. The connector will handle it itself:

  • Obtains the access token during authentication
  • Stores it in memory
  • Automatically includes it in subsequent API calls
  • Handles token refresh when needed

Try creating a test connection operation and test the connectivity. Once successful, create the rest of the operations.

Even for the refresh token which the authentication will return will be automatically handled?

No, you will have to handle it explicitly.

@shijingg -

No—don’t add an Authorization header yourself.

In IdentityIQ’s Web Service Connector, when you pick Authentication Method = OAuth2 and fill in the token URL / client id / client secret (Client Credentials flow), IIQ will:

  • Call the token endpoint,

  • Cache the access_token until expiry,

  • Automatically inject Authorization: Bearer <access_token> on every request (including /health and all operations).

So you only need headers like Content-Type. If you also add your own Authorization header in the operation it can conflict or be duplicated—leave it blank.

Only handle it yourself if the target API expects the token somewhere other than the standard Authorization: Bearer … (e.g., a custom header or query param). In that rare case you’d keep OAuth2 for token retrieval and move/copy the token in a Before Operation rule; otherwise the default behavior is sufficient.

Cheers!!!

Hi @sukanta_biswas ,

What about refresh_token?

The OAuth2 token response returns a refresh_token; does it need to be persisted? Because intermittently we are getting an error saying that the refresh_token is empty. Does SailPoint automatically know when the refresh_token is expired and perform the necessary steps?

Below is an example of how the response after calling the authentication looks (values replaced with placeholders):

```json
{
  "access_token": "xxx",
  "token_type": "xxx",
  "expires_in": "xxx",
  "refresh_token": "xxx",
  "refresh_token_expires_in": "xxx",
  "scope": "xxx"
}
```

I am currently getting this error: `Exception during aggregation of Object Type Group on Application *****. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: Error: Refresh Token cannot be empty.`

I think it is due to the refresh_token not persisting. How do I make it persist?

Refresh token will not be issued for client_credentials flow, can you check if the flow is correct?

Hi, as shared, during authentication a refresh_token is returned. How do I persist the refresh token?

```json
{
  "access_token": "xxx",
  "token_type": "xxx",
  "expires_in": "xxx",
  "refresh_token": "xxx",
  "refresh_token_expires_in": "xxx",
  "scope": "xxx"
}
```

Is the response from a REST client (like Postman)? If yes, would you be able to check the body that’s being sent for the token generation?

There will be an entry in the application xml (in debug) called “oauthTokenInfo” (in encrypted format) which contains the whole response that’s received during the token generation.
access_token and refresh_token are stored in accesstoken & refresh_token attributes respectively in the application.

I still believe that oauth flow is not client credentials as the auth server is responding with a refresh token. Please check the API documentation and confirm the flow.

access_token and refresh_token are stored in accesstoken & refresh_token attributes respectively in the application.

Based on your statement, does this mean that as long as the values are returned, SailPoint will automatically use those values?

It will be used generally but as your grant type is client credentials only access token would be used.

Hi @BhuvaneshGeddam , if I require refresh_token which is a dynamic returned value during access token generation, how should I set it up in SailPoint?

Hi @ajmerasunny @naveenkumar3 @sukanta_biswas , will IIQ refresh the token when expired? Or we need to handle this?
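To make the behaviour discussed in this thread concrete (the connector fetching a token, caching it until expiry and injecting `Authorization: Bearer ...` on every request, and the later question of when a refresh_token is stored and used), here is an added example in Python. It is not SailPoint's connector code and not the Web Service Connector's API; it is a small token cache of the kind described above, run against a constructed in-memory token endpoint. The client id/secret, token values, clock and endpoint are all constructed stand-ins, and the `password` grant is used here only as an example of a grant that does return a refresh_token, as opposed to `client_credentials`, which per RFC 6749 section 4.4.3 should not.

```python
# Added example, not SailPoint's code: an OAuth2 token cache that behaves the way
# the thread describes the Web Service Connector behaving (fetch, cache until
# expiry, inject Bearer, renew), run against a constructed in-memory token endpoint.
import time

CLIENT_ID = "iiq-client"      # constructed sample credentials
CLIENT_SECRET = "s3cret"      # constructed; in IIQ these come from the application config
SKEW_SECONDS = 30             # renew slightly before the server-side expiry


class FakeTokenEndpoint:
    """Constructed stand-in for the target API's token URL (no network). It issues a
    refresh_token for the password and refresh_token grants and, as RFC 6749 section
    4.4.3 says it should not, never for client_credentials."""

    def __init__(self, lifetime=3600):
        self.lifetime = lifetime
        self.calls = []            # every form body posted, so callers can inspect the flow
        self.valid_refresh = set()

    def post(self, form):
        self.calls.append(dict(form))
        n = len(self.calls)
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "refresh_token":
            if form.get("refresh_token") not in self.valid_refresh:
                return {"error": "invalid_grant"}           # an empty refresh_token ends here too
            self.valid_refresh.discard(form["refresh_token"])  # rotated: the old one is spent
        elif grant not in ("client_credentials", "password"):
            return {"error": "unsupported_grant_type"}
        resp = {"access_token": f"at-{n}", "token_type": "Bearer", "expires_in": self.lifetime}
        if grant != "client_credentials":
            resp["refresh_token"] = f"rt-{n}"
            self.valid_refresh.add(resp["refresh_token"])
        return resp


class TokenCache:
    """Fetch once, cache until expiry, hand out the Authorization header, renew.
    A refresh_token is kept only if the server issued one; it is used for renewal
    and dropped the moment the server rejects it."""

    def __init__(self, endpoint, grant, extra_form=None, clock=time.time):
        self.endpoint, self.grant, self.clock = endpoint, grant, clock
        self.extra_form = extra_form or {}
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _store(self, resp):
        if "error" in resp:
            raise RuntimeError("token endpoint error: " + resp["error"])
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + resp["expires_in"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def _fetch(self):
        creds = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
        if self.refresh_token:
            resp = self.endpoint.post({**creds, "grant_type": "refresh_token",
                                       "refresh_token": self.refresh_token})
            if "error" not in resp:
                self._store(resp)
                return
            self.refresh_token = None   # spent or rejected: fall back to the primary grant
        self._store(self.endpoint.post({**creds, "grant_type": self.grant, **self.extra_form}))

    def authorization_header(self):
        if self.access_token is None or self.clock() >= self.expires_at - SKEW_SECONDS:
            self._fetch()
        return {"Authorization": "Bearer " + self.access_token}


def build_headers(cache, operation_headers):
    """Merge an operation's own headers with the injected bearer. An operation that
    sets Authorization itself is the duplicate the thread warns about, so reject it."""
    if any(k.lower() == "authorization" for k in operation_headers):
        raise ValueError("operation must not set Authorization; the connector injects it")
    return {**operation_headers, **cache.authorization_header()}


class FakeClock:
    """Constructed clock so the example can jump past token expiry without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def run_lifecycle(grant):
    """Two requests inside the token lifetime, then one after expiry; returns what happened."""
    clock, endpoint = FakeClock(), FakeTokenEndpoint(lifetime=3600)
    extra = {"username": "svc-user", "password": "svc-pass"} if grant == "password" else {}
    cache = TokenCache(endpoint, grant, extra, clock=clock)
    first = build_headers(cache, {"Content-Type": "application/json"})
    second = build_headers(cache, {"Content-Type": "application/json"})   # served from cache
    clock.now += 3600                                                      # past expiry
    third = build_headers(cache, {"Content-Type": "application/json"})    # renewed
    return {
        "grants_posted": [c["grant_type"] for c in endpoint.calls],
        "reused_within_lifetime": first == second,
        "renewed_after_expiry": third["Authorization"] != first["Authorization"],
        "holds_refresh_token": cache.refresh_token is not None,
    }
```

Running `run_lifecycle("client_credentials")` posts the `client_credentials` grant twice (once at start, once after expiry) and never holds a refresh_token, which matches the replies above that say only the access token is used for that flow; `run_lifecycle("password")` posts the primary grant once and then renews with the `refresh_token` grant. An empty refresh_token sent to the endpoint is rejected outright, which is the situation behind an error like "Refresh Token cannot be empty": the server issued no refresh_token, yet the client tried to use one.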