fix(oauth): persist rotated Microsoft refresh tokens #4554
Conversation
Microsoft Entra rotates refresh tokens on every refresh and expects clients to replace the stored token with the new one. The Microsoft provider config was missing supportsRefreshTokenRotation, so the rotated refresh_token returned by Azure AD was silently discarded and the original token from initial OAuth connect was reused indefinitely — causing periodic 'Failed to refresh access token' errors for Excel, Teams, Outlook, OneDrive, SharePoint, Planner, AD, and Dataverse integrations.
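An added example, written for this page and not code from the Sim project, showing the mechanism the PR description relies on: a service ID resolves to its base provider, the base provider's config carries a supportsRefreshTokenRotation flag, and the rotated refresh_token in the token response is kept only when that flag is set. The "microsoft-<service>" naming of the hyphenated IDs, the simulated token endpoint and its grace window are assumptions; the four non-hyphenated IDs and the flag name come from the PR.

```typescript
// Added example, not the Sim project's code: how a provider config flag decides
// whether a rotated refresh_token is kept or silently discarded.

interface ProviderAuthConfig {
  tokenEndpoint: string;
  supportsRefreshTokenRotation: boolean;
}

interface TokenResponse {
  access_token: string;
  expires_in: number;
  refresh_token?: string;
}

interface RefreshResult {
  accessToken: string;
  expiresAt: number;
  refreshToken?: string; // set only when a rotated token must replace the stored one
}

// The four non-hyphenated IDs are named on the PR; hyphenated IDs of the form
// "microsoft-<service>" are an assumption about the naming scheme.
const MICROSOFT_BASE_ALIASES = new Set(['microsoft', 'outlook', 'onedrive', 'sharepoint']);

function getBaseProviderForService(providerId: string): string {
  if (MICROSOFT_BASE_ALIASES.has(providerId) || providerId.startsWith('microsoft-')) {
    return 'microsoft';
  }
  return providerId;
}

// rotationFixApplied models the one-line change in the PR: before the fix the
// Microsoft branch had no supportsRefreshTokenRotation flag (treated as false).
function getProviderAuthConfig(baseProvider: string, rotationFixApplied: boolean): ProviderAuthConfig {
  if (baseProvider === 'microsoft') {
    return {
      tokenEndpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
      supportsRefreshTokenRotation: rotationFixApplied,
    };
  }
  return { tokenEndpoint: `https://example.invalid/${baseProvider}/token`, supportsRefreshTokenRotation: false };
}

type TokenFetcher = (endpoint: string, storedRefreshToken: string) => TokenResponse;

function refreshOAuthToken(
  providerId: string,
  storedRefreshToken: string,
  fetchToken: TokenFetcher,
  rotationFixApplied: boolean,
  now: number = Date.now(),
): RefreshResult {
  const config = getProviderAuthConfig(getBaseProviderForService(providerId), rotationFixApplied);
  const body = fetchToken(config.tokenEndpoint, storedRefreshToken);
  const result: RefreshResult = { accessToken: body.access_token, expiresAt: now + body.expires_in * 1000 };
  // The bug: without the flag, a rotated refresh_token in the response is dropped here.
  if (config.supportsRefreshTokenRotation && body.refresh_token && body.refresh_token !== storedRefreshToken) {
    result.refreshToken = body.refresh_token;
  }
  return result;
}

// Persistence step: write the new refresh token back only when one was returned.
function persistRefreshResult(store: Map<string, string>, providerId: string, result: RefreshResult): void {
  if (result.refreshToken) store.set(providerId, result.refreshToken);
}

// Constructed stand-in for a rotating token endpoint: every refresh issues a new
// refresh token, and an old one stays accepted for ROTATION_GRACE further refreshes
// before the endpoint rejects it. The grace window is an assumption made so the
// delayed failure the PR describes can be reproduced offline.
const ROTATION_GRACE = 2;

function makeRotatingEndpoint(): TokenFetcher {
  const issued = ['rt-0'];
  return (_endpoint, presented) => {
    const idx = issued.indexOf(presented);
    if (idx < 0 || idx < issued.length - 1 - ROTATION_GRACE) {
      throw new Error('Failed to refresh access token: invalid_grant');
    }
    const next = `rt-${issued.length}`;
    issued.push(next);
    return { access_token: `at-${issued.length - 1}`, expires_in: 3600, refresh_token: next };
  };
}

// Runs repeated refreshes against the stand-in endpoint and returns how many
// succeeded before the first failure.
function simulateRefreshCycles(providerId: string, cycles: number, rotationFixApplied: boolean): number {
  const fetchToken = makeRotatingEndpoint();
  const store = new Map<string, string>([[providerId, 'rt-0']]);
  let ok = 0;
  for (let i = 0; i < cycles; i++) {
    try {
      const result = refreshOAuthToken(providerId, store.get(providerId)!, fetchToken, rotationFixApplied);
      persistRefreshResult(store, providerId, result);
      ok += 1;
    } catch {
      break;
    }
  }
  return ok;
}
```

Calling simulateRefreshCycles('microsoft-teams', 10, false) reproduces the pre-fix behaviour: the stored token never changes, so refreshes succeed only while the endpoint still tolerates the stale token and then fail with the refresh error; with the flag applied all ten cycles succeed because each rotated token is persisted before the next refresh. The detection signal for this class of bug is the same in production: a refresh error whose presented refresh_token predates the last successful refresh.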
PR Summary: Medium Risk
Overview: Tests are extended to assert refresh-token rotation is applied across Microsoft base and service provider IDs (e.g.,
Reviewed by Cursor Bugbot for commit fd885f2.
Greptile Summary: This PR fixes a token-refresh bug for Microsoft OAuth integrations by adding
Confidence Score: 5/5. Safe to merge — the change is a targeted one-line flag addition with no behavioural side-effects for non-Microsoft providers. The fix is minimal and isolated to the Microsoft provider branch. The getBaseProviderForService mapping already ensures all nine Microsoft sub-provider IDs resolve to the microsoft case before getProviderAuthConfig is called, so the single flag addition covers every affected integration. The persistence path in utils.ts already correctly saves the rotated token. The new test validates all nine providers end-to-end and the existing test suite is intact. No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[refreshOAuthToken called with any Microsoft provider ID] --> B[getBaseProviderForService]
B --> C{Is it a sub-provider?}
C -- yes --> D[Map to base provider: microsoft]
C -- no --> D
D --> E[getProviderAuthConfig microsoft]
E --> F[config with supportsRefreshTokenRotation enabled]
F --> G[POST to Microsoft token endpoint]
G --> H[Response contains rotated token]
H --> I{supportsRefreshTokenRotation?}
I -- true, after this fix --> J[Capture rotated token]
I -- false, before this fix --> K[Discard rotated token, reuse old one]
J --> L[Return new accessToken and rotated refreshToken]
L --> M[Persist rotated token to DB]
Reviews (2): Last reviewed commit: "test(oauth): cover hyphenated Microsoft ..."
@greptile-apps the hyphenated Microsoft provider IDs ( Pushed fd885f2 to extend the rotation test to cover all 9 Microsoft service IDs explicitly — all pass, confirming rotation works end-to-end for every Microsoft integration.
That's correct and well-explained. Looking at the code flow:
The four non-hyphenated IDs ( The fd885f2 test extension covering all 9 service IDs end-to-end is a solid addition. The fix is correct and complete — good to merge.
@greptile
@cursor review |
✅ Bugbot reviewed your changes and found no new issues!
Summary
apps/sim/lib/oauth/oauth.ts was missing supportsRefreshTokenRotation, so the rotated refresh_token from Azure AD was silently discarded and the original token from initial OAuth connect was reused indefinitely.
Failed to refresh access token failures (~monthly) for Excel, Teams, Outlook, OneDrive, SharePoint, Planner, AD, and Dataverse integrations even on daily-running workflows.
supportsRefreshTokenRotation: true on the Microsoft branch. Persistence in apps/sim/app/api/auth/oauth/utils.ts already writes the new token back when returned.
Type of Change
Testing
microsoft, outlook, onedrive, sharepoint) capture the rotated refresh_token from the token response.
Checklist