Question

Logic Apps Custom Connector security issue


Alexander Heinze
Superhero (Employee)

I have created a Logic Apps Custom Connector (imported the OpenAPI v3 definition into Postman and used the Postman collection for the connector) with the following security settings:

The connection is created successfully and the Logic App using the new connector works perfectly. However, running the same Logic App again after 2 hours I get a 401 error “scope=\"openid microprofile-jwt\" error=\"invalid_token\" error_description=\"jwt signature verification failed: 'exp' claim expired at Wed, 09 Apr 2025 07:19:43 GMT\

Reviewing the Connection I see

On the connection I get "Failed to refresh access token for service: oauth2. Correlation Id=5b637509-4626-4d68-a5ad-0a1fdb3da129, UTC TimeStamp=4/9/2025 9:20:08 AM, Error: OAuth 2 access token refresh failed. Client ID and secret sent in form body.. Response status code=BadRequest. Response body: {"error":"invalid_grant","error_description":"Token is not active"}"

 

I’m not a security expert, hence every suggestion is much appreciated.

4 replies

dsj
Ultimate Hero (Partner)
  • April 9, 2025

Hi ​@Alexander Heinze 

 

Prior to 24R2, the IAM client refresh token validity is 2 hrs, which means you need to obtain a new access token by logging in.

As a quick fix, you can go to the Connections in Power Automate and do the ‘Fix Connection’ for the connector connection to obtain a new token.

 

If you are building an automated flow using Logic Apps, a custom connector may not be the ideal solution. You may call the IFS projection endpoints using the generic HTTP connector available in Power Platform, fetch a token before invoking the projection, and add it to the request.

You can get some idea on my blog post below :)

https://dsj23.me/2025/01/01/creating-a-file-reader-for-ifs-cloud-using-microsoft-power-automate-and-onedrive/

 

If you are building a Power Apps app, then a custom connector would be a good choice since the users can re-login in the app once the token is expired.

 

Hope it helps!

Damith


Alexander Heinze
Superhero (Employee)
Hi Damith,

 

That confirms my conclusion. I have already moved from Power Automate to Logic Apps because the Flows had significant limitations. And now it seems that I also need to move from the custom connector to generic HTTP.

 

Unless someone comes up with a better fix...


dsj
Ultimate Hero (Partner)
  • April 9, 2025

Hi ​@Alexander Heinze 

 

With the Sessions and Tokens Configuration in 24R2, you can create an IAM client with a longer session lifespan, which is one workaround, but it comes at the price of security concerns.

Client Credential is not supported in custom connectors, so I think the generic HTTP connector would be the only viable option available.

Specify connection parameters | Microsoft Learn

 

Regards,

Damith
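
The approach suggested in the replies above (fetch a fresh token before calling the projection instead of relying on a refresh token), sketched in Python as an added example; it is not code from any poster, IFS or Microsoft. The token endpoint URL is a placeholder, the function and class names are hypothetical, the IAM client is assumed to allow the client credentials grant, and the sample token is constructed.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder (assumption): use the token endpoint of your own IAM realm.
TOKEN_URL = "https://ifs.example.invalid/<token-endpoint-path>"
SKEW_SECONDS = 60  # renew this long before 'exp' to absorb clock drift and latency

def jwt_exp(token):
    """Read 'exp' from the JWT payload without verifying the signature.
    Used only to schedule renewal; the server still validates the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def fetch_client_credentials_token(client_id, client_secret, url=TOKEN_URL):
    """OAuth 2.0 client credentials grant (RFC 6749 section 4.4); no refresh token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, never hard-code
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

class TokenCache:
    """Returns a cached access token and fetches a new one shortly before expiry."""
    def __init__(self, fetch, now=time.time):
        self._fetch, self._now = fetch, now
        self._token, self._exp = None, 0

    def get(self):
        if self._token is None or self._now() >= self._exp - SKEW_SECONDS:
            self._token = self._fetch()
            self._exp = jwt_exp(self._token)
        return self._token

def make_sample_jwt(exp):
    """Constructed, unsigned sample token for offline runs (not a real IAM token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc({'exp': exp})}.sig"
```

In a Logic App the same pattern is two HTTP actions: one POST to the token endpoint, then the projection call with the returned token in the `Authorization: Bearer` header.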


  • Do Gooder (Partner)
  • 1 reply
  • April 12, 2025

I'm using IFS 24 R2. When I try to refresh the token from Postman,

{
    "error": "invalid_grant",
    "error_description": "Token is not active"
}
But this refresh token flow worked a month back. Could not find what the issue is here.

