
I have created a Logic Apps Custom Connector (imported the OpenAPI v3 definition into Postman and used the Postman collection for the connector) with the following security settings:

The connection is created successfully and the Logic App using the new connector works perfectly. However, running the same Logic App again after 2 hours I get a 401 error “scope=\"openid microprofile-jwt\" error=\"invalid_token\" error_description=\"jwt signature verification failed: 'exp' claim expired at Wed, 09 Apr 2025 07:19:43 GMT\

Reviewing the Connection I see

On the connection I get "Failed to refresh access token for service: oauth2. Correlation Id=5b637509-4626-4d68-a5ad-0a1fdb3da129, UTC TimeStamp=4/9/2025 9:20:08 AM, Error: OAuth 2 access token refresh failed. Client ID and secret sent in form body.. Response status code=BadRequest. Response body: {"error":"invalid_grant","error_description":"Token is not active"}"

 

I’m not a security expert, hence every suggestion is much appreciated.

Hi ​@Alexander Heinze 

 

Prior to 24R2, the IAM client refresh token validity is 2 hrs, which means you need to obtain a new access token by logging in.

As a quick fix, you can go to the Connections in Power Automate and do the ‘Fix Connection’ for the connector connection to obtain a new token.

 

If you are building an automated flow using Logic Apps, a custom connector may not be the ideal solution. You may call the IFS projection endpoints using the generic HTTP connector available in Power Platform, and fetch a token before invoking the projection and add it to the request.

You can get some idea on my blog post below :)

https://dsj23.me/2025/01/01/creating-a-file-reader-for-ifs-cloud-using-microsoft-power-automate-and-onedrive/

 

If you are building a Power Apps app, then a custom connector would be a good choice since the users can re-login in the app once the token is expired.

 

Hope it helps!

Damith



Hi Damith,

 

That confirms my conclusion. I have already moved from Power Automate to Logic Apps because the Flows had significant limitations. And now it seems that I also need to move from the custom connector to generic HTTP.

 

Unless someone comes up with a better fix...


Hi ​@Alexander Heinze 

 

With the Sessions and Tokens Configuration in 24R2, you can create an IAM client to have a longer session lifespan, which is one workaround, but it comes at the price of security concerns.

Client Credential is not supported in custom connectors, so I think the generic HTTP connector would be the only viable option available.

Specify connection parameters | Microsoft Learn

 

Regards,

Damith
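
The approach suggested above (fetch a token just before invoking the projection rather than depending on a refresh token held by the connector), as an added example that is not code from this thread, IFS or Microsoft. It assumes the IAM client permits the standard OAuth 2.0 client-credentials grant; `TokenSource`, `call_with_token` and `FakeIdp` are hypothetical names, and the token endpoint is a constructed stand-in so the example runs offline.

```python
import time
from typing import Callable, Dict, Optional

SKEW = 60  # seconds: renew this long before the reported expiry

class TokenSource:
    """Client-credentials token cache; never relies on a refresh token."""

    def __init__(self, post_form: Callable[[Dict[str, str]], Dict],
                 client_id: str, client_secret: str,
                 clock: Callable[[], float] = time.time):
        self._post, self._clock = post_form, clock
        # Standard RFC 6749 form fields; load the secret from a vault, not source.
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self, force: bool = False) -> str:
        now = self._clock()
        if force or self._token is None or now >= self._expires_at - SKEW:
            body = self._post(self._form)
            if "error" in body:  # e.g. invalid_client, invalid_grant
                raise RuntimeError(f"{body['error']}: {body.get('error_description', '')}")
            self._token = body["access_token"]
            self._expires_at = now + float(body["expires_in"])
        return self._token

def call_with_token(source: TokenSource, send: Callable[[str], int]) -> int:
    """Send one request; on 401 (expired or revoked token) refetch and retry once."""
    status = send(source.get())
    if status == 401:
        status = send(source.get(force=True))
    return status

class FakeIdp:
    """Constructed stand-in for the token endpoint and API (assumption)."""
    def __init__(self, clock, lifetime=300):
        self.clock, self.lifetime, self.issued = clock, lifetime, {}
    def token(self, form):
        if form.get("client_secret") != "s3cret-placeholder":
            return {"error": "invalid_client", "error_description": "bad secret"}
        tok = f"tok-{len(self.issued) + 1}"
        self.issued[tok] = self.clock() + self.lifetime
        return {"access_token": tok, "expires_in": self.lifetime}
    def api(self, tok):  # 401 once the token's expiry has passed
        return 200 if self.clock() < self.issued.get(tok, 0) else 401
```

In a real flow, `post_form` would be the HTTP action that posts to the IAM token endpoint and `send` the projection call carrying the bearer token.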


I'm using IFS 24 R2. When I try to refresh the token from Postman,

{
    "error": "invalid_grant",
    "error_description": "Token is not active"
}
But this refresh token flow worked a month back. Could not find what the issue is here.

