Actions in GPTs OAuth Refresh-Token Issue

I’ve successfully implemented the initial OAuth flow for my Custom GPT actions, and during the first request, OpenAI correctly includes the ‘client_id’ and ‘client_secret.’ However, I’ve encountered an issue during token refresh. After the access token expires, OpenAI sends a request to my ‘Token URL’ with ‘grant_type’: ‘refresh_token.’ Unfortunately, this refresh request appears to contain incorrect ‘client_id’ and ‘client_secret,’ causing it to fail.

Have you managed to resolve this problem?

1 Like

I have narrowed down this issue. When using OAuth for custom action authentication, only the first-ever values entered in the client ID / secret fields for a given domain are ever valid. The GPT will use a subsequently entered secret in the payload for calls to API endpoints, but only the first-entered value continues to be included in the payload for calls to the Token URL when refreshing the access token. This holds true across GPTs and across OpenAI user accounts: if another account creates a GPT with an action utilizing the same domain, they will be unable to use their own client ID / secret, and will be able to retrieve the first-entered secret when the GPT tries to use it to refresh the access token. This seems to be a serious security flaw.

1 Like
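For anyone hosting the Token URL side of this, the following is an added example (not code from the thread or from OpenAI) of a minimal refresh_token grant handler that turns the stale-credential refresh described above into a clean `invalid_client` rejection plus an audit event, and binds each refresh token to the client it was issued to so a token presented under a different client ID is refused. It assumes client_id and client_secret arrive in the POST form body; all client IDs, secrets and tokens are constructed sample values.

```python
"""Minimal OAuth 2.0 token endpoint logic for grant_type=refresh_token.

Added example, not the forum poster's or OpenAI's code. Shows the server-side
checks that make a refresh request carrying an outdated client secret fail
loudly instead of silently: client authentication, refresh-token-to-client
binding, rotation, and an audit trail. Sample values are constructed.
"""
import hashlib
import hmac
import secrets


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Hypothetical registered clients: client_id -> SHA-256 of the current secret.
# Holding only a digest lets a stale or leaked secret be checked without the
# server ever storing the plaintext.
REGISTERED_CLIENTS = {"gpt-client-A": _sha256("secret-A-current")}

# Refresh tokens bound to the client they were issued to (constructed sample).
REFRESH_STORE = {"rt-111": {"client_id": "gpt-client-A", "user": "alice", "used": False}}

AUDIT_LOG = []  # one line per rejected refresh attempt, for detection


def client_ok(client_id, client_secret):
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _sha256(client_secret))


def handle_token_request(form):
    """Return (http_status, json_body) for a token-endpoint POST body."""
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    cid, csec, rt = form.get("client_id"), form.get("client_secret", ""), form.get("refresh_token")
    # RFC 6749 section 6: confidential clients must authenticate on refresh.
    if not client_ok(cid, csec):
        AUDIT_LOG.append(f"invalid_client grant=refresh_token client_id={cid}")
        return 401, {"error": "invalid_client"}
    rec = REFRESH_STORE.get(rt)
    # Unknown, replayed, or issued to a different client: reject the grant.
    if rec is None or rec["used"] or rec["client_id"] != cid:
        AUDIT_LOG.append(f"invalid_grant grant=refresh_token client_id={cid}")
        return 400, {"error": "invalid_grant"}
    rec["used"] = True  # rotate: the old refresh token is single-use
    new_rt = "rt-" + secrets.token_hex(8)
    REFRESH_STORE[new_rt] = {"client_id": cid, "user": rec["user"], "used": False}
    return 200, {"access_token": "at-" + secrets.token_hex(8),
                 "refresh_token": new_rt, "token_type": "Bearer"}
```

With this in place, the symptom from the thread shows up on the server as a run of `invalid_client` audit lines for the affected client ID, which is the signal to look at before rotating the secret.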