Are you using a 3rd party API for OAuth? Maybe refresh_token isn’t returned so when access_token is expired OpenAI service can’t obtain a new one? Or maybe it is returned but in a non-standard format, for example, it is named differently or it returns a response that is structured in an unusual way?

1 Like

That was it! Refresh token fixed it for me. Would be great to add to the docs!

2 Likes

Hey! I’m also working on an oauth flow and also wondering how to implement the refresh token flow.

I’m returning a refresh_token with my /token api.

What data will openai send to my server for refresh?

1 Like

Hi,
Thank you for your answer. Yes, I’m using a 3rd party OAuth so I don’t have control on what is generated.

I tested using the same parameters OpenAI sends when I install the plugin. Unfortunately my 3rd party doesn’t return any refresh_token…
Adding a specific parameter in the client_url fixes that, but I cannot configure it in ai-plugin.json. I tried adding the request param without success.

Do you know a way I could add this kind of parameter in the client_url field? Or any other way I could solve this issue?

    {"grant_type":"refresh_token","client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","refresh_token":"REFRESH_TOKEN"}

Does this get sent to the /token endpoint?

Thanks,
Colin

Yep! The body gets sent to the same /token endpoint
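
Added example, not part of any post in this thread and not OpenAI's or any provider's code: a /token handler for the refresh request body quoted above, answering with the standard RFC 6749 field names that the first reply asks about. The in-memory stores, the lifetimes and the name `handle_token_request` are assumptions, and rotating the refresh token on each use is a design choice of this example.

```python
import hmac
import secrets
import time

# Constructed sample data: one registered client and one issued refresh token.
CLIENTS = {"CLIENT_ID": "CLIENT_SECRET"}
ACCESS_TTL = 3600          # assumed access token lifetime, seconds
REFRESH_TTL = 30 * 86400   # assumed refresh token lifetime, seconds
REFRESH_TOKENS = {
    "REFRESH_TOKEN": {"client_id": "CLIENT_ID",
                      "expires_at": time.time() + REFRESH_TTL},
}


def handle_token_request(body: dict) -> tuple:
    """Handle a refresh_token grant; returns (HTTP status, JSON body)."""
    client_id = str(body.get("client_id", ""))
    expected = CLIENTS.get(client_id)
    supplied = str(body.get("client_secret", ""))
    # Constant-time comparison so the secret is not leaked through timing.
    if expected is None or not hmac.compare_digest(expected.encode(),
                                                   supplied.encode()):
        return 401, {"error": "invalid_client"}
    if body.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}

    presented = str(body.get("refresh_token", ""))
    record = REFRESH_TOKENS.get(presented)
    # The token must exist, belong to this client and be unexpired.
    if (record is None or record["client_id"] != client_id
            or record["expires_at"] < time.time()):
        return 400, {"error": "invalid_grant"}

    # Rotation: the presented token is retired and a new one is issued.
    del REFRESH_TOKENS[presented]
    new_refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[new_refresh] = {"client_id": client_id,
                                   "expires_at": time.time() + REFRESH_TTL}
    # Standard field names; a differently named or nested refresh token is
    # the "non-standard format" case raised at the top of the thread.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ACCESS_TTL,
        "refresh_token": new_refresh,
    }
```
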

For what it's worth, I am trying to get Google as OAuth provider to work with my plugin, and experience the same behaviour as OP: after plugin install everything works for a few hours. In the plugin code, I am able to query https://www.googleapis.com/oauth2/v3/userinfo with the bearer token passed by ChatGPT (so this is a correct access_token retrieved by ChatGPT on Google’s authorization url).
Then at some point in the ChatGPT UI: "User is missing credentials". This without a hit on the plugin api itself.
Auth part of my ai-plugin.json:

    "auth": {
        "type": "oauth",
        "client_url": "https://accounts.google.com/o/oauth2/v2/auth",
        "authorization_url": "https://oauth2.googleapis.com/token",
        "scope": "profile email",
        "authorization_content_type":"application/x-www-form-urlencoded",
        "verification_tokens": {
            "openai": "khaskfhsklfhd"
        }
    },

The client_url and authorization_url match the ones advertised by Google on https://accounts.google.com/.well-known/openid-configuration

There is not much else to configure here. The same OAuth client config on Google works fine (even after much time passed) when used with e.g. the nextauth.js demo application (https://github.com/nextauthjs/next-auth-example), so I am guessing the OAuth client settings I created at Google should be ok.

If anybody has any ideas left to try, would highly appreciate it!

We added a refresh token and it initially worked, but then a few days later I get:

Error getting system message: {"message":"User is missing credentials"}

It seems that when the token is expired, OpenAI does not automatically call auth0 to obtain a new token.

In this case, I removed the plugin and re-added the plugin; afterward the plugin worked again, so it seems to be an issue on OpenAI's side.

Any thoughts?

1 Like

Adding refresh token never worked for me. Not initially and not after reinstalling my plugin. After a period of not using the plugin I get:

Error getting system message: {"message":"User is missing credentials"}

I’m using Google oauth. Could it have something to do with the authorization service you’re using?

We’re using auth0.

It would be really great to get an OpenAI moderator response on this. More users are running into this issue.

1 Like

If you’re using Google Oauth2 you can log yourself back in without re-installing your app, either in the browser, or using Postman. Use this URL:

https://accounts.google.com/o/oauth2/v2/auth?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=REQUESTED_SCOPES&access_type=offline&prompt=consent

Replace YOUR_CLIENT_ID with your own Client ID, YOUR_REDIRECT_URI with your redirect URI, and scopes with your scopes. If you’re using another auth service I’m sure there’s a way to do the same thing, just replace the URL and put in the appropriate parameters.

Am I wrong to think that OpenAI already has the login endpoint and can simply call that when users need to reauthenticate?

Putting the burden on end users is probably not the solution.

3 Likes

If I understand it correctly, that’s what’s supposed to happen according to the documentation. It appears that either ChatGPT is not asking for a refresh token, or we’re not doing something right so that ChatGPT can get the refresh token.

We are sending the refresh token, that part works.

Any way we can get an OpenAI member to comment?

1 Like

Mine appears to be working now. I have not had the problem since yesterday and my original token has expired and was refreshed. My last token request was through Postman, though, not on install. I don’t know if that makes a difference. Also, I’ve made a dozen changes since I started troubleshooting it, so I’m not sure what worked. But I can share what I’ve done if it’s still not working for anyone.

Having the same issue when using auth0. I'm using a proxy endpoint so I can specify audience, is there something I can add there to make it work?

This is what I'm doing currently:

https://community.openai.com/t/need-to-have-the-ability-to-add-an-audience-for-oauth-in-plugins/182418
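
Added example, not part of any post in this thread and not the code behind the link above: one way a proxy in front of the provider's authorization URL can pin the extra parameters that ai-plugin.json cannot express, here the `access_type=offline` and `prompt=consent` values from the Google URL quoted earlier. The function name, the pass-through list and the allowlisted callback URL are assumptions; an Auth0 setup would put its `audience` value in `FORCED_PARAMS` instead.

```python
from urllib.parse import parse_qsl, urlencode

# Google's authorization endpoint, as given in the thread.
UPSTREAM_AUTHORIZE = "https://accounts.google.com/o/oauth2/v2/auth"
# Parameters the proxy always sets, whatever the caller sent.
FORCED_PARAMS = {"access_type": "offline", "prompt": "consent"}
# Parameters copied through from the incoming request unchanged.
PASSTHROUGH = ("client_id", "redirect_uri", "response_type", "scope", "state")
# Placeholder (assumption): the exact callback registered for the plugin.
ALLOWED_REDIRECTS = {"https://plugin-host.example/oauth/callback"}


def build_upstream_redirect(incoming_query: str) -> str:
    """Return the upstream authorization URL for an incoming query string."""
    pairs = parse_qsl(incoming_query, keep_blank_values=True)
    params = dict(pairs)
    # Reject repeated parameters so the proxy and the provider cannot
    # disagree about which copy of a value applies.
    if len(params) != len(pairs):
        raise ValueError("duplicate query parameter")
    # Exact-match allowlist keeps the proxy from becoming an open redirector.
    if params.get("redirect_uri") not in ALLOWED_REDIRECTS:
        raise ValueError("redirect_uri not allowed")
    if params.get("response_type") != "code":
        raise ValueError("only the authorization code flow is proxied")

    forwarded = {k: params[k] for k in PASSTHROUGH if k in params}
    # Forced values are applied last, so a caller-supplied prompt or
    # access_type never reaches the provider.
    forwarded.update(FORCED_PARAMS)
    return UPSTREAM_AUTHORIZE + "?" + urlencode(forwarded)
```
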

How do you get your client id and redirect uri?

Please can you assist us, as I do not know how to get these.

1 Like

I have the same issue as OP using Microsoft Identity Platform (MIP) and an unverified plugin. MIP is definitely returning a refresh token. I feel like OpenAI should detect the 401 response and direct the user to the authorization page to sign in again if the refresh token isn’t working for some reason.

1 Like

If you’re using a product like Auth0, or something like Google Oauth (any social oauth actually), you’ll find them in the configuration for your application. You have to set up an app as your target for authorization. And in that app, in the case of Auth0 it’s going to be on your dashboard under the app you configured to authenticate with, you’ll find that information. What are you using to authenticate?