I am getting an error when trying to use OAuth2ClientCredentials authorization. When viewing the error logs I see that the token URL is called using POST. I need it to be called using GET as the API doesn’t support the POST method. Is it possible to make a GET call instead?
Hi @Pauline_Daniel - Welcome to the Coda community! Unfortunately our OAuth2 authentication doesn’t support a GET request currently, and that is likely because the OAuth2 specification mandates a POST request:
The client MUST use the HTTP “POST” method when making access token requests.
RFC 6749 - The OAuth 2.0 Authorization Framework
It’s not uncommon however for API providers to differ from the spec. Can you point me to the documentation of this specific API?
As mentioned in our chat, this API is using a custom token exchange, similar to but not compliant with the OAuth2 specification. Unfortunately that means the OAuth2 authentication type in the SDK can’t be used.
In general custom token exchanges aren’t supported in Packs, but you can sometimes work around it by manually fetching the token at the start of each execute function. Here’s an example that shows that pattern:
This pattern does require that the API is OK with new tokens being generated often, as there is no way to persist the tokens between executions.
I was able to fetch the token, but like you said the actual API call fails because the Authorization header that I add manually gets removed.
So I came up with a workaround. I split the code into 2 packs. One with authentication to fetch the token and a formula that returns the fetched token. The other without authentication but having the formula take the token as a parameter and manually adding the Authorization header. That seems to work… but then I guess that is a security issue because anyone could access the token.
Would it be possible to use custom authentication?
Unfortunately Custom authentication wouldn’t work since the Authorization: Basic header value needs to be base64 encoded. Custom auth doesn’t provide you the raw credentials, but rather placeholders that Coda replaces with the credentials as the request is sent. If you encode those placeholders the replacement logic won’t work, and the base64 value will be incorrect.
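The placeholder problem described in the last reply, as an added example that is not part of the thread and is not Coda's SDK code. It is a constructed model: the {{name}} placeholder syntax, the function names and the credential values are assumptions made for illustration.

```javascript
// Constructed model of placeholder-based credential injection. The {{name}}
// syntax and all names below are assumptions, not the Packs SDK API.
const SECRETS = { clientId: "demo-client", clientSecret: "demo-secret" }; // constructed values

// What the platform does as the request is sent: swap every literal
// {{name}} found in a header value for the stored credential.
function injectCredentials(headers, secrets) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = value.replace(/\{\{(\w+)\}\}/g, (match, key) =>
      Object.prototype.hasOwnProperty.call(secrets, key) ? secrets[key] : match);
  }
  return out;
}

const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const unb64 = (s) => Buffer.from(s, "base64").toString("utf8");

// Pack code only ever holds the placeholders, so the only Basic header it
// can build is the base64 of the placeholder text itself.
function buildBasicHeaderInPack() {
  return { Authorization: "Basic " + b64("{{clientId}}:{{clientSecret}}") };
}

// A placeholder left in plain text is still visible to the replacement step.
function buildPlainHeaderInPack() {
  return { "X-Client-Id": "{{clientId}}" };
}

// What the API server recovers after decoding the Basic header.
function decodeBasicAtServer(headers) {
  return unb64(headers.Authorization.slice("Basic ".length));
}

function demo() {
  const plain = injectCredentials(buildPlainHeaderInPack(), SECRETS);
  const basic = injectCredentials(buildBasicHeaderInPack(), SECRETS);
  return {
    plainHeader: plain["X-Client-Id"],       // replaced with the real value
    serverSees: decodeBasicAtServer(basic),  // still the placeholder text
    serverNeeds: `${SECRETS.clientId}:${SECRETS.clientSecret}`,
  };
}
console.log(demo());
```

Base64 output contains no brace characters, so the replacement step finds nothing to substitute and the server decodes the placeholder names instead of the credentials.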