Symptoms
Custom Connector connections fail because of authentication failures. When this problem occurs, you receive the following error message:
Alert: Your <ConnectionName> connection isn't working
Cause
One or more incorrect URLs were set during the Custom Connection creation.
Resolution
Before you try to configure a Custom Connector, all actions should be verified outside of Power Automate by using a tool such as Postman.
Each of the following steps should be successfully completed in a tool such as Postman before you configure the Custom Connector:
-
Call the OAUTH token retrieval endpoint.
-
Call the API action by using the returned token.
-
Call the OAUTH token refresh endpoint after the token expires.
-
Call the API action by using the new, refreshed token.
Notice that only Authorization Code Grant flows and On-Behalf-Of flows support refresh tokens. (For more information, see this Microsoft Graph: Developer Blog article.) Implicit grants and client credentials grants do not support refresh tokens. Therefore, you cannot use these grants to authenticate Custom Connectors.
Test generating OAUTH tokens by using Postman
Postman lets you easily perform the testing of an endpoint that's authenticated by OAUTH2. In order to perform this testing, you must have the following information about or configurations done on the endpoint:
-
Get the Microsoft Azure Tenant ID. The tenant ID is shown on the Azure Active Directory (Azure AD) blade, and is found on the Properties tab.
-
Get the Application (Client) ID. This is also available on the Azure AD blade, and is found on the App Registrations tab.
The next screen appears as follows.
-
Make sure that https://oauth.pstmn.io/v1/callback is a valid callback URI for the application.
-
Record the scopes for which your application must authenticate.
Note: Some third-party authentication providers require that additional scopes be provided to function fully with Power Automate and Power Apps. This includes such features as offline authentication (required for related connections to automatically refresh the Custom Connector token). These additional scopes lie outside the Microsoft scope of information. For more information, refer to the authentication provider's documentation.
Create a collection, and get a new access token
In Postman, create a collection. On the Authorization tab, specify the following values:
-
Type: OAuth 2.0
-
Header Prefix: Bearer
-
Token Name: <user choice>
-
Grant Type: Authorization Code
-
Callback URL: Select "Authorize using browser" next to this option. Notice that the URL itself may not be edited.
-
Auth URL: https://login.microsoftonline.com/<your Tenant ID>/oauth2/v2.0/authorize
-
Access Token URL: https://login.microsoftonline.com/<your Tenant ID>/oauth2/v2.0/authorize
-
Client ID: <your Application ID>
-
Client Secret: (optional, leave blank)
-
Scope: (enter scopes separated by spaces)
-
State: <optional, leave blank>
-
Client Authentication: Send client credentials in body.
When you select Get New Access Token at the bottom of this dialog box, you are taken to a browser to authenticate to Azure AD, then automatically returned to Postman. If you see Access Token and Refresh Token entries in the resulting dialog box, this means that you have successfully configured the URLs and can proceed to create your Custom Connector.
Define OAUTH settings for Custom Connector
Now that all the information is verified, it can be populated in the Custom Connector Authorization section, as follows.
Outside resources
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
