fix(oauth): persist rotated Microsoft refresh tokens

waleedlatif1 · waleedlatif1 · commit 7eded6c4c292 · 2026-05-11T09:44:37.000-07:00
Microsoft Entra rotates refresh tokens on every refresh and expects clients to replace the stored token with the new one. The Microsoft provider config was missing supportsRefreshTokenRotation, so the rotated refresh_token returned by Azure AD was silently discarded and the original token from initial OAuth connect was reused indefinitely — causing periodic 'Failed to refresh access token' errors for Excel, Teams, Outlook, OneDrive, SharePoint, Planner, AD, and Dataverse integrations.
diff --git a/apps/sim/lib/oauth/oauth.test.ts b/apps/sim/lib/oauth/oauth.test.ts
@@ -389,6 +389,36 @@ describe('OAuth Token Refresh', () => {
       })
     })
 
+    it.concurrent(
+      'should rotate refresh token for Microsoft providers (microsoft, outlook, onedrive, sharepoint)',
+      async () => {
+        const microsoftProviders = ['microsoft', 'outlook', 'onedrive', 'sharepoint']
+        const oldRefreshToken = 'old_microsoft_refresh_token'
+        const rotatedRefreshToken = 'rotated_microsoft_refresh_token'
+
+        for (const providerId of microsoftProviders) {
+          const mockFetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: async () => ({
+              access_token: 'new_access_token',
+              expires_in: 3600,
+              refresh_token: rotatedRefreshToken,
+            }),
+          })
+
+          const result = await withMockFetch(mockFetch, () =>
+            refreshOAuthToken(providerId, oldRefreshToken)
+          )
+
+          expect(result).toEqual({
+            accessToken: 'new_access_token',
+            expiresIn: 3600,
+            refreshToken: rotatedRefreshToken,
+          })
+        }
+      }
+    )
+
     it.concurrent('should use original refresh token when new one is not provided', async () => {
       const refreshToken = 'original_refresh_token'
 
diff --git a/apps/sim/lib/oauth/oauth.ts b/apps/sim/lib/oauth/oauth.ts
@@ -1163,6 +1163,7 @@ function getProviderAuthConfig(provider: string): ProviderAuthConfig {
         clientId,
         clientSecret,
         useBasicAuth: false,
+        supportsRefreshTokenRotation: true,
       }
     }
     case 'linear': {

Original file line number	Diff line number	Diff line change
`@@ -1163,6 +1163,7 @@ function getProviderAuthConfig(provider: string): ProviderAuthConfig {`
`1163`	`1163`	`clientId,`
`1164`	`1164`	`clientSecret,`
`1165`	`1165`	`useBasicAuth: false,`
	`1166`	`+ supportsRefreshTokenRotation: true,`
`1166`	`1167`	`}`
`1167`	`1168`	`}`
`1168`	`1169`	`case 'linear': {`