An external service uses the OAuth2 Authorization Code flow. This creates a unique session on the server per login (consent).
A Power App uses a custom connector with the OAuth2 Authorization Code flow. Teams is a corporate license integrated with AD (Premium). The Power App connects to this external service but should only provide data for a specific (AD & external service) user. The connector, connection, Power App and API calls are working (though currently fixed to a specific user that has an account on the external service).
1. Is it a correct assumption that a user who uses the Power App needs to authenticate (log in) on the external service via OAuth2 Auth Code and thus has their own access token, or does the connector use the same token for multiple Power Apps users on the same Teams tenant?
2. The connection can be shared with people in the organization. Does that mean all users will access the service using the same access token? Or does every user have to provide consent (log in) to the Power App to access their data on the external service? (Hopefully it is the latter case, since that is what is needed to trace the user back from the session.)
Findings so far:
a. In the Power App development environment (edit/test app), Power Apps uses a different OAuth2 session than for running the app from the main menu.
b. Using the same Power App with the same connector for the same (Teams and external service) user on the same computer but a different client (browser), a new connection needs to be created (consent), a.k.a. "fix connection". Thus Power Apps seems to persist connections not only per Power App user, but also per something more, like the browser type (FF, Chrome, etc.).
c. Using the same browser, the connection is reused (tested > 20 hours), and the connection does not go through a token refresh request even though the token is already expired by the expiration period provided at consent. Currently the external service accepts an expired token (as some clients require that); will try changing that to an error to see if that works.
Hope someone can give some insights on connection/Power Apps token/session management.
Based on the above behavior it is impossible to determine that a session has become stale. This means the service may need to destroy the session if the token is expired, but that would cause a bit of a nuisance for users, having to reauthenticate if this period is set very short (e.g. 1 day). Power Apps should send a refresh if it finds that the token it has has expired.
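Added example (not from the original post, and not Power Apps or Microsoft code): a resource-server-side bearer token check that shows the two behaviours discussed in finding (c), accepting an expired token versus rejecting it with the RFC 6750 `401` / `WWW-Authenticate: Bearer error="invalid_token"` challenge, which is the signal a conforming OAuth2 client uses to know it must refresh or re-consent. The session table, tokens, user names and timestamps are constructed for the example; the one-session-per-consent layout is an assumption modelled on the post's description of the external service.

```python
"""Resource-server side: is this bearer token (one session per consent) still
valid, and how should the API answer so the client learns to refresh?
The session table and times are constructed for this example."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed session store: one record per consent, keyed by the opaque
# access token that the authorization code flow handed out.
SESSIONS = {
    "tok-alice-1": {"user": "alice@example.com", "issued_at": 1_700_000_000, "expires_in": 3600},
    "tok-bob-7":   {"user": "bob@example.com",   "issued_at": 1_700_000_000, "expires_in": 3600},
}


@dataclass
class AuthResult:
    status: int                      # HTTP status the API should return
    user: Optional[str] = None       # resolved user when the token is accepted
    stale: bool = False              # True when the token is past its lifetime
    headers: dict = field(default_factory=dict)


def _unauthorized(error=None, description=None):
    # RFC 6750 section 3: a bare challenge when no token was sent, and
    # error="invalid_token" when the token is unknown or expired.
    challenge = 'Bearer realm="api"'
    if error:
        challenge += f', error="{error}"'
        if description:
            challenge += f', error_description="{description}"'
    return AuthResult(status=401, headers={"WWW-Authenticate": challenge})


def check_bearer(authorization, now=None, accept_expired=False, sessions=SESSIONS):
    """Validate an Authorization header against the session table.

    accept_expired=True reproduces the lax behaviour from the post (an expired
    token still works, so the client is never told to refresh). The default is
    the strict behaviour: 401 with error="invalid_token" once the lifetime
    granted at consent has elapsed.
    """
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return _unauthorized()
    token = authorization[len("Bearer "):].strip()
    session = sessions.get(token)
    if session is None:
        return _unauthorized("invalid_token", "unknown token")
    expired = now >= session["issued_at"] + session["expires_in"]
    if expired and not accept_expired:
        return _unauthorized("invalid_token", "token expired")
    # In lax mode the request is served, but the result is flagged so the
    # server can at least log which sessions are being used past expiry.
    return AuthResult(status=200, user=session["user"], stale=expired)


def stale_sessions(now=None, sessions=SESSIONS):
    """Tokens whose lifetime has elapsed. In lax mode this listing is the only
    way the server can see which sessions were never refreshed."""
    now = time.time() if now is None else now
    return sorted(t for t, s in sessions.items()
                  if now >= s["issued_at"] + s["expires_in"])


if __name__ == "__main__":
    t0 = 1_700_000_000
    print(check_bearer("Bearer tok-alice-1", now=t0 + 60))          # 200, alice
    print(check_bearer("Bearer tok-alice-1", now=t0 + 3600))        # 401 invalid_token
    print(check_bearer("Bearer tok-alice-1", now=t0 + 3600, accept_expired=True))  # 200, stale
    print(stale_sessions(now=t0 + 3600))
```

The strict branch is what lets the client side notice staleness at all: a `401` with `error="invalid_token"` is the documented trigger for a refresh-token request, whereas a `200` on an expired token (the lax branch) leaves the server unable to distinguish a live session from one whose consent lifetime has long passed.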