This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 46%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
The ADF Data Factory Xero connector runs successfully as a linked service for approx. 30 minutes, but then starts failing.
I am using the OAuth 2.0. config, and suspect it is to do with the refreshing of the token. Has anyone successfully used the ADF Xero connector with OAuth 2? If so, can you please provide some instruction on how?
I have followed the instructions at Xero for configuring OAuth 2 (links below), can confirm offline_access is scoped, and am obtaining the refresh token initially via Postman. I can also confirm that I am following the guidance at MS Docs (link below also).
Of particular interest is the statement at the MS Docs ADF Xero Connector page:
"
refreshToken | The OAuth 2.0 refresh token associated with the Xero application, used to refresh the access token when access token expires. Applicable for OAuth 2.0 authentication. Learn how to get the refresh token from this article.Refresh token will never expired. To get a refresh token, you must request the offline_access scope.Mark this field as a SecureString to store it securely in Data Factory, or reference a secret stored in Azure Key Vault.
"
The statement "Refresh token will never expired" appears to be incorrect, and at 30 minutes my token can no longer be utilised.
Example error is as follows:
{
"errorCode": "2200",
"message": "ErrorCode=UserErrorFailedToConnectOdbcSource,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=ERROR [HY000] [Microsoft][Xero] (61) API Connection Failed. Bad Request. HTTP Response code: 400\r\nERROR [HY000] [Microsoft][Xero] (61) API Connection Failed. Bad Request. HTTP Response code: 400,Source=Microsoft.DataTransfer.Runtime.GenericOdbcConnectors,''Type=System.Data.Odbc.OdbcException,Message=ERROR [HY000] [Microsoft][Xero] (61) API Connection Failed. Bad Request. HTTP Response code: 400\r\nERROR [HY000] [Microsoft][Xero] (61) API Connection Failed. Bad Request. HTTP Response code: 400,Source=,'",
"failureType": "UserError",
"target": "Copy Xero Projects",
"details": []
Xero OAuth 2.0: https://developer.xero.com/documentation/oauth2/auth-flow#:~:text=Refreshing%20access%20tokens&text=Your%20app%20can%20refresh%20an,during%20the%20initial%20user%20authorization.&text=Each%20time%20you%20perform%20a,token%20returned%20in%20the%20response.
Data Factory Xero Connector: https://learn.microsoft.com/en-us/azure/data-factory/connector-xero
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 9%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Hi @Sebastian ,
Welcome to Microsoft Q&A forum and sorry for your experience with ADF Xero connector.
As per my initial research, looks like an issue with driver which results in this behavior. I am reaching out to internal team to get more info about this and will keep you posted as soon as I have an update.
We appreciate your patience and thank you bringing this to our notice.
I have also noticed that you have opened a document feedback item as well. We have shared this with ADF team to enhance the document with necessary information.
Just sharing the GitHub issue here for reference: https://github.com/MicrosoftDocs/azure-docs/issues/63464
Thank you.
Hi @Sebastian ,
Just wanted to update you that we are still working with appropriate team to update the documentation accordingly to reflect this limitation with Xero connector.
Sorry the inconvenience and we appreciate your patience.
Thank you
Thanks @KranthiPakala-MSFT .
As an FYI, I have a better understanding now of the issue. Essentially, the Refresh Token issued by Xero does expire 30 minutes after it is used for the first time (new Refresh Tokens are issued with subsequent requests), which the Xero connector doesn't seem to handle. So the Xero connector needs to be able to update the refresh token it has saved when subsequent requests are made, and persist this until the next OAuth challenge, then update it again.
I have been able to work around this issue by leveraging Oauth token generation + REST call, and reading/writing the refresh token via an Azure Logic App. Will share more about this pattern when I have ironed out some kinks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello @KranthiPakala-MSFT
I am running into the same issue. Is this a bug or just a limitation of the the connector?
Kind regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 86%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKN%3C/text%3E%3C/svg%3E)
I've found a workaround:
thanks katy
Hi Katy
I am having the same issue. Would you mind providing some more information on your workaround please?
Kind regards
Of course. I'm a bit blown away that I got it to work!
My pipeline looks like this. My refresh key is stored as a secret in a key vault.
The authenticate step uses https://identity.xero.com/connect/token to get the refresh token for the next authenticate.
My extract calls the Xero connector
I got the first refresh token from a script that a colleague had used elsewhere.
The general principle is:
Authentication needs an authentication and refresh token, and gets the refresh key for the next extract
The extract needs the Consumer key , The private key, the tenant and a refresh token.
I can explain which token goes where if you need me to
Hi @Katy Nelson
Thank you so much, this really helps! I was looking at building an Azure Function to do it
Thanks again!
Kind regards
Strangely I can't see your comment but I was notified that you had posted about running the pipeline every 30 minutes.
The oauth2 model is complicated. It's messy outside of Azure too.
Our pipeline runs daily. our extract process takes under 30 minutes.
In the 'real world' (outside Azure) if your extract takes over 30 minutes you need to reauthenticate and get a new refresh token. I'm not sure how Azure handles this (because we are nowhere near this limit). Provided you always use the LAST refresh key, it stays active for over a week. (I went on holiday)
do come back to me if you need to.
katy
Hi @Katy Nelson
Thank you very much.
Think I should maybe try and explain what I am trying to do:
I did the initial auth in postman and got the keys setup and wanted to copy that into the KeyVault to get started, this way the pipeline only has to do the refresh (I might be missing something)
So I am getting stuck at step 2: I can't get it to post. It looks like the body only supports JSON, but I thought Xero requires FormData.
I might be missing something obvious, I am very new to this :D
Kind regards
So I found my mistake: I was trying to post the body of the request as JSON.
This post helped me specifically with the issue if anyone else is also running into this issue: https://www.alexvolok.com/2019/adfv2-rest-api-part1-oauth2/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 10%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAP%3C/text%3E%3C/svg%3E)
I spent all weekend trying to reproduce what you have done @Katy Nelson and @Anonymous and failed, you are smarter than me! After half a day I got your WebGetRefreshKey working by following it with a Set variable action.
Here is what I had in the WebGetRefreshKey fields for anyone else that is following:
URL: <secret identifier url found in key vault secret>?api-version=7.0
Method: GET
Headers: none used
Authentication: MSI
Resource: https://vault.azure.net
I set the local variable using Set Variable
Name: The name of your local variable
Value: activity('WebGetRefreshKey').output
@Katy Nelson or @Anonymous , I would be super appreciative if you could post what you have in the fields for the WebPostRefreshKey and ExtXeroInvoices. I have the later one working if I manually cut and paste the refresh key in, can you post how you use the variable within it (or the direct output of WebGetRefreshKey if that's what you use).
Many thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 41%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hi Katy, do you know if there is a tutorial on how to achieve this setup in Azure Data Factory? I am very new to this integration setup and struggling to get it right.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 60%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi Katy,
Sorry to drag this out of the depths of the internet, but I'm currently trying to achieve the same outcome as you, though I am running in to issues around the required format for the Authorization header.
Are you able to share with us the format of the web activity itself? Obviously blank out any sensitive information, but I'd love to validate what you got to work vs what I have now.
Thanks in advance!
Mark
Hi Jason,
Did you manage to make any progress? I'm struggling with the exact syntax for the 'RefreshToken' portion - that is, the specific header/body formatting.
Hi Mark,
I did not win. I managed to get a pipeline going with Xero's custom connection but its only available for Xero users based in UK, Australia, NZ (https://developer.xero.com/documentation/guides/oauth2/custom-connections/#purchasing-custom-connection-subscriptions).
Very sad that they won't roll it out to other countries as it makes things very simple.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 46%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Thank you so much for this Katy! Helped me heaps!
I'm still stuck on updating key vault with the new refresh token. what API call should i use to update key vault secret? Googling isn't helping me much :(.
Hiya,
Of course.
URL :https://<VAULTNAME>.vault.azure.net/secrets/<SecretName>?api-version=7.0
PUT
Body:@markus.bohland@hotmail.de ('{
"value":"', activity('WebXeroAuthenticate_Accounts').output.refresh_token,
'"}')
WebXeroAuthenticate_Accounts is the step before where I authenticate.
Does that make sense?
Hiya, Sorry I missed your comment. Are you still struggling?
My authorization Header looks like this:
@markus.bohland@hotmail.de ('Basic ', base64('<Client_ID>:<Client_Secret>'))
Hey Katy,
Thanks for your reply!
I managed to get this up and running a few months ago. I needed a 'Custom Connection' in Xero, otherwise I wasn't able to have Data Factory perform the access token refresh.
With a 'Custom Connection', you only need to grab a new refresh token, which can be fully automated through GET calls to Xero and then POST to Key Vault.
All in all an excellent learning process, if nothing else...
Hi @Anonymous , I can confirm this approach works. Thanks @Katy Nelson for the push in the right direction.
Zandre, getting the refresh token via Postman was pretty straight forward (https://developer.xero.com/documentation/tools/postman).
Hi @Sebastian
Yes I have been using Postman to refresh my tokens manually every time I needed the pipeline to run.
Thanks for the pointers, really appreciate it!
Kind regards
Now I'm in awe of you, I could NOT get this to work AT ALL!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 59%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAW%3C/text%3E%3C/svg%3E)
Hi @Katy Nelson
Thanks for this post, I have run into the same problem, your response has got me a long way. I have a question about the step in your pipeline, WebPostRefreshKey. Are you saving the new refresh token back into the Azure Key Vault, it does not seem to be an option to update an existing value, only to create a new version. Can you please expand on what is being done in this web component?
Many thanks for your help
Regards
Alan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 59%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Hey Alan,
I'm not Katy, but hope this help mate. That's right, you can only create a new version, but on the pipeline you can set your web call to only read the latest version of keyVault secret. It does mean you can end-up with a bunch of versions of the keyVault secret.
Cheers
Thanks @maha kepakisan that confirms my thinking. I will progress with that in mind.
Cheers