trycompai · tofikwest · Jun 3, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 2, 2026
diff --git a/apps/api/src/cloud-security/azure-remediation.service.ts b/apps/api/src/cloud-security/azure-remediation.service.ts
@@ -643,9 +643,12 @@ export class AzureRemediationService {
           connectionId,
           {
             tokenUrl: oauthConfig.tokenUrl,
+            refreshUrl: oauthConfig.refreshUrl,
             clientId: oauthCreds.clientId,
             clientSecret: oauthCreds.clientSecret,
             clientAuthMethod: oauthConfig.clientAuthMethod,
+            scope: oauthCreds.scopes.join(' '),
+            tokenParams: oauthConfig.tokenParams,
           },
         );
         if (token) return token;

diff --git a/apps/api/src/cloud-security/cloud-security.service.ts b/apps/api/src/cloud-security/cloud-security.service.ts
@@ -113,9 +113,12 @@ export class CloudSecurityService {
         const accessToken =
           await this.credentialVaultService.getValidAccessToken(connectionId, {
             tokenUrl: oauthConfig.tokenUrl,
+            refreshUrl: oauthConfig.refreshUrl,
             clientId: oauthCreds.clientId,
             clientSecret: oauthCreds.clientSecret,
             clientAuthMethod: oauthConfig.clientAuthMethod,
+            scope: oauthCreds.scopes.join(' '),
+            tokenParams: oauthConfig.tokenParams,
           });
 
         if (!accessToken) {

diff --git a/apps/api/src/cloud-security/gcp-remediation.service.ts b/apps/api/src/cloud-security/gcp-remediation.service.ts
@@ -677,9 +677,12 @@ export class GcpRemediationService {
           connectionId,
           {
             tokenUrl: oauthConfig.tokenUrl,
+            refreshUrl: oauthConfig.refreshUrl,
             clientId: oauthCreds.clientId,
             clientSecret: oauthCreds.clientSecret,
             clientAuthMethod: oauthConfig.clientAuthMethod,
+            scope: oauthCreds.scopes.join(' '),
+            tokenParams: oauthConfig.tokenParams,
           },
         );
         if (token) return token;

diff --git a/apps/api/src/integration-platform/controllers/checks.controller.ts b/apps/api/src/integration-platform/controllers/checks.controller.ts
@@ -30,9 +30,10 @@ import {
 import { ConnectionRepository } from '../repositories/connection.repository';
 import { ConnectionService } from '../services/connection.service';
 import { CredentialVaultService } from '../services/credential-vault.service';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
 import { ProviderRepository } from '../repositories/provider.repository';
 import { CheckRunRepository } from '../repositories/check-run.repository';
-import { getStringValue, toStringCredentials } from '../utils/credential-utils';
+import { getStringValue } from '../utils/credential-utils';
 
 // Class (not interface) so @nestjs/swagger emits a body schema, plus a
 // class-validator decorator so the ValidationPipe whitelist accepts the field.
@@ -67,6 +68,7 @@ export class ChecksController {
     private readonly connectionRepository: ConnectionRepository,
     private readonly providerRepository: ProviderRepository,
     private readonly credentialVaultService: CredentialVaultService,
+    private readonly oauthCredentialsService: OAuthCredentialsService,
     private readonly checkRunRepository: CheckRunRepository,
     private readonly connectionService: ConnectionService,
   ) {}
@@ -247,6 +249,48 @@ export class ChecksController {
       `Running checks for connection ${connectionId} (${provider.slug})${body.checkId ? ` - check: ${body.checkId}` : ''}`,
     );
 
+    let accessToken = getStringValue(credentials.access_token);
+    let onTokenRefresh: (() => Promise<string | null>) | undefined;
+    if (manifest.auth.type === 'oauth2') {
+      const oauthConfig = manifest.auth.config;
+      const supportsRefresh = oauthConfig.supportsRefreshToken !== false;
+
+      if (supportsRefresh) {
+        const oauthCredentials =
+          await this.oauthCredentialsService.getCredentials(
+            provider.slug,
+            organizationId,
+          );
+
+        if (oauthCredentials) {
+          const refreshConfig = {
+            tokenUrl: oauthConfig.tokenUrl,
+            refreshUrl: oauthConfig.refreshUrl,
+            clientId: oauthCredentials.clientId,
+            clientSecret: oauthCredentials.clientSecret,
+            clientAuthMethod: oauthConfig.clientAuthMethod,
+            scope: oauthCredentials.scopes.join(' '),
+            tokenParams: oauthConfig.tokenParams,
+          };
+
+          const validAccessToken =
+            await this.credentialVaultService.getValidAccessToken(
+              connectionId,
+              refreshConfig,
+            );
+          if (validAccessToken) {
+            accessToken = validAccessToken;
+          }
+
+          onTokenRefresh = () =>
+            this.credentialVaultService.refreshOAuthTokens(
+              connectionId,
+              refreshConfig,
+            );
+        }
+      }
+    }
+
     // Create a check run record
     const checkRun = await this.checkRunRepository.create({
       connectionId,
@@ -256,16 +300,18 @@ export class ChecksController {
 
     try {
       // Run checks
-      const accessToken = getStringValue(credentials.access_token);
-      const stringCredentials = toStringCredentials(credentials);
       const result = await runAllChecks({
         manifest,
         accessToken,
-        credentials: stringCredentials,
+        // Pass decrypted credentials through unchanged. Collapsing array fields
+        // here (e.g. AWS `regions`) made custom-auth checks see no regions and
+        // skip with "connection not configured".
+        credentials,
         variables,
         connectionId,
         organizationId: connection.organizationId,
         checkId: body.checkId,
+        onTokenRefresh,
         logger: {
           info: (msg, data) => this.logger.log(msg, data),
           warn: (msg, data) => this.logger.warn(msg, data),