
Not able to get new refresh token from azure AD with grant type refresh_token called with old refresh token

I am using Azure Service management API and OAuth API for generating Access token. But while making the call for grant type "refresh_token", to refresh access token it returns new access token but that response does not have new refresh token. So I have to use old refresh token for refreshing access token. And the problem is after 5-6 hours, refreshing token returns error invalid_client (Error validating credentials. Invalid client secret is provided). In other cases like Office 365 app authentication via Azure AD it returns everything.

Is there any specific parameter or header that I have to pass with the API call?

Below is the screenshot of my code


Please help.

Thanks in advance

If you use the v2 endpoint, scopes are requested dynamically and a refresh token must be requested using the "offline_access" scope. This is very different from the v1 model, where scopes are pre-registered with the app registration and a refresh token is always returned without an explicit scope. If you're using v1 and you don't get a refresh token, it might be due to a restricted security policy about refresh tokens by your ADFS provider, which is not sending back a refresh token to the API calling the OAuth authentication and authorization.

This is a security enhancement/block to prevent your application from holding a refresh token that can live forever (if refreshed).

So if you can use the v2 endpoint, use the offline_access scope. Otherwise check security policies with your ADFS provider.

I ran into the same problem as you and gathered most of the information that helped to answer this question from here: https://stackoverflow.com/a/44813531/4446128
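As an added illustration of the two points in this answer (request offline_access on the v2 endpoint, and cope with a refresh response that carries no new refresh token), here is example code that is not part of the question or answer above. It builds the v2 refresh_token request body and updates a stored token pair from the token response; the tenant, client id, secret, token strings and JSON responses are constructed placeholders, and nothing here touches the network.

```python
"""Refresh-token handling for the Azure AD v2 token endpoint (added example)."""
import json
from urllib.parse import urlencode

# v2 token endpoint; {tenant} is filled in by the caller (placeholder values in tests).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_refresh_request(tenant, client_id, client_secret, refresh_token, scopes):
    """Return (url, form_body) for a refresh_token grant against the v2 endpoint.

    The v2 endpoint only issues a refresh token when 'offline_access' is among the
    requested scopes, so it is appended if the caller left it out.
    """
    scope_list = list(dict.fromkeys(list(scopes) + ["offline_access"]))
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": " ".join(scope_list),
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(body)


def apply_token_response(stored, response_json):
    """Merge a token endpoint response into the stored {access_token, refresh_token}.

    RFC 6749 section 6 lets the server omit refresh_token from a refresh response;
    when that happens the old refresh token remains valid and must be kept, which
    is exactly the situation described in the question. An OAuth error object
    (e.g. invalid_client) is raised so the caller can tell it apart from success.
    """
    data = json.loads(response_json)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    updated = dict(stored)
    updated["access_token"] = data["access_token"]
    updated["refresh_token"] = data.get("refresh_token", stored["refresh_token"])
    updated["rotated"] = "refresh_token" in data  # True only if a new one arrived
    return updated


# Constructed sample responses (not real tokens).
RESPONSE_ROTATED = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                               "access_token": "AT2", "refresh_token": "RT2"})
RESPONSE_NOT_ROTATED = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                   "access_token": "AT2"})
RESPONSE_ERROR = json.dumps({"error": "invalid_client", "error_description":
                             "Error validating credentials. Invalid client secret is provided."})
```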
