
When can MSAL refresh a token?

According to this site, "AcquireTokenSilent is capable... of refreshing a token when it's getting close to expiration (as the token cache also contains a refresh token)" which is great, but what are the restrictions on when MSAL is allowed to refresh a token?

This Stack Overflow question implies that sometimes the server sends a special refresh token, but when I call App.PCA.AcquireToken...() it returns an object of type AuthenticationResult which doesn't have any members named anything like Refresh (in our Xamarin/C# app), so it doesn't seem like there is actually a separate token only used to figure out refreshing?

Does AcquireTokenSilent() require Internet access? Does it always check in with the server?

AcquireTokenSilent will search for an access token in the token cache for the current account. If it's not found, it will throw an MsalUiRequiredException:

  • If such an access token is found and it's not close to expiration, it will return this access token (part of the AuthenticationResult). This does not require Internet access.
  • If such an access token is found but it's expired or close to expiration, AcquireTokenSilent will use the refresh token associated with the account in the token cache (and not surfaced through the API), get a new access token and refresh token, store them in the cache, and return the access token. This scenario does require an Internet connection.

There are subtle cases where, while refreshing the token, the Microsoft identity platform will decide that MFA is needed, or some kind of interaction, and in that case AcquireTokenSilent may also throw an MsalUiRequiredException. See https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-handling-exceptions#msaluirequiredexception for details.
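
The flow described in the answer above, as an added example that is not part of the original answer or of MSAL's own samples. `TokenHelper` and `GetTokenAsync` are hypothetical names, and `pca` is assumed to be the app's already-built `IPublicClientApplication` (the `App.PCA` from the question).

```csharp
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenHelper // hypothetical helper, not an MSAL type
{
    public static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication pca, string[] scopes)
    {
        // Accounts known to the token cache; null if nobody has signed in yet.
        var accounts = await pca.GetAccountsAsync();
        IAccount account = accounts.FirstOrDefault();

        try
        {
            // Valid cached access token: returned without any network call.
            // Expired or near expiry: MSAL redeems the cached refresh token,
            // which needs connectivity. The refresh token itself is never
            // exposed on AuthenticationResult.
            AuthenticationResult result =
                await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();

            // TokenSource reports which path was taken (Cache or
            // IdentityProvider). Log metadata only, never the token value.
            Debug.WriteLine(
                $"Token source: {result.AuthenticationResultMetadata.TokenSource}, " +
                $"expires: {result.ExpiresOn:u}");
            return result;
        }
        catch (MsalUiRequiredException ex)
        {
            // Nothing usable in the cache, or the identity platform demanded
            // interaction (for example MFA) while the token was being refreshed.
            Debug.WriteLine($"Interaction required: {ex.ErrorCode}");

            // Platform-specific setup (such as the parent activity on
            // Android) is omitted here.
            return await pca.AcquireTokenInteractive(scopes)
                            .WithAccount(account)
                            .ExecuteAsync();
        }
        // Any other exception, such as a failed network call during refresh,
        // propagates to the caller instead of triggering a sign-in prompt.
    }
}
```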
