I'm having a really hard time understanding what's going on. My SPA keeps getting a refresh_token even though I don't request it, and the permissions on Azure have no offline_access.
What can I do to NOT get refresh_token?
https://login.microsoftonline.com/........./oauth2/v2.0/authorize?client_id=........&redirect_uri=........&response_type=code&scope=openid%20profile%20email%20User.Read&state=......&code_challenge=........&code_challenge_method=S256&response_mode=query
It is a known issue when using the Azure AD v2.0 endpoint; related post here.
Also mentioned in offline_access:

This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the implicit flow). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected.
But this does not affect the fact that you don't want to get the refresh token: what you used is the auth code flow v2.0, so just don't include offline_access when requesting the token, and then the refresh token will not be returned.

Or, if you really don't want the app to let you consent to this permission, just use the auth code flow v1.0; then, if you don't include offline_access when you request the code, it will not let you consent to the offline_access permission.