
Azure AD provides a refresh_token even though I don't request it and the permissions don't include offline_access

I'm having a really hard time understanding what's going on. My SPA keeps getting a refresh_token even though I don't request it and the permissions on Azure have no offline_access.

What can I do to NOT get a refresh_token?

My request URL (notice that no offline_access is requested):

https://login.microsoftonline.com/........./oauth2/v2.0/authorize?client_id=........&redirect_uri=........&response_type=code&scope=openid%20profile%20email%20User.Read&state=......&code_challenge=........&code_challenge_method=S256&response_mode=query

Permissions on Azure (no offline_access):


Consent screen (asks the user to grant the offline access permission):


Result: I have a refresh_token, and having a refresh token on the client is not a good idea.


It is a known issue when using the Azure AD v2.0 endpoint; related post here.

Also mentioned under offline_access:

This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the implicit flow). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected.

But this does not affect your goal of not getting the refresh token. What you used is the auth code flow v2.0; just don't include offline_access when requesting the token, and the refresh token will not be returned.

Or, if you really don't want the app to make you consent to this permission, just use the auth code flow v1.0; then, if you don't include offline_access when you request the code, it will not ask you to consent to the offline_access permission.
