
Are there any plans to expose the refresh_token for confidential client authorization_code grant flows?


Core Library: MSAL Node (@azure/msal-node)

Wrapper Library: Not Applicable

Description

We are currently migrating from the AAD V1 endpoint to the Identity V2 endpoint using MSAL Node. We just noticed that the confidential client acquireTokenByCode method does not return the refresh_token in the result. This becomes an issue for us since we have multiple instances of our service running on different machines which will have a different cache. Hence when we attempt to acquire a token silently it’s not guaranteed that we will use the cached refresh token and potentially prompt the user to re-authenticate.

I read on the FAQ that in fact it is not exposed.

Is there anything we can do to avoid multiple authentication requests for our end users? Can we have the refresh_token exposed? We would love to use the MSAL-Node library instead of the Identity V2 Rest APIs directly.

Source: Internal (Microsoft)

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

1 reaction
derisen commented, Aug 1, 2022

This is supported as of msal-node@1.12.0 (msal-common@7.2.0). @r-delgadillo you’ll need to set the forceCache property to true in the initial token request, e.g.:

const tokenResponse = await cca.acquireTokenByRefreshToken({
    refreshToken: "raw-refresh-token-string",
    scopes: ['https://graph.microsoft.com/.default'],
    forceCache: true,
});

Please see the refresh-token sample for an illustration.

1 reaction
derisen commented, Jun 7, 2022

So if you are using a cache plugin to persist the cache, you could access the refresh token entry there. The cache template looks like this. But if you were to read it from in-memory cache, you could access it via getTokenCache:

const cache = confidentialClientApplication.getTokenCache();
const kvStore = cache.getKVStore();

Then query kvStore for that user’s refresh tokens using the scheme <homeAccountId-authority-refreshtoken-clientId> as key.

@sameerag to consider offering a convenience method.
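As an added worked example of the KV-store lookup derisen describes above (not code from the issue thread or the MSAL project), this locates one user's refresh-token entries using the comment's key scheme, <homeAccountId-authority-refreshtoken-clientId>; the store contents, entry field names and all IDs are constructed assumptions for illustration.

```javascript
// Constructed sample store standing in for cache.getKVStore(): keys are lowercased,
// hyphen-joined; values mirror assumed cache entity fields (homeAccountId,
// environment, credentialType, clientId, secret). IDs and secrets are made up.
const CLIENT_ID = "11111111-2222-3333-4444-555555555555";
const SAMPLE_KV_STORE = {
  [`uid1.tid1-login.windows.net-refreshtoken-${CLIENT_ID}----`]: {
    homeAccountId: "uid1.tid1", environment: "login.windows.net",
    credentialType: "RefreshToken", clientId: CLIENT_ID, secret: "rt-secret-user1",
  },
  [`uid1.tid1-login.windows.net-accesstoken-${CLIENT_ID}-tid1-user.read`]: {
    homeAccountId: "uid1.tid1", environment: "login.windows.net",
    credentialType: "AccessToken", clientId: CLIENT_ID, secret: "at-secret-user1",
  },
  [`uid2.tid1-login.windows.net-refreshtoken-${CLIENT_ID}----`]: {
    homeAccountId: "uid2.tid1", environment: "login.windows.net",
    credentialType: "RefreshToken", clientId: CLIENT_ID, secret: "rt-secret-user2",
  },
};

// Return the refresh-token entries for one account and client. Key segments can
// themselves contain hyphens (client IDs are GUIDs), so a naive split on "-" is
// unreliable: pre-filter on the lowercased key prefix and credential-type segment,
// then confirm against the entry's own fields, which is the authoritative check.
function findRefreshTokens(kvStore, homeAccountId, clientId) {
  const account = homeAccountId.toLowerCase();
  const client = clientId.toLowerCase();
  return Object.entries(kvStore)
    .filter(([key]) => key.startsWith(`${account}-`) && key.includes("-refreshtoken-"))
    .map(([key, entry]) => ({ key, entry }))
    .filter(({ entry }) =>
      entry.credentialType === "RefreshToken" &&
      entry.homeAccountId.toLowerCase() === account &&
      entry.clientId.toLowerCase() === client);
}

// Refresh tokens are long-lived bearer secrets: when logging which entry was
// selected, emit the cache key and a short fingerprint, never the secret itself.
function describeEntry(hit) {
  const s = hit.entry.secret;
  return `${hit.key} (secret: ${s.slice(0, 2)}...${s.slice(-2)}, ${s.length} chars)`;
}
```

When a persisted cache plugin is in use instead, the same matching applies to the deserialized RefreshToken section of the cache file rather than the in-memory store.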

