No refresh token in acquireTokenOnBehalfOf response


Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.12.1

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

I’m working on a Teams app and integrating Graph API into some of the server side operations.

I first use the Teams SDK to request a token with the required scopes on the app client with an explicit consent dialog.

I then serve that token to the server side and use the MSAL Node OBO exchange acquireTokenOnBehalfOf to get the relevant Graph API token and then encrypt and store it in the DB. I noticed that these tokens have an expiry of 1 hour, and I don’t get a refresh token to renew them.

This is a problem because acquiring Graph API related scopes using the Teams SDK requires an explicit consent dialog, and I can’t display that to my users every 24 hours.

MSAL Configuration

No response

Relevant Code Snippets

No response

Identity Provider

Azure AD / MSA

Source

External (Customer)

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

bgavrilMS commented, Sep 6, 2022 (1 reaction)

OBO flow is for web APIs, so it is expected that there is no UI / invisible iframe or anything like that. See token caching https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/caching.md - it shows how to persist the “whole” cache. If you don’t persist it, MSAL will store it in memory.

MSAL js does not have documentation around distributed token caching yet, which I think is what you’d want here.

Recommendation for a service at scale would be to not rely on token caching right now for OBO. Just cache the access token if you need to make multiple calls to Graph API. If the token is close to expiry or does not exist, invoke acquireTokenOnBehalfOf [again].
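The recommendation above (keep only the access token, and call acquireTokenOnBehalfOf again when it is missing or close to expiry) can be sketched as follows; this is an added example, not code from the issue or from MSAL. The names `createOboTokenCache`, `getGraphToken` and the 5-minute skew are assumptions, and `cca` stands for any object exposing `acquireTokenOnBehalfOf({ oboAssertion, scopes })`, such as an MSAL Node `ConfidentialClientApplication`.

```javascript
// Added example: in-memory access-token cache around the OBO exchange.
const crypto = require("node:crypto");

const EXPIRY_SKEW_MS = 5 * 60 * 1000; // assumption: within 5 min of expiry counts as stale

// Key on a hash of the incoming user assertion plus the sorted scopes, so the
// raw assertion is never held as a map key and two users never share an entry.
function cacheKey(oboAssertion, scopes) {
  const digest = crypto.createHash("sha256").update(oboAssertion).digest("hex");
  return `${digest}|${[...scopes].sort().join(" ")}`;
}

function isFresh(entry, now = Date.now()) {
  return Boolean(entry) && entry.expiresOn - now > EXPIRY_SKEW_MS;
}

// Tokens live in process memory only; nothing here writes them to disk or logs.
// `now` is injectable so expiry handling can be exercised deterministically.
function createOboTokenCache(cca) {
  const entries = new Map();  // key -> { accessToken, expiresOn (epoch ms) }
  const inFlight = new Map(); // key -> Promise, collapses concurrent misses

  return async function getGraphToken(oboAssertion, scopes, now = Date.now()) {
    const key = cacheKey(oboAssertion, scopes);
    const cached = entries.get(key);
    if (isFresh(cached, now)) return cached.accessToken;
    // Miss: drop every stale entry so expired tokens do not accumulate.
    for (const [k, e] of entries) if (!isFresh(e, now)) entries.delete(k);

    if (!inFlight.has(key)) {
      const pending = cca.acquireTokenOnBehalfOf({ oboAssertion, scopes })
        .then((result) => {
          if (!result || !result.accessToken || !result.expiresOn) {
            throw new Error("OBO exchange returned no usable access token");
          }
          const expiresOn = result.expiresOn.getTime();
          entries.set(key, { accessToken: result.accessToken, expiresOn });
          return result.accessToken;
        })
        .finally(() => inFlight.delete(key));
      inFlight.set(key, pending);
    }
    return inFlight.get(key);
  };
}
```

Once the incoming user assertion itself has expired, the exchange fails and the client has to supply a fresh assertion; the cache does not change that.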

