Jeff

Reputation: 36583

Refresh with Bearer Token in Azure AD

I have a web application that passes a Bearer token to a Web API application. That application then queues up a report to be run. Depending on how long the queue is, it may take 10 seconds or more than an hour until that report starts processing. That report needs to access other REST resources that are also secured using Azure AD OAuth.

So the flow is

Web Client --- Bearer Token ---> Web API ---> Queue ---> Report Processor  ---> 
Token Acquired With Client Secret with UserAssertion ---> REST Data Source

Since the original Bearer token expires in 60 minutes, I need to be able to refresh the user's Bearer token at the actual time of report generation. Should I have the Web Client also pass along the actual Refresh Token when it requests to run a report?

Upvotes: 2

Views: 572

Answers (1)

vibronet

Reputation: 7394

Refresh tokens should not be sent anywhere outside of the normal refresh flows. I would recommend using the incoming token as soon as you receive it to trigger an on-behalf-of flow (which is what I assume you are referring to as the UserAssertion flow). That will get you a new access token for your backend AND a refresh token. The refresh token lasts 14 days: when you pick up the request from the queue, the refresh token will allow you to get a new access token.

Using your notation, you would have

Web Client --- Bearer Token ---> Web API ---> Token Acquired With Client Secret with UserAssertion ---> Queue ---> Report Processor  ---> 
Token Acquired With refresh token grant ---> REST Data Source

If you can't do ANY processing upon receiving requests and before pushing in the queue, the alternative is using application permissions - that will allow you to get a token for your backend at any time.

Upvotes: 2
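The flow in the answer above, as an added example in Python (not code from the question or the answer): the Web API performs the on-behalf-of exchange before queueing, the queue message carries only the resulting refresh token, and the report processor redeems it when the job finally runs. Parameter names follow the Azure AD v2.0 token endpoint; the tenant, client and scope values are placeholders, and `transport` is an assumed injectable callable `(url, body) -> dict` so the block runs without a network.

```python
# Added example, not from the question or answer. Web API: on-behalf-of
# exchange of the caller's bearer token, then queue only the refresh token.
# Processor: redeem that refresh token for a fresh access token at run time.
# TENANT/CLIENT/scope values are placeholders; transport is injectable.
import urllib.parse

TENANT = "TENANT_ID_PLACEHOLDER"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
# offline_access is what makes the OBO response include a refresh token.
DATA_SCOPE = "api://data-source-placeholder/.default offline_access"


def _post_form(fields, transport):
    """Form-encode the grant parameters and POST them to the token endpoint."""
    return transport(TOKEN_URL, urllib.parse.urlencode(fields).encode())


def obo_exchange(incoming_bearer, transport):
    """Web API step: trade the user's access token for data-source tokens."""
    return _post_form({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "assertion": incoming_bearer, "scope": DATA_SCOPE,
        "requested_token_use": "on_behalf_of"}, transport)


def redeem_refresh_token(refresh_token, transport):
    """Processor step: a fresh access token no matter how long the job waited."""
    return _post_form({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "refresh_token": refresh_token, "scope": DATA_SCOPE}, transport)


def enqueue_report(incoming_bearer, transport):
    """Queue message keeps the refresh token, never the user's original bearer token."""
    tokens = obo_exchange(incoming_bearer, transport)
    # The refresh token is a long-lived credential: the queue store must be protected.
    return {"report": "monthly-summary", "refresh_token": tokens["refresh_token"]}


def process_report(job, transport):
    """Dequeue: redeem the stored refresh token; the result goes to the REST data source."""
    return redeem_refresh_token(job["refresh_token"], transport)["access_token"]
```

A real `transport` POSTs `body` to `url` and returns the decoded JSON reply; any callable with that shape, including an offline stub, works.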
