RAJDEV SINGH JASROTIA

Reputation: 11

Azure AD Adal4j token received after refresh token is not a signed JWT

I am developing an authentication service for my web-based Java application using the Azure AD OpenID Connect framework. I am referring to adal4j-1.2.0.jar. The authentication is happening as per the expected behavior. I am getting the JWT claims and am able to validate them.

But when the 60-minute session timeout occurs and I try to get new token claims using the refresh token, the new tokens are not signed JWTs. They are plain JWTs.

I am using the call below to acquire a token using my initial refresh token, which I am caching.

acquireTokenByRefreshToken(refreshToken, credential, null, null)

For validation of the token, I am using the code below:

IDTokenValidator validator = new IDTokenValidator(issuer, clientID, jwsAlgorithm, jwkSetURL);
validator.validate(idToken, expectedNonce); // this line throws BadJWTException: "Signed ID token expected"

Can anyone help me understand how I can redeem the refresh token to get new signed tokens? Or, after redeeming the refresh token, are the new tokens always plain JWTs?

Upvotes: 1

Views: 618

Answers (2)

Jay Gong

Reputation: 23782

You could refer to the official doc to acquire access token and refresh token by code grant flow.

Actually, methods in adal4j are implemented via the HTTP REST API, so you could refer to the code below to request the AuthorizationCode.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// Values the snippet references but does not declare; fill in from the app registration.
static String clientId = "<client-id>";
static String tenantId = "<tenant-id>";
static String responseType = "code";

public static void getAuthorizationCode() throws IOException {

    String encoding = "UTF-8";
    String params = "client_id=" + clientId
            + "&response_type=" + responseType
            + "&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F"
            + "&response_mode=query"
            + "&resource=https%3A%2F%2Fgraph.windows.net"
            + "&state=12345";
    String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/authorize";
    byte[] data = params.getBytes(encoding);
    URL url = new URL(path);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    conn.setRequestProperty("Content-Length", String.valueOf(data.length));
    conn.setConnectTimeout(5 * 1000);
    OutputStream outStream = conn.getOutputStream();
    outStream.write(data);
    outStream.flush();
    outStream.close();
    System.out.println(conn.getResponseCode());
    System.out.println(conn.getResponseMessage());

    // Read the error stream on a non-200 status, the normal body otherwise; always close the reader.
    BufferedReader br = null;
    try {
        if (conn.getResponseCode() != 200) {
            br = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
        } else {
            br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        }
        System.out.println("Response body : " + br.readLine());
    } finally {
        if (br != null) {
            br.close();
        }
    }
}

Then you could get an access token using the AuthorizationCode you got, and get a refresh code using the code below.

// Uses the same imports and clientId/tenantId fields as getAuthorizationCode() above.
public static void getToken(String refreshToken) throws IOException {

    String encoding = "UTF-8";
    String params = "client_id=" + clientId + "&refresh_token=" + refreshToken
            + "&grant_type=refresh_token&resource=https%3A%2F%2Fgraph.windows.net";
    String path = "https://login.microsoftonline.com/" + tenantId + "/oauth2/token";
    byte[] data = params.getBytes(encoding);
    URL url = new URL(path);
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    conn.setRequestProperty("Content-Length", String.valueOf(data.length));
    conn.setConnectTimeout(5 * 1000);
    OutputStream outStream = conn.getOutputStream();
    outStream.write(data);
    outStream.flush();
    outStream.close();
    System.out.println(conn.getResponseCode());
    System.out.println(conn.getResponseMessage());

    // The token endpoint returns a JSON body containing access_token, refresh_token and (if issued) id_token.
    BufferedReader br = null;
    try {
        if (conn.getResponseCode() != 200) {
            br = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
        } else {
            br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        }
        System.out.println("Response body : " + br.readLine());
    } finally {
        if (br != null) {
            br.close();
        }
    }
}

Hope it helps you.

Upvotes: 0
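Combining the refresh-token call from the question with the validator it uses, as an added example that is not code from either poster or from adal4j: redeem the cached refresh token through adal4j, then refuse to accept any id_token that is not a signed JWS before handing it to Nimbus's IDTokenValidator, so an unsigned (plain) token never becomes a trusted session. The tenant, client, issuer and JWKS values are placeholders.

```java
import java.net.URL;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;

public class RefreshAndValidate {
    // Placeholders: take the real values from the app registration and the tenant's
    // OpenID discovery document (issuer and jwks_uri), not from this example.
    static final String TENANT = "<tenant-id>";
    static final String CLIENT_ID = "<client-id>";
    static final String CLIENT_SECRET = "<client-secret>";
    static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT + "/";
    static final String RESOURCE = "https://graph.windows.net";
    static final String ISSUER = "<issuer-from-discovery-document>";

    // Redeems the cached refresh token; returns the raw id_token string, which may be null.
    static String refreshIdToken(String refreshToken) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            AuthenticationContext ctx = new AuthenticationContext(AUTHORITY, true, pool);
            Future<AuthenticationResult> f = ctx.acquireTokenByRefreshToken(
                    refreshToken, new ClientCredential(CLIENT_ID, CLIENT_SECRET), RESOURCE, null);
            return f.get().getIdToken();
        } finally {
            pool.shutdown();
        }
    }

    // Accepts only a JWS: a missing id_token or a PlainJWT carries no verifiable identity
    // claims, so the caller must send the user back through the authorization endpoint.
    static IDTokenClaimsSet validateSignedOnly(String rawIdToken, Nonce expectedNonce,
                                              URL jwkSetUrl) throws Exception {
        if (rawIdToken == null) throw new IllegalStateException("no id_token in refresh response");
        JWT jwt = JWTParser.parse(rawIdToken);
        if (!(jwt instanceof SignedJWT)) throw new IllegalStateException("unsigned id_token; re-authenticate");
        IDTokenValidator validator = new IDTokenValidator(
                new Issuer(ISSUER), new ClientID(CLIENT_ID), JWSAlgorithm.RS256, jwkSetUrl);
        return validator.validate(jwt, expectedNonce); // verifies signature, iss, aud, exp and nonce
    }
}
```

Checking `instanceof SignedJWT` before calling the validator turns the BadJWTException from the question into an explicit re-authentication path instead of an unexpected failure; the access token and refresh token from the same AuthenticationResult can still be used for resource calls.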

A_____

Reputation: 362

I believe you are using the implicit grant flow to get the token. You are getting the token from the authorization endpoint. In this flow, you will not get a refresh token. Either you need to get a new token after the session expires, or create a hidden frame which can get a token before the session expires.

Upvotes: 1
