Reputation: 488
I created an app on https://apps.dev.microsoft.com
with the following Application Permissions:
Calendars.Read (Admin Only)
Calendars.ReadWrite (Admin Only)
User.Read.All (Admin Only)
The following is the only flow that has worked for me to be able to subscribe to notifications of another user, on another tenant, as described here
Admin Consent
Admin consent was then successfully granted via this URL
https://login.microsoftonline.com/common/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
Get access token
An access token was then obtained from
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
with headers
Content-Type=application/x-www-form-urlencoded
with {tenant} being the value of tenant returned in the callback URL,
and body with key-value pairs
grant_type=client_credentials
client_id=bbb35336-faee-4c10-84b4-34136634db41
client_secret=xxx
scope=https://graph.microsoft.com/.default
This returns an access token, but not a refresh token.
I think this might be because offline_access isn't requested.
How can I get a refresh token?
Upvotes: 14
Views: 6369
Reputation: 141
I had the same issue. I had not used the offline_access scope in the authorization request.
GET /{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=https://graph.microsoft.com/.default offline_access
&state=12345
Upvotes: 2
Reputation: 33926
If you want to get the refresh_token, which is a long-term token, you can append the offline_access to your scopes.
Alternatively, you can also use the basic on scope, as it contains the offline_access.
Upvotes: 1
Reputation: 33094
You're partially correct: you will only receive a refresh_token if you request the offline_access scope and you are using the authorization_code grant flow.
Refresh tokens are not available when using the implicit grant and are unnecessary when using the client_credentials grant. When using client_credentials there isn't a user authenticated and therefore there isn't a need to "refresh" a token, since you can simply request a new token when needed.
Upvotes: 22
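As an added example (not code from any poster in this thread), here is a small client-credentials helper that sends the token POST from the question and, instead of relying on a refresh token, simply requests a new access token shortly before the cached one expires, as the answer above describes. The tenant id, client id and secret are placeholders, and `post` and `now` are injectable so the logic can be exercised offline.

```python
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://graph.microsoft.com/.default"  # app-only scope used in the question


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form body) for the client_credentials POST shown in the question."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return TOKEN_URL.format(tenant=tenant), body


def http_post_form(url, body):
    """Real transport: POST the form body and decode the JSON response (errors included)."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as e:  # AAD returns a JSON error body with a 4xx status
        return json.load(e)


class AppTokenCache:
    """Holds one app-only access token and asks for a new one shortly before it expires.
    No refresh token is involved: the client secret plus the still-valid admin consent
    is all that is needed to get a fresh token. `post`/`now` are injectable for testing."""

    def __init__(self, tenant, client_id, client_secret,
                 post=http_post_form, now=time.time, skew_seconds=300):
        self.url, self.body = build_token_request(tenant, client_id, client_secret)
        self.post, self.now, self.skew = post, now, skew_seconds
        self.token, self.expires_at = None, 0.0

    def get_token(self):
        # Reuse the cached token while it stays valid for more than `skew` seconds.
        if self.token and self.now() < self.expires_at - self.skew:
            return self.token
        resp = self.post(self.url, self.body)
        if "error" in resp:  # e.g. revoked consent or bad secret: surface it, never cache it
            raise RuntimeError(f"token request failed: {resp['error']}")
        self.token = resp["access_token"]
        self.expires_at = self.now() + int(resp["expires_in"])
        return self.token
```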
Reputation: 488
A refresh_token isn't needed.
As long as the admin consent has not been revoked, a new access_token can be requested when needed.
Upvotes: 0