gkb

Reputation: 1459

Not Getting a refresh_token

This is in continuation with my other question.

I had to finally get the user in question the admin role and then I created a new application registration at https://apps.dev.microsoft.com/

The application was granted admin consent by hitting https://login.microsoftonline.com/common/adminconsent?.. endpoint with the required parameters.

Everything works fine and I was even able to create the outlook mail subscription for this user.

The issue, though, is that the endpoint https://login.microsoftonline.com/common/oauth2/v2.0/token is not giving me the refresh_token. I tried including offline_access (reference - http://massivescale.com/microsoft-v2-endpoint-primer/) in the scope when getting the authorization code, but got the following error -

AADSTS65001: The user or administrator has not consented to use the application.

So the situation is like this -

Upvotes: 2

Views: 3113

Answers (1)

Daniel Dobalian

Reputation: 3237

As a commenter indicated, you've registered an Azure AD v2.0 application, and are calling the Azure AD v1.0 endpoints. This isn't strictly the problem you're facing, but I recommend reconfiguring your auth endpoints to be for v2.0.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

I think the issue you may be running into is not configuring static permissions before calling the admin consent endpoint. One of the new features of Azure AD v2.0 is dynamic consent & scopes that allow you to ask for new permissions when requesting them; however, for admin consent you must configure these as static permissions.

You can configure static permissions in Azure AD v2.0 inside the App Reg Portal through the UI below:

[screenshot: static permissions UI in the App Registration Portal]

Then try hitting the admin consent endpoint again, and finally re-requesting the refresh token with the offline_access scope.

Upvotes: 3
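To make the flow in this answer concrete, here is an added example (not code from the question, the answer, or Microsoft) that builds the three v2.0 requests involved, admin consent, authorize and token, so that offline_access is always part of the requested scope, and then classifies a decoded token response to tell "no refresh_token returned" apart from the AADSTS65001 consent error. It makes no network calls; the tenant, client id, redirect URI, state and the sample responses in the test are placeholders/constructed values, and the helper names are mine.

```python
"""
Added example: Azure AD v2.0 auth-code flow request builders that always
request offline_access, plus a classifier for the token response.
All identifiers (tenant, client_id, redirect_uri, state) are placeholders.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORITY = "https://login.microsoftonline.com"
# In the v2.0 endpoint, offline_access is the reserved scope that makes the
# token endpoint hand back a refresh_token alongside the access_token.
OFFLINE_SCOPE = "offline_access"


def normalize_scopes(scopes):
    """Space-separated scope string that always includes offline_access.
    Duplicates are dropped and order is kept so requests are stable."""
    seen = []
    for s in list(scopes) + [OFFLINE_SCOPE]:
        if s not in seen:
            seen.append(s)
    return " ".join(seen)


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Admin-consent endpoint. For a v2.0 app registration the permissions
    granted here are the *static* ones configured on the registration,
    which is the point the answer above makes."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}"


def authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """v2.0 authorization request. 'state' binds the callback to this
    request so a client can reject unsolicited codes (CSRF check)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": normalize_scopes(scopes),
        "state": state,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def requested_scopes(url):
    """Return the list of scopes carried in an authorize/consent URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split()


def token_request(tenant, client_id, client_secret, redirect_uri, code, scopes):
    """(url, form) for redeeming an authorization code at the v2.0 token
    endpoint; a real client POSTs 'form' as application/x-www-form-urlencoded.
    The secret never goes in the query string, only in the POST body."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": normalize_scopes(scopes),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form


def diagnose_token_response(body):
    """Classify a decoded JSON token response as one of
    'ok', 'no_refresh_token', 'consent_required' or 'error'."""
    if "error" in body:
        desc = body.get("error_description", "")
        # AADSTS65001 is the 'not consented' error quoted in the question.
        if "AADSTS65001" in desc or body["error"] == "consent_required":
            return "consent_required"
        return "error"
    if "refresh_token" not in body:
        # Typically means offline_access was not requested or not granted;
        # the 'scope' field in the response shows what was actually granted.
        return "no_refresh_token"
    return "ok"
```

Running `diagnose_token_response` on the decoded JSON from the token endpoint separates the two failure modes in the question: a successful response without `refresh_token` points at the scope that was requested or granted, while a `consent_required` result points back at the static permissions / admin consent step.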
