Reputation: 778
Azure AD / Microsoft Graph Tokens - What to use for a multi-client app
I need to be able to monitor a user's Hotmail or Outlook account in the offline mode via a backend. But the user can sign up and authorize the account access either from a web app e.g. Laravel or Lumen or from a Cordova mobile app or another SPA interface such as Angular. Basically, the app is configured on https://apps.dev.microsoft.com for an implicit flow.
Since the app requires a backend offline processing lets say few times a day - I will need a refresh token to renew the access_token. There are two ways to get consent from the Azure AD.
authorize = id_token + token (But the limitation is that id_token is only client specific). This approach is more suitable for fetching the emails when client is running and user is online.
authorize = code and then generate access_token and refresh_token.
Question - would option 2 work for both hotmail/outlook.com and O365? If the access and refresh tokens are generated by the client - would they work for both online and offline access of a user's account and email.
Upvotes: 0
Views: 409
Answers (1)
Reputation: 9411
Of course you can. But if you want to receieve a refresh token in token response, your app must request and be granted the offline_acesss scope.
The
offline_accessscope gives your app access to resources on behalf of the user for an extended time. On the work account consent page, this scope appears as the "Access your data anytime" permission. On the personal Microsoft account consent page, it appears as the "Access your info anytime" permission. When a user approves theoffline_accessscope, your app can receive refresh tokens from the v2.0 token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
REQUEST EXAMPLE:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
Actually, if you use code grant flow to sign in AAD, you will see this Page:
If you click Yes, you will consent offline_access scope.NOTE: This works for both MSA and AAD Account.
You can see more details about offline_access sope in this documentation.
Upvotes: 3
Related Questions
- Azure Graph API - best way to onboard organizations (app registration and consent proces)
- How to Use Microsoft Graph in a Multi-Tenant environment?
- Multi Tenant Access to Microsoft Graph API's with single app registration?
- Managing Azure AAD Applications with Microsoft Graph
- Access Token for both Microsoft Graph and Custom API
- Multi Instance Apps and Azure Authentication Best Practices
- Azure AD Graph vs Microsoft Graph App Authorization Tokens
- Azure AD Multi tenant app
- Microsoft Graph API Multi tenant App-only auth scheme
- Azure Graph API: authorize application on multiple tenants