Santosh

Reputation: 357

How to get refresh tokens from Azure AD using implicit grant flow with adal.js

Currently, the implicit grant flow URL to get access tokens from Azure AD by our SPA (native web app running in Azure VM) is of the format:

https://login.microsoftonline.com/{{tenantID}}/oauth2/authorize?response_type={{responseParams}}&client_id={{applicationID}}&redirect_uri={{redirectUri}}

Here, responseParams= id_token is the default value passed by Adal.js. What would be the changes needed to be made to this URL to get back refresh tokens from Azure AD?

Upvotes: 1

Views: 662

Answers (1)

Mohit_Garg

Reputation: 922

The implicit grant flow does not issue refresh tokens, mostly for security reasons. A refresh token isn’t as narrowly scoped as access tokens, granting far more power and hence inflicting far more damage in case it is leaked out. In the implicit flow, tokens are delivered in the URL, hence the risk of interception is higher than in the authorization code grant.

However, a JavaScript application has another mechanism at its disposal for renewing access tokens without repeatedly prompting the user for credentials. The application can use a hidden iframe to perform new token requests against the authorization endpoint of Azure AD: as long as the browser still has an active session (read: has a session cookie) against the Azure AD domain, the authentication request can successfully occur without any need for user interaction.

This model grants the JavaScript application the ability to independently renew access tokens and even acquire new ones for a new API (provided that the user previously consented for them). This avoids the added burden of acquiring, maintaining, and protecting a high value artifact such as a refresh token. The artifact that makes the silent renewal possible, the Azure AD session cookie, is managed outside of the application. Another advantage of this approach is that a user can sign out from Azure AD, using any of the applications signed into Azure AD, running in any of the browser tabs. This results in the deletion of the Azure AD session cookie, and the JavaScript application will automatically lose the ability to renew tokens for the signed out user.

Reference: Understanding the OAuth2 implicit grant flow in Azure Active Directory (AD)

Upvotes: 1
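The hidden-iframe renewal the answer describes, as an added example (not code from the question, the answer, or adal.js itself): it builds the v1 authorize URL for a silent renewal, parses the fragment Azure AD redirects back with, and wires both into an iframe in the browser. It assumes a tenant id, client id, redirect URI and resource that are placeholders, and the sample fragments are constructed to look like what Azure AD returns on success and when no session cookie exists. `prompt=none` is the parameter that tells Azure AD to fail instead of showing UI when it cannot authenticate silently.

```javascript
// Added example, not part of the original question or answer, and not adal.js code.
// Shows how a SPA renews an access token via a hidden iframe against the Azure AD
// v1 authorize endpoint, relying on the Azure AD session cookie instead of a
// refresh token. All ids and URIs below are placeholders.

const TENANT_ID = "00000000-0000-0000-0000-000000000000";   // placeholder
const CLIENT_ID = "11111111-1111-1111-1111-111111111111";   // placeholder
const REDIRECT_URI = "https://spa.example.com/";           // placeholder

// Authorize URL for silently renewing an access token for `resource`.
// prompt=none makes Azure AD return an error in the fragment rather than
// render a login page when the session cookie is missing or expired.
// `state` and `nonce` must be unguessable values the app keeps to match
// the response to this request.
function buildSilentRenewUrl(resource, state, nonce) {
  const params = new URLSearchParams({
    response_type: "token",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    resource: resource,
    prompt: "none",
    state: state,
    nonce: nonce,
  });
  return `https://login.microsoftonline.com/${TENANT_ID}/oauth2/authorize?${params.toString()}`;
}

// Parse the fragment the iframe lands on. Returns
// { ok: true, accessToken, expiresAt } or { ok: false, error, errorDescription }.
// A state mismatch is a failure: the response does not belong to our request.
function parseRenewResponse(fragment, expectedState, now = Date.now()) {
  const hash = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  const p = new URLSearchParams(hash);
  if (p.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch", errorDescription: "response state does not match request" };
  }
  if (p.has("error")) {
    return { ok: false, error: p.get("error"), errorDescription: p.get("error_description") || "" };
  }
  const token = p.get("access_token");
  const expiresIn = Number(p.get("expires_in"));
  if (!token || !Number.isFinite(expiresIn)) {
    return { ok: false, error: "invalid_response", errorDescription: "missing access_token or expires_in" };
  }
  return { ok: true, accessToken: token, expiresAt: now + expiresIn * 1000 };
}

// Browser-only glue: navigate a hidden iframe to the renewal URL and resolve once it
// comes back to redirect_uri (same origin) with a fragment. The first onload fires
// while the iframe is still on login.microsoftonline.com, where reading its location
// throws; that is ignored. Guarded so the helpers above still run outside a browser.
function renewSilently(resource, state, nonce, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    if (typeof document === "undefined") {
      return reject(new Error("renewSilently requires a browser"));
    }
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    iframe.src = buildSilentRenewUrl(resource, state, nonce);
    const timer = setTimeout(() => { iframe.remove(); reject(new Error("renew timed out")); }, timeoutMs);
    iframe.onload = () => {
      let hash;
      try { hash = iframe.contentWindow.location.hash; } catch (e) { return; } // still cross-origin
      if (!hash) return;
      clearTimeout(timer);
      iframe.remove();
      resolve(parseRenewResponse(hash, state));
    };
    document.body.appendChild(iframe);
  });
}

// Constructed sample fragments modelled on Azure AD's implicit-flow responses.
const SAMPLE_OK = "#access_token=eyJ0eXAi.sample.token&token_type=Bearer&expires_in=3599&state=abc123";
const SAMPLE_NO_SESSION = "#error=login_required&error_description=A+silent+sign-in+request+was+sent+but+no+user+is+signed+in.&state=abc123";
```

In an app the `renewSilently` promise would be awaited shortly before the cached token's `expiresAt`; a `login_required` result means the Azure AD session cookie is gone (for example after the user signed out in another tab), and the only remaining option is an interactive sign-in.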
