Reputation: 665
I've followed this post in relation to this example and made the additions to the portal and code as suggested:
Portal: Web API - Expose an API - Add Scope for "offline_access" (also tried with format "demo.offline_access"); Web App added "offline_access" permission
Code: Added offline_access to Start_Auth.cs, Global.cs and both Web.config files.
I make my request for accessToken and refreshToken as per documentation with:
var ClientID = "XXXX";
// B2C token endpoint for the sign-in policy
var BaseURL = "https://XXX.b2clogin.com/XXX.onmicrosoft.com/oauth2/v2.0/token?p=B2C_1_signinsignoutpolicy";
var ClientSecret = "XXX";
string redirectUri = "https://XXX.azurewebsites.net/api/GetAccessToken";
// Form body for the authorization_code grant (scopes are space-separated)
var content = new StringContent(
    "&grant_type=authorization_code" +
    "&client_id=" + ClientID +
    "&scope=" + "https://XXX.onmicrosoft.com/api/demo.read https://XXX.onmicrosoft.com/api/demo.write https://XXX.onmicrosoft.com/api/offline_access" +
    "&code=" + authCode +
    "&redirect_uri=" + redirectUri +
    "&client_secret=" + ClientSecret,
    Encoding.UTF8,
    "application/x-www-form-urlencoded");
var response = await httpClient.PostAsync(BaseURL, content);
var output = await response.Content.ReadAsStringAsync();
The output returns an access_token but no refresh token. When looking at the claims of the access_token, the scope (scp) claim correctly shows "offline_access demo.read demo.write".
What am I missing to get refresh token?
[EDIT]
Here's postman result:
JWT for access token received:
WebApp API Permissions:
WebAPI - Expose an API:
Code changes: Both WebApp and WebAPI Web.config scopes:
<add key="api:ReadScope" value="demo.read" />
<add key="api:WriteScope" value="demo.write" />
<add key="api:OfflineScope" value="offline_access" />
TaskWebApp Globals.cs scope addition:
// API Scopes
public static string ApiIdentifier = ConfigurationManager.AppSettings["api:ApiIdentifier"];
public static string ReadTasksScope = ApiIdentifier + ConfigurationManager.AppSettings["api:ReadScope"];
public static string WriteTasksScope = ApiIdentifier + ConfigurationManager.AppSettings["api:WriteScope"];
public static string OfflineTasksScope = ApiIdentifier + ConfigurationManager.AppSettings["api:OfflineScope"];
public static string[] Scopes = new string[] { ReadTasksScope, WriteTasksScope, OfflineTasksScope };
TaskWebApp Startup.Auth.cs scope addition at ConfigureAuth:
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope} {Globals.OfflineTasksScope}"
Thank you for your help
Upvotes: 0
Views: 122
Reputation: 16478
https://XXX.onmicrosoft.com/api/offline_access is a permission you customized in your web API app. It's not for getting a refresh token.
You just need to use offline_access here:
"&scope=" + "https://XXX.onmicrosoft.com/api/demo.read https://XXX.onmicrosoft.com/api/demo.write offline_access"
Upvotes: 1
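The fix above, as an added Python example (not code from the question or the answer): it rewrites a scope list so that offline_access is requested as the bare OIDC scope rather than as an API-namespaced permission, builds a properly percent-encoded form body for the authorization_code grant, and checks whether the token response actually carries a refresh_token. Client id, secret, code and redirect URI are placeholders; the sample token response is constructed.

```python
import json
from urllib.parse import urlencode

# Scopes owned by the identity provider, not by the API. offline_access is the
# one that makes the token endpoint return a refresh token.
OIDC_SCOPES = ("openid", "profile", "offline_access")


def normalize_scopes(scopes):
    """Return the scope list the token endpoint expects.

    A scope such as https://XXX.onmicrosoft.com/api/offline_access is only a
    custom API permission and does not request a refresh token. Any scope whose
    last path segment is a reserved OIDC scope is replaced by the bare name,
    duplicates are dropped, and offline_access is guaranteed to be present.
    """
    out = []
    for s in scopes:
        name = s.rsplit("/", 1)[-1]
        s = name if name in OIDC_SCOPES else s
        if s not in out:
            out.append(s)
    if "offline_access" not in out:
        out.append("offline_access")
    return out


def build_token_request(client_id, client_secret, code, redirect_uri, scopes):
    """Build the x-www-form-urlencoded body for the authorization_code grant.

    urlencode() percent-encodes the spaces and URLs that a hand-built
    string sends raw.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(normalize_scopes(scopes)),
    })


def has_refresh_token(token_response_json):
    """True when the token endpoint's JSON response carries a refresh_token."""
    body = json.loads(token_response_json)
    return bool(body.get("refresh_token"))


# Constructed sample response, shaped like a B2C token endpoint reply.
SAMPLE_RESPONSE = '{"access_token": "eyJ...", "token_type": "Bearer", "refresh_token": "0.AX..."}'
```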