Reputation: 1890
I have setup an app in Azure AD and granted it user-delegated permissions to access the user's resources.
In the authorization request I also added the offline_access scope, which, according to the documentation, allows the app to interact with the user's resources (within the bounds of the permissions granted) without user activity.
I added a client_secret to the app and tried accessing the Graph API to query a user's resource. I did so as the application, using the client_credentials flow. This failed, returning an unauthorised response.
I researched a bit further and found that, using the client_credentials flow, I cannot access user-delegated permissions, only application permissions.
Why then the offline_access scope, if this doesn't work when accessing as the application? Application permissions are too broad and in my case I will never be granted these by the IT admin.
Kind regards
Upvotes: 0
Views: 2841
Reputation: 58823
The offline_access scope means you get a refresh token from AAD.
You can use that refresh token to get a new access token (and new refresh token) in a background worker, even after the user is no longer actively using the app.
You need to cache that refresh token somewhere secure after the user has logged in and use that to get tokens and call the APIs needed.
Do remember to always replace the cached refresh token with the new one you get from the token refresh. Also, refresh tokens expire, so you should occasionally just use the refresh token to get a new refresh token. They can also be completely revoked, in which case the user has to sign in again to provide your app with a working refresh token.
Upvotes: 1
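The refresh-token loop the answer describes, as an added example that is not part of the original question or answer. It shows a confidential client (client_id + client_secret) sending a `grant_type=refresh_token` request to the AAD v2.0 token endpoint from a background worker, always replacing the cached refresh token with the rotated one, proactively rotating old refresh tokens, and treating an `invalid_grant` error (expired or revoked refresh token) as "the user must sign in again". The `FakeTokenEndpoint`, the tenant/client names, the user id, the 5-minute skew and the one-week rotation policy are all constructed assumptions so the code runs offline; against real AAD you would POST the same form to the real URL with an HTTP client.

```python
import secrets
import time
from dataclasses import dataclass

# Real AAD v2.0 token endpoint shape; the tenant value is a placeholder.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ACCESS_SKEW = 300                  # assumed policy: refresh when < 5 min of access-token life remains
ROTATE_REFRESH_AFTER = 7 * 86400   # assumed policy: proactively rotate refresh tokens older than a week


class ReauthRequired(Exception):
    """The refresh token is expired or revoked; only an interactive sign-in can replace it."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float   # epoch seconds
    refresh_issued_at: float   # epoch seconds


def build_refresh_request(tenant, client_id, client_secret, refresh_token, scope):
    """URL and form body of a refresh_token grant against the v2.0 token endpoint."""
    return TOKEN_URL.format(tenant=tenant), {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,   # confidential client: the secret never leaves the server
        "refresh_token": refresh_token,
        "scope": scope,                   # delegated scopes, plus offline_access to keep getting refresh tokens
    }


class FakeTokenEndpoint:
    """Constructed stand-in for AAD (not real AAD): rotates refresh tokens on each use, can revoke them."""

    def __init__(self):
        self._live = set()

    def sign_in(self):
        """Simulates the interactive auth-code exchange that first produced tokens with offline_access."""
        rt = "rt-" + secrets.token_hex(8)
        self._live.add(rt)
        return {"access_token": "at-" + secrets.token_hex(8), "refresh_token": rt, "expires_in": 3600}

    def revoke_all(self):
        self._live.clear()   # e.g. admin revoked sessions or the user changed password

    def post(self, url, form):
        if form.get("grant_type") != "refresh_token" or form.get("refresh_token") not in self._live:
            return 400, {"error": "invalid_grant", "error_description": "refresh token expired or revoked"}
        self._live.discard(form["refresh_token"])   # the old refresh token is consumed
        new_rt = "rt-" + secrets.token_hex(8)
        self._live.add(new_rt)
        return 200, {"token_type": "Bearer", "expires_in": 3600, "scope": form["scope"],
                     "access_token": "at-" + secrets.token_hex(8), "refresh_token": new_rt}


class DelegatedTokenManager:
    """Background-worker side: hands out delegated access tokens while the user is not present."""

    def __init__(self, endpoint, tenant, client_id, client_secret, scope, now=time.time):
        self.endpoint, self.tenant, self.client_id = endpoint, tenant, client_id
        self.client_secret, self.scope, self.now = client_secret, scope, now
        self.cache = {}   # user_id -> TokenSet; a dict stands in for an encrypted store (Key Vault, DPAPI, ...)

    def store_sign_in(self, user_id, resp):
        t = self.now()
        self.cache[user_id] = TokenSet(resp["access_token"], resp["refresh_token"], t + resp["expires_in"], t)

    def access_token_for(self, user_id):
        ts = self.cache.get(user_id)
        if ts is None:
            raise ReauthRequired(f"no refresh token cached for {user_id}")
        now = self.now()
        if ts.access_expires_at - now > ACCESS_SKEW and now - ts.refresh_issued_at < ROTATE_REFRESH_AFTER:
            return ts.access_token   # cache hit, no round trip to AAD
        url, form = build_refresh_request(self.tenant, self.client_id, self.client_secret, ts.refresh_token, self.scope)
        status, body = self.endpoint.post(url, form)
        if status != 200:
            if body.get("error") == "invalid_grant":
                self.cache.pop(user_id, None)   # dead token: drop it instead of retrying forever
                raise ReauthRequired(body.get("error_description", "invalid_grant"))
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        rotated = "refresh_token" in body
        # Always persist the rotated refresh token; the one we just used may no longer be accepted.
        self.cache[user_id] = TokenSet(body["access_token"], body["refresh_token"] if rotated else ts.refresh_token,
                                       now + body["expires_in"], now if rotated else ts.refresh_issued_at)
        return body["access_token"]


def demo():
    clock = [1_700_000_000.0]
    ep = FakeTokenEndpoint()
    mgr = DelegatedTokenManager(ep, "contoso.onmicrosoft.com", "app-client-id", "app-client-secret",
                                "https://graph.microsoft.com/Mail.Read offline_access", now=lambda: clock[0])
    first = ep.sign_in()                        # the user signed in interactively once
    mgr.store_sign_in("alice", first)
    at_cached = mgr.access_token_for("alice")   # still valid: served from cache
    clock[0] += 3600                            # access token expired, user long gone
    at_refreshed = mgr.access_token_for("alice")
    rt_after = mgr.cache["alice"].refresh_token
    old_status, _ = ep.post(*build_refresh_request("t", "app-client-id", "app-client-secret",
                                                   first["refresh_token"], "x"))
    ep.revoke_all()                             # admin revokes the user's sessions
    clock[0] += 3600
    try:
        mgr.access_token_for("alice")
        reauth = False
    except ReauthRequired:
        reauth = True
    return {"cached_hit": at_cached == first["access_token"], "refreshed": at_refreshed != at_cached,
            "rotated": rt_after != first["refresh_token"], "old_rt_rejected": old_status == 400,
            "reauth_required": reauth, "cache_cleared": "alice" not in mgr.cache}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the cache is written back on every successful refresh before the access token is returned, so a crash between the two cannot leave the worker holding a refresh token the endpoint has already consumed; and `invalid_grant` clears the cached entry, so the worker surfaces a single "sign in again" condition to the user instead of hammering the token endpoint with a dead token.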