Ergec

Reputation: 11824

Azure AD provides refresh_token even though I don't request it and the permissions do not include offline_access

I'm having a really hard time understanding what's going on. My SPA keeps getting a refresh_token even though I don't request it, and the permissions on Azure have no offline_access.

What can I do to NOT get refresh_token?

My request URL (notice that no offline_access is requested):

https://login.microsoftonline.com/........./oauth2/v2.0/authorize?client_id=........&redirect_uri=........&response_type=code&scope=openid%20profile%20email%20User.Read&state=......&code_challenge=........&code_challenge_method=S256&response_mode=query

Permissions on Azure (no offline_access):


Consent screen (asks the user to grant the offline access permission):


Result: I get a refresh_token, which is not a good idea to have on the client.


Upvotes: 1

Views: 1432

Answers (1)

Joy Wang

Reputation: 42103

It is a known issue when using the Azure AD v2.0 endpoint; see the related post here.

It is also mentioned under offline_access:

This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the implicit flow). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected.

But this does not affect whether you get the refresh token. What you used is the auth code flow v2.0; just don't include offline_access when requesting the token, and the refresh token will not be returned.

Or, if you really don't want the app to ask you to consent to this permission, just use the auth code flow v1.0; then, if you don't include offline_access when you request the code, it will not ask you to consent to the offline_access permission.

Upvotes: 2
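The answer's point is that the scope sent to the v2.0 /token endpoint, not the permissions page, decides whether a refresh token comes back, and that a SPA should never keep one. The following is an added example (not code from the asker or the answerer) of a browser-side token exchange that strips offline_access from the scope before building the token request body and then discards any refresh_token that still arrives. The function names, the tenant/client/code placeholders and the sample responses are constructed for illustration; the request parameters themselves are the documented ones for the v2.0 authorization-code grant with PKCE.

```javascript
// Added example, not part of the original Q&A. Assumes an SPA doing the
// Azure AD v2.0 authorization-code flow with PKCE. Values such as the tenant,
// client_id, code and code_verifier are placeholders, not real identifiers.

// v2.0 token endpoint for a tenant (tenant is a placeholder here).
function tokenEndpoint(tenant) {
  return `https://login.microsoftonline.com/${encodeURIComponent(tenant)}/oauth2/v2.0/token`;
}

// Scopes the SPA actually needs; offline_access is deliberately absent.
const REQUIRED_SCOPES = ["openid", "profile", "email", "User.Read"];

// Drop offline_access wherever it sneaks in (config, a shared scope list, etc.).
function scopesWithoutOfflineAccess(scopes) {
  return scopes.filter((s) => s.toLowerCase() !== "offline_access");
}

// Body of the v2.0 token request (application/x-www-form-urlencoded).
// The scope sent here is what the v2.0 endpoint uses when it decides which
// tokens to issue, so offline_access is filtered out before the body is built.
function buildTokenRequestBody({ clientId, code, redirectUri, codeVerifier, scopes }) {
  const params = new URLSearchParams({
    client_id: clientId,
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier,
    scope: scopesWithoutOfflineAccess(scopes).join(" "),
  });
  return params.toString();
}

// Defensive check on the token response: never let a refresh_token reach
// sessionStorage/localStorage. Returns the cleaned token set plus warnings
// that an operator can log to spot the behaviour the question describes.
function sanitizeTokenResponse(response) {
  const warnings = [];
  const tokens = { ...response };
  if ("refresh_token" in tokens) {
    warnings.push("token endpoint returned refresh_token; discarding it");
    delete tokens.refresh_token;
  }
  const granted = (tokens.scope || "").split(" ").filter(Boolean);
  if (granted.some((s) => s.toLowerCase() === "offline_access")) {
    warnings.push("offline_access was granted although it was not requested");
  }
  return { tokens, warnings };
}

// Constructed sample responses (not captured from Azure AD) so the file runs offline.
const SAMPLE_WITH_REFRESH = {
  token_type: "Bearer",
  scope: "email openid profile User.Read offline_access",
  expires_in: 3599,
  access_token: "access-token-placeholder",
  refresh_token: "refresh-token-placeholder",
  id_token: "id-token-placeholder",
};
const SAMPLE_WITHOUT_REFRESH = {
  token_type: "Bearer",
  scope: "email openid profile User.Read",
  expires_in: 3599,
  access_token: "access-token-placeholder",
  id_token: "id-token-placeholder",
};

// Stand-alone demo: build the request a SPA would POST, then sanitize a response.
const demoBody = buildTokenRequestBody({
  clientId: "client-id-placeholder",
  code: "auth-code-placeholder",
  redirectUri: "https://app.example/callback",
  codeVerifier: "code-verifier-placeholder",
  scopes: [...REQUIRED_SCOPES, "offline_access"], // offline_access will be stripped
});
console.log("POST", tokenEndpoint("tenant-id-placeholder"));
console.log(demoBody);
console.log(sanitizeTokenResponse(SAMPLE_WITH_REFRESH));
```

In a real SPA the body goes to `fetch(tokenEndpoint(tenant), { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body })`, and only the `tokens` object returned by `sanitizeTokenResponse` is kept in memory; the warnings are the signal that the scope actually sent to /token still contained offline_access somewhere in the app's configuration.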
