
I am using the Azure Service Management API and the OAuth API for generating an access token. But while making the call with grant type "refresh_token" to refresh the access token, it returns a new access token, but that response does not have a new refresh token. So I have to use the old refresh token for refreshing the access token. And the problem is that after 5-6 hours, refreshing the token returns the error invalid_client (Error validating credentials. Invalid client secret is provided). In other cases, like Office 365 app authentication via Azure AD, it returns everything.

Is there any specific parameter or header that I have to pass with the API call?

Below is the screenshot of my code

[screenshot of the code, not reproduced here]

Please help.

Thanks in advance

Amey Khadatkar
  • Could you include the exact OAuth request you are making? Can you post the response? this would help to understand the issue. – Brent Schmaltz Feb 10 '16 at 14:29
  • The same thing happened to me. The response of the grant_type=authorization_code request has a refresh token, but the response of the grant_type=refresh_token has only the normal access token without refresh token. – acuntex Feb 11 '16 at 08:49
  • @BrentSchmaltz I have edited the post with my code. Please check and let me know if I am making any mistakes as the same code works for Office365 authentication – Amey Khadatkar Feb 12 '16 at 13:00
  • @AmeyKhadatkar Is it true that you can successfully execute the refresh_grant and that after a period of time it fails? Suppose you made the same call just after receiving the "access_token, refresh_token", would it succeed? If so, I would suspect the "refresh_token" has expired. – Brent Schmaltz Feb 12 '16 at 17:24
  • The refresh token which is supposed to expire after 90 days or so, expires in about 6-7 hours. This is also a problem I guess. – Amey Khadatkar Feb 13 '16 at 18:29

1 Answer


If you use the v2 endpoint, scopes are requested dynamically and a refresh token must be requested using the "offline_access" scope. This is much different from the v1 model, where scopes are pre-registered with the app registration and a refresh token is always returned w/o an explicit scope. If you're using v1 & you don't get a refresh token, it might be due to a restricted security policy about refresh tokens by your ADFS provider, which is not sending back a refresh token to the API calling the OAuth authentication and authorization.

This is a security enhancement/block that prevents your application from holding a lifetime refresh token that could live forever (if refreshed).

So if you can use the v2 endpoint - use the offline_access scope. Otherwise check the security policies with your ADFS provider.

I ran into the same problem as you & gathered most of the information that helped to answer this question from here: https://stackoverflow.com/a/44813531/4446128.

sergeyski.com
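The two points raised in this thread, requesting the `offline_access` scope on the v2 endpoint so a refresh token is issued, and keeping the previously stored refresh token when a `grant_type=refresh_token` response omits a new one, as an added example that is not the asker's or answerer's code. It builds the request bodies offline and applies a constructed token response; the v2 token URL layout and the `https://management.azure.com/user_impersonation` scope are assumed sample values, and the `RefreshError`, `merge_token_response` and `next_action` names are the example's own:

```python
from urllib.parse import urlencode

# Assumed v2 endpoint layout (not taken from the thread); {tenant} is a placeholder.
V2_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class RefreshError(Exception):
    """Raised when the token endpoint answers with an OAuth error object."""

    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def _with_offline_access(scopes):
    # On the v2 endpoint a refresh token is only issued when offline_access is requested.
    return " ".join(sorted(set(scopes) | {"offline_access"}))


def build_authorize_params(client_id, redirect_uri, scopes):
    """Query parameters for the authorization-code request (v2 endpoint)."""
    return {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": _with_offline_access(scopes),
    }


def build_refresh_body(client_id, client_secret, refresh_token, scopes):
    """Form body for grant_type=refresh_token; the scope is resent so the new
    access token carries the same permissions as the original grant."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": _with_offline_access(scopes),
    })


def merge_token_response(stored, response):
    """Apply a parsed token response to the stored token set.

    Refresh-token rotation is optional: when the endpoint omits refresh_token,
    the previously stored one is still the valid one and must be kept."""
    if "error" in response:
        raise RefreshError(response["error"], response.get("error_description", ""))
    updated = dict(stored)
    updated["access_token"] = response["access_token"]
    updated["expires_in"] = int(response.get("expires_in", 0))
    if response.get("refresh_token"):
        updated["refresh_token"] = response["refresh_token"]
    return updated


def next_action(err):
    """Map an OAuth error code (RFC 6749 section 5.2) to the client's next step."""
    if err.error == "invalid_grant":
        return "reauthorize"  # refresh token expired or revoked: rerun the auth-code flow
    if err.error == "invalid_client":
        return "check_client_credentials"  # wrong or rotated secret: re-check the app registration
    return "retry_later"


def refresh_step(stored, response):
    """Returns (updated_tokens, None) on success or (None, next_action) on error."""
    try:
        return merge_token_response(stored, response), None
    except RefreshError as err:
        return None, next_action(err)


# Constructed sample data (not captured from a real tenant).
SAMPLE_STORED = {"access_token": "old-access", "refresh_token": "rt-1", "expires_in": 3599}
SAMPLE_RESPONSE_NO_RT = {"token_type": "Bearer", "access_token": "new-access", "expires_in": "3599"}
SAMPLE_SCOPES = ["https://management.azure.com/user_impersonation"]

if __name__ == "__main__":
    print(build_authorize_params("app-id", "https://localhost/callback", SAMPLE_SCOPES))
    print(build_refresh_body("app-id", "app-secret", "rt-1", SAMPLE_SCOPES))
    print(refresh_step(SAMPLE_STORED, SAMPLE_RESPONSE_NO_RT))
    print(refresh_step(SAMPLE_STORED, {"error": "invalid_grant", "error_description": "expired"}))
```

Persist whatever `merge_token_response` returns rather than the raw response: storing the response as-is silently drops the refresh token whenever the endpoint does not rotate it, and the next refresh then fails with nothing to send.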