Get refresh token with Azure AD V2.0 (MSAL) and Asp .Net Core 2.0

Asked 23/2, 2018 at 16:16 Answered 20/11, 2019 at 9:40

asp.net-core azure-active-directory azure-ad-graph-api refresh-token

I've got access_token from Azure Ad V2.0 endpoint to call Graph Api. But I have to do some actions in the api on behalf of user. So I need refresh_token to renew my access_token when it'll expire.

Is there any way to get Refresh token using MSAL in ASP .Net Core?

In microsoft documentaion they're telling it's possible to do by requesting /token endpoint. But I couldn't find how to do it using MSAL.

Asclepius answered 23/2, 2018 at 16:16 Comment(5)

MSAL usually handles the refresh token for you. You would need to implement the token cache properly for your app. – Alpaca 23/2, 2018 at 17:9

Is there any way to get it? I'll keep it in a database or Azure KeyVault – Asclepius 24/2, 2018 at 18:27

I think there is no API to get them. The way to implement what you want would be to make a token cache class which handles storing the data (and loading it) in Key Vault for example. – Alpaca 24/2, 2018 at 18:29

Though you should also add some in-memory caching in that case.. You don't want to hit Key Vault every single time. – Alpaca 24/2, 2018 at 18:30

You can look through the MSAL source if you want :) github.com/AzureAD/microsoft-authentication-library-for-dotnet – Alpaca 24/2, 2018 at 18:30

MSAL .NET does not expose the refresh token, but rather keeps it internal and handles all token refresh and caching logic on the app's behalf.

The docs you're referring to are referencing the protocol itself that MSAL is completing on your behalf. It goes to the /token endpoint with an authorization code (after the end user signs in), and is issued an Access and Refresh token. The Access Token is valid for 1 hour, and when it's expired, AcquireTokenSilent will automatically use the refresh token against the /token endpoint to get a new access token.

Shuster answered 25/2, 2018 at 6:24 Comment(6)

Thanks for the answer. I am using microservices architecture, so my back and front services are apart. The problem is to get access token from front service (js) and send it to .net core web api (back). Back service will call graph api and do some other things using this token. So I need to have refresh token in my back-end service to be able to manage tokens. – Asclepius 26/2, 2018 at 8:40

@S.Anna Have you taken a look at the on-behalf-of flow? I think it would be perfect for this scenario. Basically, your client app will get a token and send it to your backend (just like before). Then, the backend can send this token to Azure AD for a new token that can be used for a downstream API like the Microsoft graph. – Shuster 28/2, 2018 at 1:6

I've looked through the documentation. Now I want to implement on-behalf-of-flow scenario using MSAL and can't find any documentation. Can you help with any kind of example how to do it? – Asclepius 1/3, 2018 at 16:48

We don't have a code sample on the on-behalf-of flow yet, but here's the reference docs on the protocol which should get you on the right path. – Shuster 2/3, 2018 at 6:11

whilst this answer is correct when accessing pages, if youre on the same page and make an ajax request, this is not the case. – Gilstrap 15/6, 2020 at 12:44

My IDTokens are 1hr expiry, RefreshTokens 8hr... when the 8hrs is up, MSAL gives up just throws an exception when trying to get a new IDToken. Shouldn't it also manage the RefreshTokens by getting a new one when required? – Bile 18/9, 2020 at 13:36

I got a bit topsy-turvy on this, as well. Explaining a bit more based on my understanding.

For context, OAuth 2.0 code grant flow mentions the following steps:
- authorization, which returns auth_code
- using auth_code, to fetch access_token (usually valid for 1 hr) and refresh_token
- access_token is used to gain access to relevant resources
- after access_token expires, refresh_token is used to get new access_token
MSAL.NET abstracts this concept of refresh_token via TokenCache.
- There is an option to serialize TokenCache. See Token cache serialization in MSAL.NET. This is how to preserve sign-in info b/w desktop application sessions, and avoid those sign-in windows.
- AcquireTokenSilentAsync is the process by which refresh_token is used to get new access_token, but, this is internally done. See AcquireTokenSilentAsync using a cached token for more details and other access patterns.

Hope this clarifies on why TokenCache is the 'new' refresh_token in MSAL.NET, and TokenCache is what you would need to serialize and save. There are libraries like Microsoft.Identity.Client.Extensions.Msal that aid in this.

Fussbudget answered 21/10, 2019 at 7:55 Comment(0)

TokenCache is basically a JSON object which is served as byte array when you call SerializeMsalV3(). When you convert byte array to string, you will see both access token and refresh token. Then you can make a HTTP request to \token endpoint with this refresh token and grant_type: "refresh_token" body parameters.

IConfidentialClientApplication capp =
                    ConfidentialClientApplicationBuilder.Create(myClientId)
                        .WithClientSecret(myclientSecret)
                        .Build();

    capp.UserTokenCache.SetAfterAccess((TokenCacheNotificationArgs args) =>
    {
       exchangeTokenCacheV3Bytes = args.TokenCache.SerializeMsalV3();
       string jsonString = System.Text.Encoding.UTF8.GetString(exchangeTokenCacheV3Bytes);
    });

Fields answered 20/11, 2019 at 9:40 Comment(0)

Recommended topics

Hot tags