Graph Api Oauth2 Refresh Tokens Expiring

JoonaFinland 0 Reputation points
2023-10-24T08:55:41.8733333+00:00

I am running into problems with several users' refresh tokens becoming invalidated randomly. This can happen to users who have had their calendars connected for a long time, and also to users who have literally just connected their calendar, where the token is already expired when trying to fetch events or subscribe to calendar notifications.


2 answers

  1. Carolyne-3676 211 Reputation points
    2023-11-15T16:52:13.1266667+00:00

    This issue can arise from several factors such as token revocation by the user, token expiration time, or token invalidation due to password reset or security events. Here are some possible steps you can take:

    1. Try to check the token expiration time and refresh tokens before making any Graph API requests. Ensure that the refresh token has not expired.
    2. You can try to implement a token refresh mechanism that automatically refreshes the access token when it is close to expiration. You can use the refresh_token grant type to obtain a new access token.
    3. If the user's password is reset or the user's account is deleted or disabled, the refresh token will become invalid. In this case, you will need to prompt the user to re-authenticate and grant permission again.

    You can use the Microsoft Graph API to retrieve the sign-in logs and audit logs. Relevant documentation can be found here: Microsoft Graph API sign-in and audit logs.

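The refresh loop the answer above describes, written out as an added example (this is not code from the thread or from Microsoft). Two practical points it bakes in: an Entra ID refresh token is opaque to the client, so there is no local expiry to inspect and the only reliable check is to attempt the refresh and handle the token endpoint's error body; and the endpoint returns `invalid_grant` (with an `AADSTS` code in `error_description`) when the refresh token has been revoked, for example after a password reset or account disable, which is the signal to flag the user for re-consent rather than retry. The `client_id`/`client_secret` values, the per-user `record` dict and the `SAMPLE_*` response bodies are constructed for illustration and only mirror the shape of the v2.0 token endpoint's JSON; the `offline_access` scope is what causes a refresh token to be issued in the first place.

```python
"""Refresh-token handling for Microsoft Graph: refresh before expiry, detect revocation."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REFRESH_MARGIN_SECONDS = 300  # refresh when under 5 minutes of access-token life remain


class ReauthRequired(Exception):
    """The stored refresh token is unusable; the user must go through the authorize flow again."""


def post_form(url, form):
    """Real HTTP POST of a form body. Returns (status, parsed JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # the token endpoint answers 400 with a JSON error body
        return err.code, json.loads(err.read() or b"{}")


def refresh_tokens(client_id, client_secret, refresh_token, scope,
                   tenant="common", post=post_form, now=time.time):
    """Exchange a refresh token for a new access token (and normally a new refresh token)."""
    status, body = post(TOKEN_URL.format(tenant=tenant), {
        "client_id": client_id,          # hypothetical app registration values
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    })
    if status == 200 and "access_token" in body:
        return {
            "access_token": body["access_token"],
            # Entra ID rotates refresh tokens: persist the new one or the next refresh fails
            "refresh_token": body.get("refresh_token", refresh_token),
            "expires_at": now() + int(body.get("expires_in", 3600)),
        }
    error = body.get("error", "")
    if error in ("invalid_grant", "interaction_required"):
        # Revoked/expired grant (password reset, disabled account, admin revocation, MFA policy):
        # retrying will not help, so surface it for a re-consent prompt.
        raise ReauthRequired(
            f"{error} (AADSTS codes {body.get('error_codes')}): {body.get('error_description', '')[:160]}"
        )
    raise RuntimeError(f"token endpoint returned {status}: {error} {body.get('error_description', '')[:160]}")


def access_token_for(record, refresher, now=time.time):
    """Return (access_token, record) for one user, refreshing first if the token is near expiry.

    record holds the per-user state {"access_token", "refresh_token", "expires_at"}.
    refresher(refresh_token) performs the exchange and may raise ReauthRequired.
    """
    if record["expires_at"] - now() > REFRESH_MARGIN_SECONDS:
        return record["access_token"], record
    new_record = refresher(record["refresh_token"])
    return new_record["access_token"], new_record


# Constructed sample responses shaped like the v2.0 token endpoint's JSON (not captured traffic).
SAMPLE_OK = (200, {"token_type": "Bearer", "scope": "Calendars.Read", "expires_in": 3599,
                   "access_token": "eyJ0eXAi.access.new", "refresh_token": "0.Arefresh.new"})
SAMPLE_REVOKED = (400, {"error": "invalid_grant", "error_codes": [50173],
                        "error_description": "AADSTS50173: The provided grant has expired due to "
                                             "it being revoked, a fresh auth token is needed."})


def canned(response):
    """Build a fake post() that ignores the request and returns a fixed (status, body)."""
    return lambda url, form: response


def demo():
    """Offline walk-through: a near-expiry token is refreshed; a revoked one raises ReauthRequired."""
    fixed_now = 1_700_000_000
    clock = lambda: fixed_now
    record = {"access_token": "eyJ.access.old", "refresh_token": "0.Arefresh.old",
              "expires_at": fixed_now + 60}  # 60 s left: inside the refresh margin

    def refresher(refresh_token, response):
        return refresh_tokens("app-id", "app-secret", refresh_token,
                              "offline_access Calendars.Read", post=canned(response), now=clock)

    token, record = access_token_for(record, lambda rt: refresher(rt, SAMPLE_OK), now=clock)
    results = {"refreshed_token": token, "new_refresh_token": record["refresh_token"],
               "expires_at": record["expires_at"], "reauth": None}
    try:
        refresher(record["refresh_token"], SAMPLE_REVOKED)
    except ReauthRequired as err:
        results["reauth"] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the `record` returned by `access_token_for` must be written back to storage every time, because the refresh token that came back replaces the old one; losing it is a common self-inflicted cause of "random" `invalid_grant` errors. A `ReauthRequired` should mark the user's calendar connection as needing attention and trigger the re-consent UX, not an automatic retry loop against the token endpoint.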

  2. Aaron Johnson 0 Reputation points
    2024-12-16T21:25:57.82+00:00

    For this:

    If the user's password is reset or the user's account is deleted or disabled, the refresh token will become invalid.

    is that true for all scopes? i.e.: a password reset (which happens for a lot of big corporate accounts every 90 days) will wipe out the refresh token that our application has for that user, and they'll have to re-authenticate with us? Asking because we've been working with the Google Calendar APIs for years, and a password reset on the Google side will only expire the refresh token if we ask for Gmail scopes, which we don't:

    https://developers.google.com/identity/protocols/oauth2#expiration

    so if it's true that Graph API refresh tokens expire for all scopes on Microsoft, we'll likely have to build a much more robust flow for asking users to give us access again.

    AJ

