Retrieving MSAL Refresh Token

Harsha Vardhini 30 Reputation points
2023-10-29T18:08:01.24+00:00

Is there a workaround to get the refresh token using MSAL as it is not directly retrievable and my app may need it for later use? Additionally, what is the expiry time for refresh tokens for applications other than SPA, since this is not indicated? The use case for the refresh token is to authenticate a user again after server restarts and cache is cleared. I have tried using acquireTokenSilently and caching tokens in my database, however, the token still cannot be retrieved.


3 answers

  1. Konstantinos Passadis 19,586 Reputation points MVP
    2023-10-29T18:28:16.6066667+00:00

    Hello @harsha vardhini !

    I suggest to have a look here

    https://learn.microsoft.com/en-us/entra/msal/dotnet/how-to/token-cache-serialization?tabs=aspnetcore

    --> Acquire Token Silently: acquireTokenSilently() is designed to retrieve tokens with no user interaction, and it will automatically use the refresh token

    ALSO:

    For the middle-tier service to make authenticated requests to the downstream service, it needs to secure an access token from the Microsoft identity platform. It only uses delegated scopes and not application roles. Roles remain attached to the principal (the user) and never to the application operating on the user's behalf. This occurs to prevent the user gaining permission to resources they shouldn't have access to.

    https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-on-behalf-of-flow

    The expiration time:

    Refresh token MaxInactiveTime will be 90 days and MaxAgeMultiFactor will be until revoked.

    Token lifetime behavior

    You can configure the token lifetime, including:

    • Access and ID token lifetimes (minutes) - The lifetime of the OAuth 2.0 bearer token and ID tokens. The default is 60 minutes (1 hour). The minimum (inclusive) is 5 minutes. The maximum (inclusive) is 1,440 minutes (24 hours).
    • Refresh token lifetime (days) - The maximum time period before which a refresh token can be used to acquire a new access token, if your application had been granted the offline_access scope. The default is 14 days. The minimum (inclusive) is one day. The maximum (inclusive) 90 days.
    • Refresh token sliding window lifetime - The refresh token sliding window type. Bounded indicates that the refresh token can be extended as specified in the Lifetime length (days). No expiry indicates that the refresh token sliding window lifetime never expires.
    • Lifetime length (days) - After this time period elapses the user is forced to reauthenticate, irrespective of the validity period of the most recent refresh token acquired by the application. The value must be greater than or equal to the Refresh token lifetime value.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow#configure-token-lifetime


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  2. Konstantinos Passadis 19,586 Reputation points MVP
    2023-10-30T12:49:23.4733333+00:00

    Hello @harsha vardhini !

    Yes:

    https://learn.microsoft.com/en-us/entra/msal/dotnet/how-to/token-cache-serialization?tabs=aspnetcore

    Public client applications (desktop and mobile apps) should try to get a token from the cache before acquiring a token by another method. Acquisition methods on confidential client applications manage the cache themselves. This article discusses default and custom serialization of the token cache in MSAL.NET.

    https://learn.microsoft.com/EN-us/entra/identity-platform/msal-acquire-cache-tokens

    Several of the platforms supported by MSAL have additional token cache-related information in the documentation for that platform's library. For example:


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards


  3. Admin SIQ Office365 0 Reputation points
    2024-05-16T07:03:55.79+00:00

    Hi @Konstantinos Passadis ,

    I am getting the access token with the help of the code below:

    import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
    import com.microsoft.aad.msal4j.ClientCredentialFactory;
    import com.microsoft.aad.msal4j.ConfidentialClientApplication;
    import com.microsoft.aad.msal4j.IAuthenticationResult;
    import java.net.URI;
    import java.util.Collections;
    import java.util.concurrent.CompletableFuture;

    // Confidential client (web app) authenticated with a client secret.
    final ConfidentialClientApplication app =
            ConfidentialClientApplication.builder(
                            config.getAzureOAuthClientId(), ClientCredentialFactory.createFromSecret(config.getAzureOAuthClientSecret()))
                    .authority(config.getAzureOAuthAuthority())
                    .build();

    // Redeem the authorization code returned to the redirect URI; the result carries the access token
    // (the refresh token goes into this app instance's in-memory token cache and is not exposed).
    AuthorizationCodeParameters params = AuthorizationCodeParameters.builder(authorizationCode, new URI(getRedirectUrl())).scopes(Collections.singleton("scope")).build();
    CompletableFuture<IAuthenticationResult> future = app.acquireToken(params);
    IAuthenticationResult result = future.get();
    

    Now my requirement is to get new access token silently. Can you please guide me how to get that?
    I have tried the code below, but it is returning null.

    import com.microsoft.aad.msal4j.IAuthenticationResult;
    import com.microsoft.aad.msal4j.PublicClientApplication;
    import com.microsoft.aad.msal4j.SilentParameters;
    import java.util.Collections;

    // A brand-new public client instance: its in-memory token cache starts empty and is separate
    // from the confidential client's cache above.
    PublicClientApplication pca = PublicClientApplication.builder(config.getAzureOAuthClientId())
            .authority(config.getAzureOAuthAuthority())
            .build();

    // Silent request built without an IAccount, so no cached account/refresh token is looked up.
    SilentParameters silentParameters =
             SilentParameters
                     .builder(Collections.singleton("user.read"))
                     .build();
    IAuthenticationResult result = pca.acquireTokenSilently(silentParameters).join();
    

    Thank you!

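The token cache serialization that the first two answers link to, and the "acquire silently after a server restart" scenario from the question and the post above, put together in one worked example. This is an added illustration written for this page, not code from the thread, from MSAL4J, or from Microsoft's docs. The MSAL4J types used (ConfidentialClientApplication, ITokenCacheAccessAspect, ITokenCacheAccessContext, SilentParameters, IAccount) are real; the names CACHE_DB, DbTokenCache, buildApp, redeemCode and renewSilently are hypothetical, and CACHE_DB is a constructed in-memory stand-in for the database row the question mentions. MSAL never hands the refresh token to your code; instead you persist the whole serialized cache and, after restart, rebuild the client on the same cache and ask for the token silently with the user's account:

```java
import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.ITokenCacheAccessAspect;
import com.microsoft.aad.msal4j.ITokenCacheAccessContext;
import com.microsoft.aad.msal4j.SilentParameters;

import java.net.URI;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletionException;
import java.util.concurrent.ConcurrentHashMap;

public class PersistentCacheExample {

    // Constructed stand-in for a database table: rowKey -> serialized MSAL cache (JSON).
    // The blob contains refresh tokens, so in a real deployment encrypt it at rest.
    static final Map<String, String> CACHE_DB = new ConcurrentHashMap<>();

    // Hypothetical persistence hook: MSAL calls beforeCacheAccess/afterCacheAccess around
    // every cache read or write, which is where the cache is loaded from and saved to the DB.
    static class DbTokenCache implements ITokenCacheAccessAspect {
        private final String rowKey;

        DbTokenCache(String rowKey) { this.rowKey = rowKey; }

        @Override
        public void beforeCacheAccess(ITokenCacheAccessContext ctx) {
            String data = CACHE_DB.get(rowKey);
            if (data != null) {
                ctx.tokenCache().deserialize(data); // hydrate MSAL's in-memory cache
            }
        }

        @Override
        public void afterCacheAccess(ITokenCacheAccessContext ctx) {
            if (ctx.hasCacheChanged()) {            // only write back when MSAL changed something
                CACHE_DB.put(rowKey, ctx.tokenCache().serialize());
            }
        }
    }

    // Build a confidential client wired to a persisted cache row (one row per signed-in user).
    static ConfidentialClientApplication buildApp(String clientId, String clientSecret,
                                                  String authority, String cacheRowKey) throws Exception {
        return ConfidentialClientApplication.builder(
                        clientId, ClientCredentialFactory.createFromSecret(clientSecret))
                .authority(authority)
                .setTokenCacheAccessAspect(new DbTokenCache(cacheRowKey))
                .build();
    }

    // Step 1 (first sign-in): redeem the authorization code. The refresh token lands in the
    // MSAL cache (and so in CACHE_DB via the aspect) but is never exposed on the result.
    static IAuthenticationResult redeemCode(ConfidentialClientApplication app, String authCode,
                                            String redirectUri, Set<String> scopes) throws Exception {
        AuthorizationCodeParameters params = AuthorizationCodeParameters
                .builder(authCode, new URI(redirectUri))
                .scopes(scopes)
                .build();
        return app.acquireToken(params).get();
    }

    // Step 2 (after a restart, on a NEW app instance built on the same cache row): find the
    // user's account in the cache and let MSAL redeem the cached refresh token silently.
    static Optional<IAuthenticationResult> renewSilently(ConfidentialClientApplication app,
                                                          String homeAccountId, Set<String> scopes) {
        Set<IAccount> accounts = app.getAccounts().join();
        Optional<IAccount> account = accounts.stream()
                .filter(a -> a.homeAccountId().equals(homeAccountId))
                .findFirst();
        if (!account.isPresent()) {
            return Optional.empty(); // nothing cached for this user: interactive sign-in needed
        }
        SilentParameters silent = SilentParameters.builder(scopes, account.get()).build();
        try {
            return Optional.of(app.acquireTokenSilently(silent).join());
        } catch (CompletionException e) {
            // Wraps MsalInteractionRequiredException when the refresh token is expired or
            // revoked; the caller should send the user back through the authorization code flow.
            return Optional.empty();
        }
    }
}
```

Usage: at sign-in, call redeemCode and store result.account().homeAccountId() alongside the user's session; after a restart, call buildApp with the same cache row key and then renewSilently with that homeAccountId. Two points a practitioner should not skip: the serialized cache is a credential store (treat the DB row like a password, encrypt it at rest with a key held outside the database, and key rows per user so one user's refresh token is never loaded for another's request), and an empty Optional must be handled by re-prompting the user rather than by retrying, since MSAL has already concluded the cached refresh token is unusable.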
