Authorization code + PKCE forces me to get an unsecured refresh token

Rémy BEULE DAUZAT 21 Reputation points
2020-11-06T11:04:38.427+00:00

Hello

I'm trying to implement the Authorization code + PKCE flow, but I have a security problem with the refresh token.
I have an Angular SPA calling a backend.

When I call the token endpoint to get my access token, I automatically get a refresh token. I didn't ask for it, but I still get it.
It seems to be forced by Azure: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-individual-user-consent

I didn't include the offline_access scope. Is there a way to not receive the refresh token?

Another big problem for me: the first refresh token is not revoked when we ask for a new refresh token. There is no token rotation.
The token (and its children) is not revoked if we reuse it or when we create a new one from it.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token

All of that is a security concern for me and has a big impact on my potential usage of Authorization code + PKCE and on my UX.

Did I miss something? Is there a good practice for managing the refresh token in the frontend?

Thanks a lot


Accepted answer
  1. 2020-11-06T16:44:20.847+00:00

    Hi again. The offline_access scope (the one that requests a refresh token) is a default one. It is added to Azure AD as part of Azure AD's OAuth 2.0/OpenID Connect compliance. It is not part of any particular API. Also, currently there's no way to disable it.

    Refresh tokens do not get invalidated when new ones are issued.

    Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.

    1 person found this answer helpful.
