Why without Consent AzureAD Application Refresh Token gets delivered

Maik Brauer 0 Reputation points
2024-04-13T12:17:40.4+00:00

I am trying to get an access_token and refresh_token. For this I am doing an OAuth2 call with the help of

https://login.microsoftonline.com/{{ Tenant-ID }}/oauth2/v2.0/authorize?......

where the response_type is code. With the help of the code, the next request is the token call

https://login.microsoftonline.com/{{ Tenant-ID }}/oauth2/v2.0/token

with the scope:

--data-urlencode 'scope=https://graph.microsoft.com/user.read offline_access'

Now, when I only allow the consent "User.Read" and I put the scope "offline_access" inside the URL request, I am getting the refresh_token delivered anyway, even though it should not be allowed, as the "offline_access" API permission is NOT configured/allowed in the Azure Portal / Application.

But nevertheless I am getting:

"token_type": "Bearer",
"scope": "profile openid email https://graph.microsoft.com/User.Read",
"expires_in": 4428,
"ext_expires_in": 4428,
"access_token": "eyJ0eXAiOiJKV1QiLCJu..............",
"refresh_token": "0.AUcAuGA_3_QwX0CgVgAhyncAz5epG.................."
}

From what I have read, we need to add and approve the consent for that ("offline_access"). Any idea why it is getting delivered in the response anyway? Thanks.


1 answer

Gudivada Adi Navya Sri 21,090 Reputation points Moderator
    2024-04-17T08:53:17.58+00:00

    Hi @Maik Brauer

    Thank you for posting this in Microsoft Q&A.

    I understand your question: why does the Azure AD application refresh token get delivered without consent?

    In general, there are two types of consents: one is user consent (1) and another is admin consent (2).

    User consent is usually initiated when a user signs in to an application. After the user has provided sign-in credentials, they're checked to determine whether consent has already been granted. During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization).

    If an admin has given scope consent via the application in Microsoft Entra, the user does not get a consent prompt. If no previous record of user or admin consent for the required permissions exists, the user is directed to the consent prompt window to grant the application the requested permissions.

    I hope you have seen a consent prompt similar to the one in the image below.

    By clicking 'accept', you agree to all the permissions included in the request.

    "We need to add and approve the consent for that ("offline_access")."

    The scope parameter in Microsoft's authorization code flow allows apps to declare the resource they want the token for during token redemption. We can add the offline_access scope while requesting an access token without adding it to the application. Furthermore, the offline_access scope does not require admin consent. We can receive a consent prompt when requesting an authorization code.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

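Added example (not code from the question or the answer): it builds the authorize and token requests described in the thread and audits a token response for a delivered refresh token. Because Entra does not echo offline_access in the returned "scope" string (see the response quoted in the question), the presence of "refresh_token" is the signal to check. Tenant ID, client ID, redirect URI and token values are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# v2.0 endpoints from the question; {tenant} is filled in per call
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Authorization request (response_type=code) with a space-joined scope."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value the caller must verify on return
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def build_token_body(client_id, client_secret, code, redirect_uri, scopes):
    """Form body for POST .../token, same fields as the curl call in the question."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }


def audit_token_response(requested_scopes, response_json):
    """Compare what was requested with what came back and flag long-lived access."""
    resp = json.loads(response_json)
    granted = resp.get("scope", "").split()
    granted_lower = {s.lower() for s in granted}
    requested_offline = "offline_access" in requested_scopes
    has_refresh = "refresh_token" in resp
    return {
        "refresh_token_issued": has_refresh,
        "offline_access_requested": requested_offline,
        # Entra omits offline_access from the scope string, so this is normally False
        "offline_access_in_scope_string": "offline_access" in granted_lower,
        # a refresh token nobody asked for deserves a look in the app registration
        "unrequested_refresh_token": has_refresh and not requested_offline,
        "missing_scopes": [s for s in requested_scopes
                           if s != "offline_access" and s.lower() not in granted_lower],
        "granted_scopes": sorted(granted),
    }


# Constructed sample: the response shape quoted in the question, tokens replaced by placeholders
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "scope": "profile openid email https://graph.microsoft.com/User.Read",
    "expires_in": 4428, "ext_expires_in": 4428,
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
    "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
})
REQUESTED_SCOPES = ["https://graph.microsoft.com/user.read", "offline_access"]
```

Run audit_token_response(REQUESTED_SCOPES, SAMPLE_RESPONSE) to reproduce the thread's case: refresh_token_issued is True while offline_access_in_scope_string is False, and missing_scopes is empty because User.Read matched case-insensitively.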