
How to get Refresh tokens through MSAL

Jakob Olason 0 Reputation points
2024-10-22T09:26:53.8766667+00:00

This might be a very simple question, with a very simple answer. But I have been looking for hours, and I simply can't find a straightforward answer.

In this project, we are still using .acquireTokenByCode - we know it is not recommended - which gives no refresh tokens. This means when the access token expires, the user needs to log out/in.

const tokenResponse = await msalInstance.acquireTokenByCode(req.session.authCodeRequest);

which gets its scopes from

https://graph.microsoft.com/.default

NOTE: We use an Entra platform to manage scopes etc.

and authCodeRequest is configured using a standard function redirectToAuthCodeUrl provided by Microsoft. Now the problem is that this gives account information and accessToken, but no refresh token.

I tried this:

const silentRequest = {
    account: tokenResponse.account,
    scopes: ["https://graph.microsoft.com/.default", "offline_access"],
    forceRefresh: false,
};
const tokenResp = await msalInstance.acquireTokenSilent(silentRequest);

which also did not yield any refresh tokens, and only works if the accessToken is valid. If not, it gives me an error saying the obvious - that I have an invalid authentication token - which just makes me feel even more lost.

I have attempted to research this topic, but the documentation is very wonky and inconsistent when trying to learn authentication - and not necessarily understanding what needs to be done on the backend and frontend - so I am reaching out for a sweet and understanding soul to explain how I can gain those refresh tokens, if it even is possible.

Kind regards, Jakob Olason

Just bonus info, on which redirectToAuthCodeUrl I'm talking about:

async function redirectToAuthCodeUrl(req, res, next, authCodeUrlRequestParams, authCodeRequestParams) {
    // Generate PKCE Codes before starting the authorization flow
    const { verifier, challenge } = await cryptoProvider.generatePkceCodes();

    // Set generated PKCE codes and method as session vars
    req.session.pkceCodes = {
        challengeMethod: "S256",
        verifier: verifier,
        challenge: challenge,
    };

    /**
     * By manipulating the request objects below before each request, we can obtain
     * auth artifacts with desired claims. For more information, visit:
     * https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationurlrequest
     * https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_node.html#authorizationcoderequest
     **/

    req.session.authCodeUrlRequest = {
        redirectUri: REDIRECT_URI,
        responseMode: "form_post", // recommended for confidential clients
        codeChallenge: req.session.pkceCodes.challenge,
        codeChallengeMethod: req.session.pkceCodes.challengeMethod,
        ...authCodeUrlRequestParams,
    };

    req.session.authCodeRequest = {
        redirectUri: REDIRECT_URI,
        code: "",
        ...authCodeRequestParams,
    };

    // Get url to sign user in and consent to scopes needed for application
    try {
        const authCodeUrlResponse = await msalInstance.getAuthCodeUrl(req.session.authCodeUrlRequest);
        res.redirect(authCodeUrlResponse);
    } catch (error) {
        next(error);
    }
}

1 answer

  1. Vasil Michev 126.2K Reputation points MVP Volunteer Moderator
    2024-10-22T16:32:38.6233333+00:00

    MSAL does not expose refresh tokens; they changed this way back.

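As an added example (not code from the question, the answer or Microsoft's own sample), this is how a confidential-client web app on @azure/msal-node renews Graph access tokens silently without ever seeing the refresh token: it stays in MSAL's token cache, which is persisted per user session. It assumes the `msalInstance` (a ConfidentialClientApplication) and the express `req` with session middleware named in the question; the session keys `msalCache` and `homeAccountId` are made up.

```javascript
// Added example (not from the question, the answer or Microsoft's sample).
// MSAL Node never hands the refresh token to the app: it stays in MSAL's token
// cache, and acquireTokenSilent uses it once the access token has expired.
// `msalInstance` and `req` are the question's names; session keys are made up.

// By default MSAL Node adds openid, profile and offline_access to the
// authorization request, so a refresh token is issued and cached after
// acquireTokenByCode; it just never appears in the response object.
const GRAPH_SCOPES = ["https://graph.microsoft.com/.default"];

// The default cache is in-memory, per process and shared by every user, so
// keep each user's copy of it in their own session instead.
function saveCache(msalInstance, req) {
    req.session.msalCache = msalInstance.getTokenCache().serialize();
}

function loadCache(msalInstance, req) {
    if (req.session.msalCache) msalInstance.getTokenCache().deserialize(req.session.msalCache);
}

// Call right after acquireTokenByCode: record which account this session
// belongs to and persist the cache that now holds its refresh token.
function rememberLogin(msalInstance, req, tokenResponse) {
    req.session.homeAccountId = tokenResponse.account.homeAccountId;
    saveCache(msalInstance, req);
}

// Returns a Graph access token, renewed silently from the cached refresh token
// when needed, or null when the user must sign in again (no account, or the
// refresh token is missing, expired or revoked) so the caller can redirect.
async function getGraphToken(msalInstance, req) {
    loadCache(msalInstance, req);
    const accounts = await msalInstance.getTokenCache().getAllAccounts();
    const account = accounts.find((a) => a.homeAccountId === req.session.homeAccountId);
    if (!account) return null;
    try {
        const result = await msalInstance.acquireTokenSilent({
            account,
            scopes: GRAPH_SCOPES,
            forceRefresh: false, // true would bypass the cached access token every call
        });
        saveCache(msalInstance, req); // the cache now contains the renewed tokens
        return result.accessToken;
    } catch (err) {
        // MSAL throws this when the refresh token can no longer be used.
        if (err.name === "InteractionRequiredAuthError") return null;
        throw err;
    }
}
```

A null return is the signal to send the user back through redirectToAuthCodeUrl rather than calling Graph with an expired token.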
