Azure AD B2C: How to get the refresh token in a MVC app?

Carol Lai 526 Reputation points
2021-03-08T15:04:04.527+00:00

I have obtained an ID token via a custom policy. How to get a refresh token for requesting a new ID token upon expiration?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,770 questions
{count} votes

Accepted answer
  1. Carol Lai 526 Reputation points
    2021-04-14T15:08:42.817+00:00

    I add the following options in appsettings.json

    "OpenIdConnect": {
    "ResponseType": "code id_token token",
    "Scope": [ "offline_access", "https://xxx.onmicrosoft.com/5969af44-e92c-44d1-8b45-9890304d1c19/Management" ],
    "SaveTokens": "true" // Save access token and refresh token
    `}

    and the following to the ConfigureServices(IServiceCollection services) method in Startup.cs

    services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
    {
    Configuration.Bind("OpenIdConnect", options);
    }

    Then use the following call to get new access token in my razor page

    var accessToken = HttpContext.GetTokenAsync("access_token").Result;

    The saved refresh token is being used behind the scene to get that new access token.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee
    2021-03-09T09:09:11.797+00:00

    @Carol Lai Thanks for reaching out.

    Can you let us know which Oauth Flow are you using with the app ?
    If it is Authorization code grant flow which is most common, you need to utilize the token endpoint with scope sent as "offline_access"
    Read more here

    If the above does not help, please show us how are you doing it and how are you getting the access token.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


  2. VipulSparsh-MSFT 16,256 Reputation points Microsoft Employee
    2021-03-16T05:18:11.71+00:00

    @Carol Lai Can you confirm if you are using MSAL for .net as the library to make these calls or using OWIN as the middleware for implementing OIDC.

    Either using MSAL library or OWIN middleware, both automatically fetches the required tokens from B2C.
    Here is the code for your reference : https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi

    When you run this solution, you would find id_token, access_token and refresh_token are issued by B2C and also the scope is sent as offline_access, based on which the refresh token is issued.

    It is advisable to use MSAL as the library handles all the token issuance and maintains the same in the application cache. MSAL also helps in making the silent call which utilizes the refresh token to fetch another access-token from the IDP, in this case B2C.

    AcquireTokenSilentAsync is the process by which refresh_token is used to get new access_token, but, this is internally done. See AcquireTokenSilentAsync using a cached token for more details and other access patterns.

    The B2C policies (User FLows/Custom Policies) doesnt have an impact on scopes that can be used in the application. The policy only controls the lifetime of the tokens and that can be configured within the B2C policies. To read more on that you refer here:
    https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy