I have obtained an ID token via a custom policy. How do I get a refresh token for requesting a new ID token upon expiration?
I add the following options to appsettings.json:
"ResponseType": "code id_token token",
"Scope": [ "offline_access", "https://xxx.onmicrosoft.com/5969af44-e92c-44d1-8b45-9890304d1c19/Management" ],
"SaveTokens": "true" // Save access token and refresh token
and the following to the ConfigureServices(IServiceCollection services) method in Startup.cs:
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    // the options set in this lambda were not included in the post
});
Then I use the following call to get a new access token in my Razor page (awaited rather than blocking on .Result, which can deadlock or starve the thread pool in ASP.NET Core):
var accessToken = await HttpContext.GetTokenAsync("access_token");
The saved refresh token is being used behind the scenes to get that new access token.
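An added example, not code from the post or from Microsoft's samples, that completes the Startup wiring above and shows the refresh exchange explicitly: SaveTokens persists access_token, refresh_token and expires_at in the authentication cookie, and this helper redeems the stored refresh_token at the B2C token endpoint when the saved access token is near expiry, then writes the rotated tokens back so later GetTokenAsync calls see them. The token endpoint URL, client id, client secret and API scope are assumed configuration values.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
public static class B2CTokenRefresh
{
    // Startup.ConfigureServices: request a refresh token and keep all tokens in the auth cookie.
    public static void Configure(IServiceCollection services, string apiScope)
    {
        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            options.ResponseType = "code id_token token";
            options.Scope.Add("offline_access"); // without this B2C issues no refresh_token
            options.Scope.Add(apiScope);
            options.SaveTokens = true;           // persists access_token, refresh_token, expires_at
        });
    }
    // Redeems the saved refresh_token when the saved access token is near expiry (tokenEndpoint, clientId, clientSecret: hypothetical config values).
    public static async Task<string> GetAccessTokenAsync(HttpContext ctx, HttpClient http, string tokenEndpoint, string clientId, string clientSecret, string apiScope)
    {
        var expiresAt = await ctx.GetTokenAsync("expires_at"); // ISO 8601 string written by the OIDC handler
        if (expiresAt != null && DateTimeOffset.Parse(expiresAt, CultureInfo.InvariantCulture) > DateTimeOffset.UtcNow.AddMinutes(5))
            return await ctx.GetTokenAsync("access_token"); // still fresh: no round trip to B2C
        var refreshToken = await ctx.GetTokenAsync("refresh_token") ?? throw new InvalidOperationException("no refresh_token saved; the user must sign in again");
        using var resp = await http.PostAsync(tokenEndpoint, new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token", ["client_id"] = clientId, ["client_secret"] = clientSecret,
            ["refresh_token"] = refreshToken, ["scope"] = $"{apiScope} offline_access",
        }));
        resp.EnsureSuccessStatusCode(); // revoked or expired refresh token -> 400 invalid_grant: re-authenticate
        var root = JsonDocument.Parse(await resp.Content.ReadAsStringAsync()).RootElement;
        var newAccess = root.GetProperty("access_token").GetString();
        var exp = root.GetProperty("expires_in"); // B2C may return this as a string rather than a number
        var seconds = exp.ValueKind == JsonValueKind.String ? int.Parse(exp.GetString()) : exp.GetInt32();
        // Write the rotated tokens back into the cookie so later GetTokenAsync calls see them.
        var auth = await ctx.AuthenticateAsync();
        auth.Properties.UpdateTokenValue("access_token", newAccess);
        auth.Properties.UpdateTokenValue("expires_at", DateTimeOffset.UtcNow.AddSeconds(seconds).ToString("o", CultureInfo.InvariantCulture));
        if (root.TryGetProperty("refresh_token", out var rt)) auth.Properties.UpdateTokenValue("refresh_token", rt.GetString());
        await ctx.SignInAsync(auth.Principal, auth.Properties);
        return newAccess;
    }
}
```

If B2C rotates the refresh token on each redemption, the stored one must be replaced as above or the next refresh fails with invalid_grant.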
@CarolLai-5934 Thanks for reaching out.
Can you let us know which OAuth flow you are using with the app?
If it is the authorization code grant flow, which is the most common, you need to utilize the token endpoint with the scope sent as "offline_access".
Read more here
If the above does not help, please show us how you are doing it and how you are getting the access token.
If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
@CarolLai-5934 Can you confirm whether you are using MSAL for .NET as the library to make these calls, or using OWIN as the middleware for implementing OIDC?
Whether you use the MSAL library or the OWIN middleware, both automatically fetch the required tokens from B2C.
Here is the code for your reference : https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
When you run this solution, you will find that id_token, access_token and refresh_token are issued by B2C, and also that the scope is sent as offline_access, based on which the refresh token is issued.
It is advisable to use MSAL as the library handles all the token issuance and maintains the same in the application cache. MSAL also helps in making the silent call which utilizes the refresh token to fetch another access-token from the IDP, in this case B2C.
AcquireTokenSilentAsync is the process by which the refresh_token is used to get a new access_token, but this is done internally. See AcquireTokenSilentAsync using a cached token for more details and other access patterns.
The B2C policies (User Flows/Custom Policies) don't have an impact on the scopes that can be used in the application. The policy only controls the lifetime of the tokens, and that can be configured within the B2C policies. To read more on that, refer here: