Azure AD B2C: How to get the refresh token in a MVC app?

I have obtained an ID token via a custom policy. How to get a refresh token for requesting a new ID token upon expiration?

azure-ad-b2b

@JitendraRai-2073
Are you suggesting me to switch from OpenIdConnect to Authorization-Code Grant flow of OAuth or OAuth2?

I'm using the methods provided from Microsoft.AspNetCore.Authentication.OpenIdConnect in my .Net Core 2.1 project. I don't call REST API directly. What package do I use in .Net Core 2.1 project to use the Authorization-Code Grant flow of OAuth or OAuth2 protocol?


CarolLai-5934 answered:

I add the following options in appsettings.json

    "OpenIdConnect": {
      "ResponseType": "code id_token token",
      "Scope": [ "offline_access", "https://xxx.onmicrosoft.com/5969af44-e92c-44d1-8b45-9890304d1c19/Management" ],
      "SaveTokens": "true" // Save access token and refresh token
    }


and the following to the ConfigureServices(IServiceCollection services) method in Startup.cs

    // Bind the "OpenIdConnect" section above onto the B2C OpenID Connect handler options
    services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
    {
        Configuration.Bind("OpenIdConnect", options);
    });


Then use the following call to get new access token in my razor page

    var accessToken = HttpContext.GetTokenAsync("access_token").Result;


The saved refresh token is being used behind the scene to get that new access token.
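As an added example (not the poster's code and not part of the Azure samples), the helper below reads the tokens that SaveTokens stored in the authentication cookie and, when the saved access token is close to expiry, exchanges the stored refresh_token at the B2C token endpoint of the policy for a fresh one. The tenant name "contoso", the policy name "B2C_1A_signup_signin", the API scope and the client id/secret values are placeholder assumptions; Newtonsoft.Json is used for parsing because it ships with ASP.NET Core 2.1.

```csharp
// Added example, not the poster's code. Tenant, policy and scope are placeholders.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json.Linq;

public class B2CTokenRefresher
{
    // B2C token endpoint is per policy:
    // https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
    private const string TokenEndpoint =
        "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/token";
    private const string Scope = "offline_access https://contoso.onmicrosoft.com/api/Management";
    private readonly HttpClient _http;
    private readonly string _clientId, _clientSecret;

    public B2CTokenRefresher(HttpClient http, string clientId, string clientSecret)
    { _http = http; _clientId = clientId; _clientSecret = clientSecret; }

    // Returns a usable access token; only calls the token endpoint when the saved one is about to expire.
    public async Task<string> GetAccessTokenAsync(HttpContext ctx)
    {
        var accessToken = await ctx.GetTokenAsync("access_token");
        var expiresAt = await ctx.GetTokenAsync("expires_at"); // written by the handler when SaveTokens is true
        if (accessToken != null && expiresAt != null &&
            DateTimeOffset.Parse(expiresAt, CultureInfo.InvariantCulture) > DateTimeOffset.UtcNow.AddMinutes(5))
            return accessToken;
        var refreshToken = await ctx.GetTokenAsync("refresh_token");
        if (string.IsNullOrEmpty(refreshToken))
            throw new InvalidOperationException("No refresh token saved: check the offline_access scope and SaveTokens.");
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret, // confidential client only; keep out of browser code and logs
            ["scope"] = Scope,
            ["refresh_token"] = refreshToken,
        });
        using (var response = await _http.PostAsync(TokenEndpoint, form))
        {
            // A revoked or expired refresh token comes back as 400 invalid_grant: re-challenge the user, do not retry.
            response.EnsureSuccessStatusCode();
            var json = JObject.Parse(await response.Content.ReadAsStringAsync());
            return (string)json["access_token"];
        }
    }
}
```

The refreshed access token is returned to the caller but not written back into the cookie; persisting it would require re-signing the principal with the updated tokens.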

vipulsparsh-MSFT answered:

@CarolLai-5934 Thanks for reaching out.

Can you let us know which OAuth flow you are using with the app?
If it is the Authorization code grant flow, which is the most common, you need to utilize the token endpoint with the scope sent as "offline_access".
Read more here.

If the above does not help, please show us how you are doing it and how you are getting the access token.



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

I'm using the custom policy in
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/master/LocalAccounts/TrustFrameworkBase.xml
Line 411 says <Protocol Name="OpenIdConnect" />

My target framework is .Net Core 2.1.
The following code gives me an id token in the form data when OnTokenValidated event is called.

    services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
        .AddAzureADB2C(o => Configuration.Bind("AzureADB2C", o));
    services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
    {
        var onTokenValidated = options.Events.OnTokenValidated;
        options.Events.OnTokenValidated = context =>
        {
            AzureAdOpendIdHandler.OnTokenValidated(context);
            return Task.CompletedTask;
        };
    });
Based on
https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect#get-a-token, what method in OpenIDConnect obtains the access and refresh tokens?


@CarolLai-5934 The same article shows that you can get an access token provided you go to the /token endpoint with Scope = offline_access in the request.


@vipulsparsh-MSFT
I don't know how to get the access and refresh tokens in my MVC app. Here are my questions.

  1. I get the id token only via the custom policy and the OpenIDConnect class. How can I get the code to return in the response? I cannot format the REST call because the OpenIDConnect class is the one that does the REST call.

  2. Are you saying that I can only obtain the token via a REST call? Is there a method in OpenIDConnect class I can use to obtain the access and refresh token?


vipulsparsh-MSFT answered:

@CarolLai-5934 Can you confirm whether you are using MSAL for .NET as the library to make these calls, or OWIN as the middleware for implementing OIDC?

Whether you use the MSAL library or the OWIN middleware, both automatically fetch the required tokens from B2C.
Here is the code for your reference : https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi

When you run this solution, you would find id_token, access_token and refresh_token are issued by B2C and also the scope is sent as offline_access, based on which the refresh token is issued.

It is advisable to use MSAL as the library handles all the token issuance and maintains the same in the application cache. MSAL also helps in making the silent call which utilizes the refresh token to fetch another access-token from the IDP, in this case B2C.

AcquireTokenSilentAsync is the process by which refresh_token is used to get new access_token, but, this is internally done. See AcquireTokenSilentAsync using a cached token for more details and other access patterns.

The B2C policies (User Flows/Custom Policies) don't have an impact on the scopes that can be used in the application. The policy only controls the lifetime of the tokens, and that can be configured within the B2C policies. To read more on that you can refer here:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy


I'm not using the following:
[image attachment]

I'm using
[image attachment]

Currently, it automatically fetches the id token and creates cookies. I have tried to change the ResponseType to OpenIdConnectResponseType.CodeIdToken, but it keeps re-signing in.
[image attachment]

Do you have an example using Microsoft.AspNetCore.Authentication.OpenIdConnect?