Can keep access graph api by refresh token?

problem asker 61 Reputation points
2022-02-09T06:50:26.747+00:00

I want to confirm is it possible to keep access graph api by save new refresh token? (Azure AD tenant)

Refresh token has 90 days lifetime (refresh token), and I can get new refresh token from oauth2 api.

api:
POST https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token
grant_type=refresh_token&client_id={AAD id}&refresh_token={refresh_token}

this api will response new refresh token, and this new refresh token will has new 90 days lifetime?

It means if send oauth2 api (grant_type=refresh_token) in period (ex: every 30 days), and always use new refresh token from response, then can keep access graph api forever? (except refresh token revoked)

172464-%E6%88%AA%E5%9C%96-2022-02-09-%E4%B8%8B%E5%8D%8820709.png

  • If this is possible, is there any risk? (I know if newest refresh token revoked, must re-auth again)
  • And this way will depend on different authentication protocol for Azure AD tenant? like device code/auth code/password?
  • And what's the best way to revoke old refresh token?

I found related Q & A:
Refresh token lifetime and refresh - it seems possible to keep access graph api by save new refresh token

For how long I can keep using the refresh token - from NagarjunaBorra-1157's reply seems it is not possible

Thanks for your help.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,652 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,564 questions
0 comments
Accepted answer
  1. CarlZhao-MSFT 37,216 Reputation points
    2022-02-09T10:35:30.547+00:00

    Hi @problem asker

    this api will response new refresh token, and this new refresh token will has new 90 days lifetime?

    Yes, sure.

    It means if send oauth2 api (grant_type=refresh_token) in period (ex: every 30 days), and always use new refresh token from response, then can keep access graph api forever? (except refresh token revoked)

    Of course, as long as your refresh token is still in the lifetime, then you can use it to get new access token and refresh token to achieve permanent access to graph api. The new refresh token you get will also have a lifetime of 90 days, it lifetime is not affected by your initial refresh token.

    If this is possible, is there any risk?

    It's not risky because the refresh token is kept in your client cookie, it's just a string of encrypted code and not in JWT format and only the Microsoft identity platform can read them. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant.

    And this way will depend on different authentication protocol for Azure AD tenant? like device code/auth code/password?

    This has nothing to do with your authentication protocol.

    And what's the best way to revoke old refresh token?

    There is currently no way to revoke the old refresh token, you just need to not use it, it will expire automatically after the lifetime expires. There is a way to revoke all refresh tokens though, but this will also invalidate your new refresh token.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest