This API will respond with a new refresh token, and this new refresh token will have a new 90-day lifetime?
It means if I send the OAuth2 API request (grant_type=refresh_token) periodically (e.g. every 30 days), and always use the new refresh token from the response, then I can keep accessing the Graph API forever? (unless the refresh token is revoked)
Of course, as long as your refresh token is still within its lifetime, you can use it to get a new access token and refresh token to achieve permanent access to the Graph API. The new refresh token you get will also have a lifetime of 90 days; its lifetime is not affected by your initial refresh token.
If this is possible, is there any risk?
It's not risky because the refresh token is kept in your client cookie; it's just a string of encrypted code, not in JWT format, and only the Microsoft identity platform can read it. Refresh tokens are bound to a combination of user and client, but aren't tied to a resource or tenant.
And does this depend on the authentication protocol used for the Azure AD tenant, like device code/auth code/password?
This has nothing to do with your authentication protocol.
And what's the best way to revoke the old refresh token?
There is currently no way to revoke the old refresh token; you just need to not use it, and it will expire automatically at the end of its lifetime. There is a way to revoke all refresh tokens, though, but this will also invalidate your new refresh token.
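The rotation loop discussed in this thread, as an added Python example (not code from the question, the answer, or Microsoft): the client redeems its stored refresh token with grant_type=refresh_token, always keeps the newest refresh token from the response, and stops retrying as soon as the endpoint answers invalid_grant, which is what it returns once a token has aged out or all sessions have been revoked. The real token-endpoint URL is used with the "common" tenant and a placeholder client id; the FakeTokenEndpoint and FakeClock are constructed stand-ins so the demo runs offline, and they model only what the answer states (a fresh 90-day token on every redemption, old tokens valid until they expire, revoke-all killing the newest token as well).

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint; "{tenant}" is filled in by the caller.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REFRESH_TOKEN_LIFETIME = 90 * 24 * 3600  # 90 days, the figure given in the answer above
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"      # placeholder, not a real app registration
SCOPE = "https://graph.microsoft.com/.default offline_access"

class RefreshTokenRevoked(Exception):
    """Token endpoint answered invalid_grant: the refresh token expired or was revoked."""

class TokenStore:
    """Current refresh token plus its local issue time (in-memory for this example)."""
    def __init__(self, refresh_token, issued_at):
        self.refresh_token = refresh_token
        self.issued_at = issued_at

def build_refresh_request(client_id, refresh_token, scope):
    """Form fields for a grant_type=refresh_token redemption (public client, no secret)."""
    return {"client_id": client_id, "grant_type": "refresh_token",
            "refresh_token": refresh_token, "scope": scope}

def http_post_form(url, fields):
    """Real transport: POST the form and decode the JSON body, including 400 error bodies."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # invalid_grant arrives as HTTP 400 + JSON
        return json.load(err)

def rotate(store, tenant, client_id, scope, post=http_post_form, now=time.time):
    """Redeem the stored refresh token, keep the NEW one, return the access token.
    Raises RefreshTokenRevoked on invalid_grant so the caller falls back to sign-in."""
    resp = post(TOKEN_ENDPOINT.format(tenant=tenant),
                build_refresh_request(client_id, store.refresh_token, scope))
    if "error" in resp:
        if resp["error"] == "invalid_grant":
            raise RefreshTokenRevoked(resp.get("error_description", "invalid_grant"))
        raise RuntimeError("token endpoint error: " + resp["error"])
    if "refresh_token" in resp:  # only overwrite when a new refresh token was issued
        store.refresh_token = resp["refresh_token"]
        store.issued_at = now()
    return resp["access_token"]

class FakeClock:
    """Constructed clock the offline demo advances by hand."""
    t = 0.0
    def __call__(self):
        return self.t

class FakeTokenEndpoint:
    """Constructed stand-in for the real endpoint: each redemption issues a fresh 90-day
    token, old tokens stay valid until they age out, revoke_all() invalidates every token."""
    def __init__(self, clock):
        self.clock = clock
        self.issued = {"rt-0": clock()}  # refresh token -> issue time
        self.counter = 0
    def revoke_all(self):
        self.issued.clear()
    def __call__(self, url, fields):
        issued_at = self.issued.get(fields["refresh_token"])
        if issued_at is None or self.clock() - issued_at > REFRESH_TOKEN_LIFETIME:
            return {"error": "invalid_grant", "error_description": "token expired or revoked"}
        self.counter += 1
        new_rt = "rt-%d" % self.counter
        self.issued[new_rt] = self.clock()
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": "at-%d" % self.counter, "refresh_token": new_rt}

def refresh_rejected(store, endpoint, clock):
    """True when rotating `store` against the fake endpoint raises RefreshTokenRevoked."""
    try:
        rotate(store, "common", CLIENT_ID, SCOPE, post=endpoint, now=clock)
        return False
    except RefreshTokenRevoked:
        return True

def demo():
    """Rotate every 30 days for a year, then show the two ways a refresh token stops working."""
    clock = FakeClock()
    endpoint = FakeTokenEndpoint(clock)
    store = TokenStore("rt-0", clock())
    access_tokens = []
    for _ in range(12):  # a year of 30-day rotations, always keeping the newest token
        clock.t += 30 * 24 * 3600
        access_tokens.append(rotate(store, "common", CLIENT_ID, SCOPE, post=endpoint, now=clock))
    stale = TokenStore("rt-0", 0.0)  # the original token is now 360 days old: past 90 days
    stale_rejected = refresh_rejected(stale, endpoint, clock)
    endpoint.revoke_all()  # a revoke-all-sessions action invalidates the newest token too
    current_rejected = refresh_rejected(store, endpoint, clock)
    return {"access_tokens": access_tokens, "current_refresh_token": store.refresh_token,
            "stale_rejected": stale_rejected, "current_rejected_after_revoke_all": current_rejected}
```

Two design points worth noting from a defender's side: the store is overwritten only when the response actually carries a refresh_token, so a response without one never wipes a still-valid token, and invalid_grant is surfaced as its own exception rather than swallowed, so monitoring can distinguish "user revoked sessions" from a transient endpoint failure and the client re-authenticates instead of hammering a dead token.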