Menu
I'm developing an SPA with Azure AD B2C as the identity provider. I'm using the MSAL JavaScript library and it's mostly working fine. I can create users, log in and get access tokens for my Web API back-end.
The only issue at the moment is that the B2C endpoint is not returning refresh tokens so when the access token expires, the acquireTokenSilent method in the UserAgentApplication class, which is meant to refresh expired access tokens using the refresh token, fails.
My application in B2C is configured with "Include web app / web API" and "Allow implicit flow" set to "Yes" in its Properties. In the API Access section, both the "openid" and "offline_access" scopes are ticked under "Access the user's profile". The application itself has "read", "write" and "user_impersonation" scopes (not sure if that matters).
"offline_access" is included in my scopes and I event tried creating an application one, like the read/write scopes and include that as well (as "https://mytenant.onmicrosoft.com/testapp/offline_access") but nothing seems to work. The responses never have a refresh token, neither for the id token not for the access token.
What I have noticed is that when I go to the SignUp-SignIn policy I created and try to run the endpoint from there, the "offline_access" scope isn't even available in the drop-down. Even if I copy the "run endpoint" link at the bottom and add the scope to the URL before running it, the response doesn't include a refresh token.
When I click on the link at the top, it seems to give me some details about the endpoint and only "openid" is under the supported scopes.
Not sure what I'm missing here so any ideas would be appreciated.
807
asked Aug 13 '17 18:08
You also can use the openid scope to request an ID token from Azure AD B2C. The authorization code that you acquired in from the /authorize endpoint. The redirect URI of the application where you received the authorization code.
Get a refresh token. To get a refresh token, you send a request to your Okta Authorization Server. The only flows that support refresh tokens are the authorization code flow and the resource owner password flow.
If that happens your API call will fail and you'll need to request authorization again to get new tokens. Refresh tokens expire after 180 days.
Refresh tokens never expire, unless revoked by the user.
The Run Now link generates an auth request that uses the implicit flow to log in. Implicit flows, by definition, do not allow you to obtain a refresh token due to security reasons. Therefore, the drop down does not give you the offline_access scope since it won't work. If you want a refresh token, you need to run through the confidential code flow. If you choose to, you can do this by manually modifying the URL that the "Run now" link generates. Specifically, in the URL:
Set response_type=code (not token)
Add "offline_access" to the list of scopes
Once you obtain a code, make a POST request as shown in the documentation to exchange the code for a refresh token.
92
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
