No refresh token when using Passport and passport-azure-ad

Question

I'm attempting to use Passport to connect to Office365. I up getting the auth prompt and the access token is returned. The issue is that the refresh token is undefined.

My Setup

// In app.js
const creds = {
    redirectUrl: 'http://localhost:3000/token',
    clientID: '<myClientId>',
    clientSecret: '<mySecret>',
    identityMetadata: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
    allowHttpForRedirectUrl: true, // For development only
    accessType: 'offline',
    responseType: 'code',
    validateIssuer: false, // For development only
    responseMode: 'query',
    scope: [
        'Contacts.Read',
        ...
    ]
};

const callback = (iss, sub, profile, accessToken, refreshToken, done) => {
  console.log('Refresh Token: ', refreshToken); // this is undefined
  done(null, {
    profile,
    accessToken,
    refreshToken
  });
};

passport.use(new OIDCStrategy(creds, callback));

// When I authenticate
const passportSettings = {
  accessType: 'offline',
  approvalPrompt: 'consent'
};

// Authentication request.
router.get('/login', (req, res, next) => {
  passport.authenticate('azuread-openidconnect', passportSettings, (err, user, info) => {
        // Do stuff.
  });
});

Things I've tried:

• Un-authorizing the app for the user I signed up with.
• Moving the location of the accessType setting.

I'm really at a loss as to why this doesn't work. With the Google strategy just setting the type of 'offline' seems to be enough.

Answer 1

It looks like you need to add the offline_access scope to the app registration as well as the config. See https://github.com/AzureAD/passport-azure-ad/issues/322.