Currently, I'm having the user log in to Microsoft Live by sending a request in a web view to the following URL:
https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=token&redirect_uri=[REDIRECT URI]&display=popup
This works perfectly, and I receive and save the access_token and authentication_token. Note that it doesn't return a refresh_token, even if I include the wl.offline_access scope.
The problem occurs when the access token expires and needs to be refreshed. I'm attempting to refresh the token using a method from Microsoft's documentation:
https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&refresh_token=[WHAT TO PUT HERE?]&grant_type=refresh_token
However, a refresh_token was never returned in the login, so I'm not sure what to pass in. Note that sending the authentication_token (what is it supposed to be used for?) as the refresh_token parameter results in the following:
{
"error": "invalid_grant",
"error_description": "The provided value for the input parameter 'refresh_token' is not valid."
}
Does anyone know how to properly refresh a Microsoft Live token through their REST API?
After further reading through Microsoft's documentation and experimenting, I was able to figure out how to do this.
The problem with my initial attempt was that I was requesting the wl.offline_access scope while using the implicit grant flow, as their documentation says not to:
Note: Do not include the wl.offline_access scope if you're using the implicit grant flow (response_type=token).
So, I changed my URL to the following (using the authorization code grant flow since I need offline access):
https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=code&redirect_uri=[REDIRECT URI]&display=popup
Then, once I received the code in the callback, I called the following endpoint to retrieve the access and refresh tokens:
https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&code=[CODE FROM AUTHORIZATION]&grant_type=authorization_code
NOTE: Microsoft's documentation is INCORRECT for this endpoint in the above links. This is a GET request, NOT a POST request as their documentation claims.
This method finally returned the access_token and refresh_token parameters, and I was able to use both as expected.