Auth0 Token Refresh Does Not Automatically Refresh Azure AD Issued Access Token

Problem Statement:

We had configured Azure AD as an IdP. Initially, this worked as expected. On successful login, the user received both an Access Token and a Refresh Token issued by Azure AD. These were stored in the user profile on the Auth0 side for calling the Microsoft Graph API.

However, after we refreshed the browser, only the Auth0 access token was refreshed. The Azure AD-issued access token in the user profile was not refreshed.

Below is how we set up our environment:

  1. Configure an enterprise connection for Azure AD

  2. Install the React SDK

  3. Enable token refresh ( enabled by default for React )

  4. When making calls to /authorize, include the offline_access scope (see the Refresh Tokens documentation)

Solution:

Auth0 has no mechanism to automatically refresh Access Tokens that originate from an upstream IdP.

As an alternative, it is possible to manually force the renewal of an IdP Access Token when it expires in an application, by updating the connection's configuration through the Management API connections endpoint. This eliminates the need to go through an interactive login flow.

You will find a description of the steps to do this in a published gist:

Let’s summarise the process described in the gist:

  1. Use the Management API to call the /api/v2/connections/{id} endpoint and copy the options object from the response.

https://auth0.com/docs/api/management/v2#!/Connections/get_connections_by_id

  2. Patch the connection to update its configuration. You need to send back the options object copied from the first call, with the upstream_params object added to it. Make sure to specify the required scopes.

https://auth0.com/docs/api/management/v2#!/Connections/patch_connections_by_id

  3. Log in using an Azure AD account. Once the user completes authentication with Azure AD, they should have an Access Token and Refresh Token in the identities object of the user profile.

Please try this in a Dev tenant first to get comfortable with the process, then move it to Prod.

The Azure AD Access Token stored in the user profile can then be used inside a Rule/Action to call the MS Graph API.
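The following Node.js script is an added example, not code from the Auth0 article or the gist it refers to. It covers the three steps above (read the connection, patch its options with upstream_params, then read the IdP tokens back from the user profile). It assumes Node 18+ (global fetch), a Management API token with the read:connections, update:connections and read:user_idp_tokens scopes in MGMT_TOKEN, the tenant domain in AUTH0_DOMAIN, and that the Azure AD connection accepts a static scope parameter via upstream_params; the connection id, connection name, scopes and the sample user profile are constructed placeholders. The important caveat it encodes is that PATCH replaces the whole options object, so the existing options must be carried over and upstream_params merged in, otherwise the connection's client id and tenant settings are wiped.

```javascript
// Added example: merge upstream_params into an Auth0 connection without losing
// its existing options, and pick the Azure AD tokens out of a user profile.
// Assumes Node 18+ (global fetch) and env vars AUTH0_DOMAIN / MGMT_TOKEN.

// Build the body for PATCH /api/v2/connections/{id}.
// PATCH overwrites `options` wholesale, so deep-copy the existing options and
// only add/merge upstream_params; never send a bare { options: { upstream_params } }.
function buildPatchBody(existingOptions, scopes) {
  if (!existingOptions || typeof existingOptions !== "object") {
    throw new Error("existing connection options (from GET) are required");
  }
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error("at least one upstream scope is required");
  }
  // offline_access is what makes Azure AD return a refresh token with the access token.
  const scopeSet = new Set(["offline_access", ...scopes]);
  const options = JSON.parse(JSON.stringify(existingOptions)); // do not mutate the input
  options.upstream_params = {
    ...(existingOptions.upstream_params || {}),
    // Static value form from the Auth0 "pass parameters to IdPs" docs: { "<param>": { "value": "..." } }.
    // Assumption: the connection forwards `scope` to Azure AD; adjust to your connection's setup.
    scope: { value: [...scopeSet].join(" ") },
  };
  return { options };
}

// From a GET /api/v2/users/{id} response, return the tokens of the Azure AD identity.
// access_token / refresh_token are only present when the Management API token
// carries read:user_idp_tokens; otherwise both come back as null.
function selectIdpTokens(userProfile, connectionName) {
  const identity = (userProfile.identities || []).find((i) => i.connection === connectionName);
  if (!identity) return null;
  return {
    accessToken: identity.access_token ?? null,
    refreshToken: identity.refresh_token ?? null,
  };
}

// Minimal Management API client; fails loudly on non-2xx so a half-applied patch is noticed.
async function mgmt(path, init = {}) {
  const res = await fetch(`https://${process.env.AUTH0_DOMAIN}${path}`, {
    ...init,
    headers: {
      Authorization: `Bearer ${process.env.MGMT_TOKEN}`,
      "Content-Type": "application/json",
      ...(init.headers || {}),
    },
  });
  if (!res.ok) throw new Error(`${init.method || "GET"} ${path} -> HTTP ${res.status}`);
  return res.json();
}

// Steps 1 and 2: read the connection, then patch it with merged options.
async function enableUpstreamScopes(connectionId, scopes) {
  const current = await mgmt(`/api/v2/connections/${encodeURIComponent(connectionId)}`);
  const body = buildPatchBody(current.options, scopes);
  return mgmt(`/api/v2/connections/${encodeURIComponent(connectionId)}`, {
    method: "PATCH",
    body: JSON.stringify(body),
  });
}

// Step 3 (after the user has logged in again): fetch the profile and read the IdP tokens.
async function fetchIdpTokens(userId, connectionName) {
  const profile = await mgmt(`/api/v2/users/${encodeURIComponent(userId)}`);
  return selectIdpTokens(profile, connectionName);
}

// Constructed sample of a user profile as returned by the Management API (not real data).
const SAMPLE_USER = {
  user_id: "waad|example-user",
  identities: [
    {
      connection: "azure-ad-example",
      provider: "waad",
      user_id: "example-user",
      isSocial: false,
      access_token: "<azure-ad-access-token>",
      refresh_token: "<azure-ad-refresh-token>",
    },
  ],
};

// Only talks to the tenant when credentials are configured; placeholders otherwise.
if (process.env.AUTH0_DOMAIN && process.env.MGMT_TOKEN) {
  enableUpstreamScopes("con_EXAMPLE_ID", ["openid", "profile", "User.Read"])
    .then(() => fetchIdpTokens("waad|example-user", "azure-ad-example"))
    .then((tokens) => console.log(tokens ? "IdP tokens present" : "no Azure AD identity on profile"))
    .catch((err) => console.error(err.message));
}
```

Run it in a dev tenant first, as the article advises, and diff the connection's options before and after the patch; the GET response is the only copy of the original options, so keep it until the patched connection has been verified to log users in.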

Reference:

https://auth0.com/docs/connections/pass-parameters-to-idps