We are looking at allowing customers to access their Microsoft calendar from our .NET application using an initial login to Azure AD via an Auth0 enterprise connection.
We have created a POC where the user authenticates with a regular Auth0 web application, and we then query the Management API to obtain the `access_token` from the `identities` array on the user. Using this we have been able to query their calendar details successfully.
Now for a smoother user experience, we need to get hold of the `refresh_token` that AzureAD should also generate at login. But this is not set in the Auth0 user identities, or otherwise accessible. We have tried a number of things as suggested here, here and elsewhere but with no success.
From what I have read, it seems this did not used to be possible to obtain using enterprise connections, but now is. Is this correct, and have I missed any other config? If not, is there a good alternative?
Here is our setup and some things we have tried:
Azure app registration
- API permissions set for email, openid, profile, offline_access (plus others) and admin consent is granted for all
- Authentication is set up to issue both ID tokens and Access tokens
Auth0
- Application has these grant types ticked: Implicit, Authorization code, Refresh token, Client credentials. (Note that `offline_access` is not an available option)
- AzureAD connection uses Microsoft Identity Platform (v2). Basic profile and Extended profile are ticked. We have not ticked other options such as Get user groups.
.NET client (using Auth0.NET package)
- Standard OIDC scopes are set, in addition to `offline_access`
- Client Secret is set in Auth0 options
- Refresh tokens requested using `auth0Builder.WithAccessToken(o => o.UseRefreshTokens = true);`
Thanks!
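A small diagnostic for the situation described above, added here and not part of the original post: it parses the user object returned by the Auth0 Management API (a constructed sample, not real output) and reports whether the Azure AD identity carries a `refresh_token` alongside its `access_token`. It assumes the Azure AD connection appears with provider `waad`, and that the Management API token used to fetch the user holds the `read:user_idp_tokens` scope, without which the `identities` entries are returned without any IdP tokens at all.

```csharp
using System;
using System.Text.Json;

// Tokens stored by Auth0 on one upstream (IdP) identity of a user.
record IdpTokens(string Connection, string? AccessToken, string? RefreshToken);

static class IdentityTokenCheck
{
    // Constructed sample of a GET /api/v2/users/{id} response, trimmed to the
    // relevant fields. Token values are placeholders, not real tokens.
    const string SampleUserJson = """
    {
      "user_id": "waad|PLACEHOLDER-USER-ID",
      "identities": [
        {
          "provider": "waad",
          "connection": "AzureAD",
          "user_id": "PLACEHOLDER-USER-ID",
          "isSocial": false,
          "access_token": "PLACEHOLDER-IDP-ACCESS-TOKEN"
        }
      ]
    }
    """;

    // Returns the tokens on the Azure AD identity, or null if the user has none.
    public static IdpTokens? ExtractAzureAdTokens(string userJson)
    {
        using var doc = JsonDocument.Parse(userJson);
        if (!doc.RootElement.TryGetProperty("identities", out var identities)) return null;

        foreach (var identity in identities.EnumerateArray())
        {
            // "waad" is assumed to be the provider id of the Azure AD connection.
            if (identity.GetProperty("provider").GetString() != "waad") continue;

            return new IdpTokens(
                identity.GetProperty("connection").GetString() ?? "",
                identity.TryGetProperty("access_token", out var at) ? at.GetString() : null,
                identity.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null);
        }
        return null;
    }

    public static void Main()
    {
        var tokens = ExtractAzureAdTokens(SampleUserJson);
        // Report presence only; token values themselves must never reach logs.
        Console.WriteLine(tokens is null
            ? "No Azure AD identity on this user"
            : $"{tokens.Connection}: access_token present={tokens.AccessToken is not null}, refresh_token present={tokens.RefreshToken is not null}");
    }
}
```

With the sample above the output reports `refresh_token present=False`, which is the symptom the post describes; the same check against a live user object separates a missing Management API scope from a connection that genuinely never stored the token.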