No 3rd party refresh_token available with AzureAd connection

We are looking at allowing customers to access their Microsoft calendar from our .NET application using an initial login to Azure AD via an Auth0 enterprise connection.

We have created a POC where the user authenticates with a regular Auth0 web application, and we then query the Management API to obtain the access_token from the identities array on the user. Using this we have been able to query their calendar details successfully.

Now for a smoother user experience, we need to get hold of the refresh_token that AzureAD should also generate at login. But this is not set in the Auth0 user identities, or otherwise accessible. We have tried a number of things as suggested here, here and elsewhere but with no success.

From what I have read, it seems this did not used to be possible to obtain using enterprise connections, but now is. Is this correct, and have I missed any other config? If not, is there a good alternative?

Here is our setup and some things we have tried:

Azure app registration

  • API permissions set for email, openid, profile, offline_access (plus others) and admin consent is granted for all
  • Authentication is set up to issue both ID tokens and Access tokens

Auth0

  • Application has these grant types ticked: Implicit, Authorization code, Refresh token, Client credentials. (Note that offline-access is not an available option)
  • AzureAD connection uses Microsoft Identity Platform (v2). Basic profile and Extended profile are ticked. We have not ticked other options such as Get user groups.

.NET client (using Auth0.NET package)

  • Standard OIDC scopes are set, in addition to “offline_access”
  • Client Secret is set in Auth0 options
  • Refresh tokens requested using auth0Builder.WithAccessToken(o => o.UseRefreshTokens = true);

Thanks!

Hi @phil.cole,

Welcome back to the Auth0 Community and sorry for the late reply!

I have checked the configuration that you have mentioned above, and there seems to be no missing step. However, when it comes to storing and managing IdP federated access and refresh tokens, Auth0 has introduced Token Vault, a recently added feature that is precisely designed for this scenario.

I would recommend checking it out, and if useful you can contact your Auth0 representative for enabling it.

Best regards,
Remus


Having raised a service ticket with Auth0, we worked out that the issue was that I was setting the scope parameter that gets passed to the /authorize endpoint, but not the connection_scope parameter.

I may be missing some detail and overlap, but at a basic level:

  • scope handles what details we want back from the Auth0 User into our own application in their authentication token.
  • connection_scope handles the scope to request from the downstream IdP, i.e. what details we want from the user’s own system. Note this adds additional scopes on top of what Auth0 will send by default (openid, profile, etc.), based on how you configure the application and connection in the Auth0 dashboard.

In the ASP.NET Core library, you can configure this using the LoginParameters property of Auth0WebAppOptions.

For example:

```csharp
using System.Collections.Generic;
using Auth0.AspNetCore.Authentication;

services.AddAuth0WebAppAuthentication(auth0Options => {
    // Sets the data we request from Auth0 into our own app's tokens
    auth0Options.Scope = "openid profile email";

    // Adds a connection_scope query string parameter to the /authorize call.
    // These are the additional scopes Auth0 forwards to the downstream IdP
    // (Azure AD); offline_access is what makes the IdP issue a refresh token.
    auth0Options.LoginParameters = new Dictionary<string, string>
    {
        { "connection_scope", "offline_access some_scope" }
    };
});
```
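Added here as an illustration, not code from the thread or from the Auth0 libraries: a small Python helper that builds the /authorize request with separate scope and connection_scope values, then inspects a Management API user record (a constructed sample) to confirm the Azure AD identity carries a refresh_token. The domain, client id, redirect URI, the `waad` provider name and the Calendars.Read scope are assumptions.

```python
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed placeholder values (not from the original thread).
AUTH0_DOMAIN = "example.eu.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://localhost:5001/callback"
AZURE_PROVIDER = "waad"  # assumed provider name for the Azure AD identity


def build_authorize_url(scope, connection_scope):
    """Build the Auth0 /authorize URL.
    `scope` is what Auth0 returns to our own app;
    `connection_scope` is what Auth0 forwards to the downstream IdP."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "connection_scope": connection_scope,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def idp_tokens(user, provider=AZURE_PROVIDER):
    """Return (access_token, refresh_token) stored for the given provider in a
    Management API user record's identities array, or (None, None)."""
    for ident in user.get("identities", []):
        if ident.get("provider") == provider:
            return ident.get("access_token"), ident.get("refresh_token")
    return None, None


def check_offline_access(url, user):
    """Report whether offline_access was forwarded to the IdP via
    connection_scope and whether a refresh token was actually stored."""
    qs = parse_qs(urlparse(url).query)
    forwarded = "offline_access" in qs.get("connection_scope", [""])[0].split()
    _, refresh = idp_tokens(user)
    return {"offline_access_forwarded": forwarded,
            "refresh_token_present": refresh is not None}


# Constructed sample records: one with the refresh token, one without.
SAMPLE_USER_OK = {"identities": [
    {"provider": "waad", "access_token": "at-1", "refresh_token": "rt-1"}]}
SAMPLE_USER_MISSING = {"identities": [
    {"provider": "waad", "access_token": "at-2"}]}
```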
