No refresh token is available on Microsoft AzureAD

t_onodera · April 23, 2020, 1:08am

Hi everyone,

I am trying to connect to Microsoft Graph API from server side program via Auth0 API.
I referred Auth0 document below and can get an access token but can not refresh token.

https://auth0.com/docs/tokens/concepts/idp-access-tokens#renew-tokens

API, /api/v2/user/{user-id} endpoint ,will return identities array but it don’t have refresh token data like below.

Any ideas or advice are welcome.

Thank you

{
  "created_at": "2020-04-22T01:37:40.559Z",
  "email": "myemail@example.com",
  "email_verified": true,
  "identities": [
    {
      "provider": "waad",
      "access_token": "eyJ...snipped...7bg",
      "expires_in": 3599,
      "user_id": "z4L...snipped...F3M",
      "connection": "azureAD",
      "isSocial": false
    }
  ],
  "identity_api": "microsoft-identity-platform-v2.0",
  "name": "MY NAME",
  "nickname": "MY NICK NAME",
  "oid": "ce48...snipped...6551",
  "picture": "https://s.gravatar.com/avatar/2da8...snipped...?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fdefault.png",
  "tenantid": "32ea...snipped...093c1",
  "updated_at": "2020-04-22T01:38:42.682Z",
  "user_id": "waad|z4LA...snipped...6F3M",
  "last_ip": "113.43.xx.xx",
  "last_login": "2020-04-22T01:38:42.682Z",
  "logins_count": 2
}

sidharth.chaudhary · April 23, 2020, 7:22am

Hi @t_onodera, Welcome to the Auth0 Community!

Have you tried adding connection_scope= “offline_access” in the auth0 /authorize request?
Ideally this will pass “offline_access” as one of the scope to the upstream microsoft /authorize request and you should be able to get the idp refresh token for Azure AD in the /api/v2/user/{user-id}. I remember I had tested this on a quickstart with python SDK before and it worked. I added it in the authorize redirect call. Let me know how you go!

konrad.sopala · April 23, 2020, 7:48am

Thanks for contributing here Sidharth!

t_onodera · April 23, 2020, 10:16am

Thank you very much, @sidharth.chaudhary

I resolved this issue by your advice!
I added “offline_access” to scope parameter on the authorize redirect call, and then, logged in , I could get a refresh token in identities array.

Your advice helped me! Thank you very much again!

konrad.sopala · April 24, 2020, 6:07am

Glad you have it working @t_onodera!