2

Is it possible to refresh a token if the application does not have access to a browser control or HTTP context? I have a WinForm that logs a user in and gets consent; it then passes the token to a Windows service so files can be uploaded to OneDrive. When the token expires, it seems all the methods for refreshing a token require a callback URL.

Substantial
Mike_G

1 Answer

0

You can do this if you've requested the wl.offline_access scope and you're using the Authorization Code grant flow in OAuth 2.0. Once the user has logged in through OAuth, you'll receive an access_token which is valid for 1 hour, and a refresh_token, which is valid for a long time.

Each time your service needs to do work on the user's behalf, you can redeem the refresh_token for a new access_token and refresh_token, and then use the access_token to do work. Make sure you save the new refresh_token you get back as well, to make sure that you extend the expiration.

This way you can have a service that performs actions on behalf of the user for a long time, without needing the user to sign in again. However, it is possible for the refresh_token to expire or become invalid, so you will need to handle situations where you are unable to redeem the refresh_token.

Ryan Gregg
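The refresh step described in the answer above, as an added example that is not part of the original answer: it redeems a stored refresh_token with a plain HTTPS POST, saves the rotated refresh_token, and separates a rejected token from a transient failure. Python is used as a language-neutral sketch. Assumptions: the Live Connect token endpoint URL, a public (desktop) client with no client_secret, and the hypothetical names `store`, `ReauthRequired`, `http_post_form` and `refresh_access_token`.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Live Connect token endpoint; confirm against your app registration.
TOKEN_URL = "https://login.live.com/oauth20_token.srf"


class ReauthRequired(Exception):
    """The refresh_token was rejected; the user must sign in and consent again."""


def http_post_form(url, fields):
    """Default transport: POST a form body, return (status, parsed JSON)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        req = urllib.request.Request(url, data=data)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # OAuth errors arrive as a JSON body


def refresh_access_token(store, client_id, redirect_uri, post=http_post_form):
    """Redeem the stored refresh_token; no browser or callback request occurs.

    `store` is any dict-like object backed by protected storage (hypothetical).
    `redirect_uri` is only a value matching the registration, nothing is served.
    """
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "refresh_token": store["refresh_token"],
    })
    if status == 400 and body.get("error") == "invalid_grant":
        # Expired or revoked: drop the dead token and hand control to the UI.
        store.pop("refresh_token", None)
        raise ReauthRequired(body.get("error_description", "invalid_grant"))
    if status != 200 or "access_token" not in body:
        # Transient or unexpected failure: keep the stored token, retry later.
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    # Save the rotated refresh_token before the access_token is used, so a
    # crash during the upload cannot leave only a superseded token on disk.
    if "refresh_token" in body:
        store["refresh_token"] = body["refresh_token"]
    return body["access_token"], int(body.get("expires_in", 3600))
```

In the service, catch `ReauthRequired` to pause uploads and signal the WinForm to run the sign-in again, and keep token values out of logs and exception messages.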