0

How can I enable multi-resource support in iOS using ADAL? I have searched so many sites, but I am finding it difficult to understand the flow with multiple resources, with the refresh token and access token. Can anyone explain this flow briefly, please?

According to the library, the `accessToken` of `ADTokenCacheStoreItem` will be nil in case the item stores a multi-resource refresh token. But whenever I call `acquireTokenWithResource:clientId:redirectUri:` I am getting both an access token and a refresh token. How can I tell the library that mine is a multi-source request? Are there any settings I need to set?

```objc
/*! The access token received. Should be nil, in case the item stores multi-resource refresh token. */
@property NSString* accessToken;
```

Also, do I need to call `acquireTokenWithResource:clientId:redirectUri:` every time before calling each API, with or without different endpoints? Or is it my responsibility to cache/store the access token and expiry date for each resource? Also, how can I handle silent login in the multi-resource case?

Shyam
  • 1
    I don't quite follow your concerns. Assuming you have issued an authorisation request for "resource1" and received a multi-resource refresh token, then when you issue an authorisation request for "resource2" then you will simply receive an access token without the user being prompted to authenticate (unless the refresh token has expired between the original request and now). You can use `acquireTokenWithResource:clientId:redirectUri:promptBehavior:userId:extraQueryParameters:completionBlock:` to ensure a failure rather than a prompt if that is your requirement – Paulw11 Oct 12 '16 at 09:42
  • Consider I have 10 API calls (each call requires an access token), 8 having resource1 and the remaining 2 having resource2. In this case, do I need to call the `acquireTokenWithResource:clientId:redirectUri:` method 10 times? Or do we need to maintain a cache mapping of resource ID to access token, so that we only have to handle the access token expiration case for each particular resource? – Shyam Oct 12 '16 at 10:14
  • You call `acquireTokenWithResource:clientId:redirectUri:` before each attempt to access a resource. If there is a valid token in the cache, then that token will be returned. If there isn't, then the library will attempt to use the refresh token to obtain an access token. If the refresh token has expired, then the user will be prompted to re-authenticate. – Paulw11 Oct 12 '16 at 10:23
  • Thanks for your suggestion. I tried the above approach, but I am getting a different refresh token for each call to `acquireTokenWithResource:clientId:redirectUri:`. Is that expected? (I thought only the access token would differ for each resource request.) And how can I get a refresh token silently if the token has expired? – Shyam Oct 12 '16 at 13:22

1 Answer

1

With ADAL, you simply need to call some form of `acquireToken*` each time your application needs an access token, presumably to make an API call. ADAL should take care of token caching, refreshing, etc. for you. You shouldn't ever have to manually use refresh tokens.

Refresh tokens from Azure AD are inherently "multi-resource". That is, you can ask for an access token to resource 1, receive that access token + refresh token pair, and then use the refresh token to get an access token to resource 2. This allows you to get tokens for different resources "silently", meaning the user only has to sign in once.

dstrockis
  • Thanks for your response. One last doubt: what if the refresh token has expired? As I remember, the validity of the refresh token is 14 days. Is there any way I can get it silently once it has expired, without prompting the user to log in again? – Shyam Oct 18 '16 at 07:44
  • 1
    Refresh tokens from AAD don't have a fixed lifetime. The only thing you can do is try to use them, and if the request fails, ask the user to sign in again. You should always replace your cached refresh token with the new refresh token you received from AAD on each token request. If you're using ADAL, all of this is taken care of for you. – dstrockis Oct 18 '16 at 16:11
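
A simplified model of the flow described in the answer and comments above, as an added example that is not part of the original posts and is not ADAL's own code. `TokenCacheModel`, `FakeAAD`, the token values and the one-hour access token lifetime are all hypothetical and constructed for illustration.

```python
import time

class FakeAAD:
    """Constructed stand-in for the token endpoint (not a real service client)."""
    def __init__(self):
        self.issued = 0        # tokens issued so far, used to make values unique
        self.redemptions = 0   # how many times a refresh token was sent to the endpoint
        self.revoked = False   # set True to model a refresh token that is no longer accepted

    def issue(self, resource, now):
        self.issued += 1
        return {"access_token": f"at-{resource}-{self.issued}",
                "refresh_token": f"rt-{self.issued}", "expires_at": now + 3600}

    def redeem(self, refresh_token, resource, now):
        self.redemptions += 1
        return None if self.revoked else self.issue(resource, now)

class TokenCacheModel:
    def __init__(self, redeem):
        self.access = {}    # resource -> (access_token, expires_at)
        self.mrrt = None    # one multi-resource refresh token; this entry holds no access token
        self.redeem = redeem

    def store(self, resource, response):
        self.access[resource] = (response["access_token"], response["expires_at"])
        self.mrrt = response["refresh_token"]   # always replace with the newest one

    def acquire_silent(self, resource, now=None):
        now = time.time() if now is None else now
        token, expires_at = self.access.get(resource, (None, 0))
        if token and expires_at > now:
            return token, "cache"               # valid access token for this resource
        if self.mrrt:
            response = self.redeem(self.mrrt, resource, now)
            if response:
                self.store(resource, response)
                return response["access_token"], "refresh"
            self.mrrt = None    # rejected: only an interactive sign-in can recover
        return None, "interaction_required"

def ten_calls():
    """The scenario from the comments: 8 calls for resource1, 2 for resource2, one sign-in."""
    aad = FakeAAD()
    cache = TokenCacheModel(aad.redeem)
    cache.store("resource1", aad.issue("resource1", now=0))   # the single interactive sign-in
    sources = [cache.acquire_silent(r, now=60)[1] for r in ["resource1"] * 8 + ["resource2"] * 2]
    return sources, aad.redemptions, cache.mrrt
```

In this model the ten acquire calls cause a single refresh token redemption (the first request for resource2), and the cached refresh token changes after that redemption.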