
I'm using Active Directory for user access to our app (I've created an app and registered it in AD), but I'm having trouble getting a refresh token from the token response.

In Startup.cs I define the OpenID Connect options:

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        SlidingExpiration = true
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = ApiConstants.AAD_WebClientId,
            Authority = Authority,
            TokenValidationParameters = new TokenValidationParameters { SaveSigninToken = true },
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                RedirectToIdentityProvider = context =>
                {
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
                    {
                        // ensure https before redirecting to Azure
                        if (!context.Request.IsSecure)
                        {
                            context.Response.Redirect(
                                $"https://{context.Request.Uri.Authority}{context.Request.Uri.AbsolutePath}");
                            context.HandleResponse();
                            return Task.FromResult(0);
                        }
                    }

                    return Task.FromResult(0);
                },

                // If there is a code in the OpenID Connect response,
                // redeem it for an access token and refresh token, and store those away.
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed
            }
        });

My OnAuthorizationCodeReceived method is:

    private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
    {
        var code = context.Code;

        ClientCredential credential = new ClientCredential(ApiConstants.AAD_WebClientId, ApiConstants.AAD_CertWeb);
        AuthenticationContext authContext = new AuthenticationContext(Authority);

        // If you create the redirectUri this way, it will contain a trailing slash.
        // Make sure you've registered the same exact Uri in the Azure Portal (including the slash).
        var builder = new UriBuilder(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
        builder.Scheme = "https";
        if (builder.Uri.IsDefaultPort)
        {
            builder.Port = -1;
        }
        //n.AuthenticationTicket.Properties.RedirectUri = builder.ToString();

        // this doesn't return a refresh token???
        AuthenticationResult result =
            await authContext.AcquireTokenByAuthorizationCodeAsync(code, builder.Uri, credential,
                ApiConstants.AAD_Audience);
    }

The problem is that the token returned doesn't have a refresh token, nor is it sliding, so every hour we are being logged out. Is there anything I can do in Active Directory or in my app to turn on/receive refresh tokens?

Or is it that I'm receiving refresh tokens but the AuthenticationResult class isn't exposing this property back to me?

Colin

1 Answer

Just stumbled over this when investigating the same issue.

If you monitor the network traffic using a tool like Fiddler, you will see the refresh_token is indeed returned, it's just not exposed.

The link below gives more information.

http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/

DavidReid
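As an added example (not code from the question, the answer, or Microsoft's ADAL samples): because ADAL 3 keeps the refresh token inside its token cache rather than on AuthenticationResult, the practical approach is to give ADAL a per-user cache and ask it for tokens with AcquireTokenSilentAsync, so ADAL redeems the cached refresh token itself when the access token expires. The PerUserTokenCache class, its in-memory store and the AadTokens method names are assumptions for illustration; the ADAL types and calls are the library's own.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical per-user cache. ADAL itself writes the refresh token into it; the app only
// moves the opaque serialized blob and never reads the token. In-memory for the example;
// a real deployment needs a protected server-side store.
public class PerUserTokenCache : TokenCache
{
    private static readonly ConcurrentDictionary<string, byte[]> Store = new ConcurrentDictionary<string, byte[]>();

    public PerUserTokenCache(string userId)
    {
        BeforeAccess = args => { byte[] blob; if (Store.TryGetValue(userId, out blob)) Deserialize(blob); };
        AfterAccess = args =>
        {
            if (!HasStateChanged) return;
            Store[userId] = Serialize();   // access token and refresh token persist together
            HasStateChanged = false;
        };
    }

    public static void Seed(string userId, byte[] blob) { Store[userId] = blob; }
}

public static class AadTokens
{
    // From OnAuthorizationCodeReceived: redeem the code once into a fresh cache, then hand
    // that cache (refresh token included) to the per-user store keyed by the user's id.
    public static async Task<string> RedeemCodeAsync(string authority, string code, Uri redirectUri,
        ClientCredential credential, string resource)
    {
        var bootstrap = new TokenCache();
        var ctx = new AuthenticationContext(authority, bootstrap);
        var result = await ctx.AcquireTokenByAuthorizationCodeAsync(code, redirectUri, credential, resource);
        PerUserTokenCache.Seed(result.UserInfo.UniqueId, bootstrap.Serialize());
        return result.UserInfo.UniqueId;   // keep this id in the session, not the tokens
    }

    // Whenever an access token is needed: ADAL returns the cached token while it is valid and
    // otherwise redeems the cached refresh token itself. null means the user must sign in again.
    public static async Task<string> GetAccessTokenAsync(string authority, string userId,
        ClientCredential credential, string resource)
    {
        var ctx = new AuthenticationContext(authority, new PerUserTokenCache(userId));
        var user = new UserIdentifier(userId, UserIdentifierType.UniqueId);
        try { return (await ctx.AcquireTokenSilentAsync(resource, credential, user)).AccessToken; }
        // Refresh token expired, revoked or missing: the caller must re-run the OIDC challenge.
        catch (AdalSilentTokenAcquisitionException) { return null; }
    }
}
```

The cookie's SlidingExpiration only governs the app's own sign-in cookie; access token lifetime is renewed through this silent call, so the two should be handled separately.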