3

I am unable to get Refresh Token using Azure Service Principal (using Client ID & Client Secret)

Kindly help me get the refresh token via cURL, and explain how to use it.

When I run the below cURL command in the Windows CMD prompt, I am getting an access token, whereas I am not getting a refresh token along with it.

Am I missing something here?

Input:

curl -X POST https://login.microsoftonline.com/12345/oauth2/token ^
-F grant_type=client_credentials ^
-F resource=https://management.core.windows.net/ ^
-F client_id=12345-abcde ^
-F client_secret=12345abcde

Output:

{
    "token_type": "Bearer",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1554368330",
    "not_before": "1554364430",
    "resource": "https://management.core.windows.net/",
    "access_token": "XXXXXXXXXXXXX"
}

As the output doesn't have a refresh token, how do I get it?

Kindly requesting any possible insights.

3 Answers

2

You don't get refresh tokens with client id and secret. It doesn't make sense. Refresh tokens only make sense when a user is involved, since they allow you to get new tokens without prompting the user to log in again.

You don't need a refresh token. You can get new tokens with client id and secret when you want.

juunas
  • I think @juunas is correct. Notice that you're using `client_credentials` as the `grant_type`. In case you're really interested in a user-based flow where a refresh token would be valid, consider the authorization code flow as described here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code. On a side note, here is another SO thread which talks about the Client Credentials grant and refresh tokens simply from an OAuth standpoint (not specifically Azure AD's implementation): https://stackoverflow.com/questions/43340580/oauth-client-credential-flow-refresh-tokens – Rohit Saigal Apr 08 '19 at 16:11
  • Many Thanks Juunas & Tony ju & Rohit Saigal – Madhanan Balaram Apr 16 '19 at 10:58
  • @juunas In my scenario users are involved. And I cannot redirect to the webpage every hour. So, I would need a refresh token. Any idea how do we implement that? – Pankaj Lilan Oct 15 '19 at 08:30
  • Which flow are you using? If implicit, you can use MSAL.js to refresh tokens automatically. – juunas Oct 15 '19 at 08:31

1

Change the grant_type to 'password' and add username and password to the request.

curl -X POST https://login.microsoftonline.com/12345/oauth2/token ^
-F grant_type=password ^
-F resource=https://management.core.windows.net/ ^
-F client_id=12345-abcde ^
-F client_secret=12345abcde ^
-F username=user@XX.onmicrosoft.com ^
-F password=******

You will be able to get the refresh_token.

{
    "token_type": "Bearer",
    "scope": "User.ReadWrite.All",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1554711949",
    "not_before": "1554708049",
    "resource": "https://management.core.windows.net/",
    "access_token": "******",
    "refresh_token": "******"
}

You can use the refresh_token to refresh the access token.

Tony Ju
0

Given an existing refresh token, this request gets a new access token and a new refresh token, which one can use to iteratively fetch new ones before the expiration period, e.g. with a timer-based process.

curl 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
     -H "Origin: https://localhost" \
     -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' \
     --data-raw "client_id=${CLIENT_ID}&refresh_token=${REFRESH_TOKEN}&grant_type=refresh_token&scope=openid%20profile%20User.Read%20offline_access"

Devis L.
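Pulling the answers together, here is an added Python example (not from the question or any of the answers) of a token helper that renews shortly before `expires_on`: with `client_credentials` it simply re-runs the grant with the secret, since that grant never issues a refresh token, and when it holds a refresh token (e.g. from the `password` flow) it uses the `refresh_token` grant and keeps the rotated token it gets back. It follows the v1 `/oauth2/token` request shape used in the question; `TOKEN_URL` carries a placeholder tenant, `post_form` is the real transport, and `FakeEndpoint` is a constructed offline stand-in for the Azure AD response, not Azure AD itself.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/TENANT_ID/oauth2/token"  # TENANT_ID is a placeholder

def post_form(url, fields):  # real transport: form-encoded POST, which the token endpoint expects
    req = urllib.request.Request(url, urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class TokenProvider:
    """Cache an access token and renew it `skew` seconds before expires_on. With client_credentials
    there is no refresh_token, so renewal re-runs that grant with the secret; when a refresh_token
    is held (e.g. from the password flow), the refresh_token grant is used and its rotated token kept."""

    def __init__(self, post, client_id, client_secret, resource, refresh_token=None, skew=300):
        self.post, self.client_id, self.client_secret = post, client_id, client_secret
        self.resource, self.refresh_token, self.skew = resource, refresh_token, skew
        self.access_token, self.expires_on, self.grants_used = None, 0, []

    def token(self, now=None):
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_on - self.skew:
            return self.access_token  # still valid: no network call, secret not resent
        fields = {"client_id": self.client_id, "client_secret": self.client_secret, "resource": self.resource}
        if self.refresh_token:
            fields.update(grant_type="refresh_token", refresh_token=self.refresh_token)
        else:
            fields["grant_type"] = "client_credentials"
        resp = self.post(TOKEN_URL, fields)
        self.grants_used.append(fields["grant_type"])
        self.access_token = resp["access_token"]
        self.expires_on = int(resp["expires_on"])  # epoch seconds, returned as a string
        self.refresh_token = resp.get("refresh_token", self.refresh_token)  # keep the rotated one
        return self.access_token

class FakeEndpoint:
    """Constructed stand-in for the token endpoint (not Azure AD), answering like the JSON above."""
    def __init__(self, t0):
        self.t0, self.calls = t0, 0

    def __call__(self, url, fields):
        self.calls += 1
        resp = {"token_type": "Bearer", "expires_in": "3600", "access_token": f"AT{self.calls}",
                "expires_on": str(self.t0 + 3600 * self.calls)}
        if fields["grant_type"] in ("password", "refresh_token"):  # only user flows return one
            resp["refresh_token"] = f"RT{self.calls}"
        return resp
```

Against the real endpoint, pass `post_form` instead of a `FakeEndpoint` instance; the cached token is reused until five minutes before expiry, so the secret only travels over the wire when a renewal is actually due.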