
For background, see: this question

So, the first step in the Authorization Flow is to get the authorization token using a URL in the web browser like this. For a desktop app it needs to have the following signature (I un-encoded it to make it more readable):

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize
?client_id={client id}
&response_type=code
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&response_mode=query
&scope=openid offline_access https://graph.microsoft.com/.default

This ends up at the specified redirect URL (assuming I set the same redirect URL in the application registration in Azure) after authenticating. All good. The response looks something like this:

https://login.microsoftonline.com/common/oauth2/nativeclient?code=OAQABAAIAAAA...ggAA

That code is then used to generate an access_token and a refresh_token using a POST HTTP request from my VBA (MS Access):

https://login.microsoftonline.com/{tenant Id}/oauth2/v2.0/token

grant_type=authorization_code
client_id={client id}
scope=https://graph.microsoft.com/.default
redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
code=OAQABAAIAAAA...ggAA  <== ie the code that was copied from the URL in the Authorization step above

That call returns both an access_token (expires in 1 hour) and a refresh_token (default expiry in 90 days). The refresh_token is used to get another access_token after it expires.

So far, so good.

The first step (get the Authorization Code) is run in a browser and the resulting code is copy-pasted into my App to be used in the second step (to get the access_token). Each time the access_token expires, the refresh_token is used to acquire another access_token AND another refresh_token, giving another 90 days. That all works fine.

My question is this: After 90 days of inactivity both the access_token and the most recent refresh_token will have expired. Is it the case that I will then need to return to the first step, get a new Authorization Code via a browser window, copy and paste the code from the web browser url and use it for the second step?

Is it the case that I will always need to use a web browser to get an Authorization Code, or is there some programmatic way to do that which I have completely missed?

Thanks. Murray

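The two-step flow described in the question, as an added example that is not part of the original post (the asker's code is VBA; this is a Python rendering of the same HTTP exchanges). It pulls the code out of the pasted redirect URL, redeems it at the token endpoint, refreshes with the rotating refresh_token, and treats an `invalid_grant` answer to a refresh as the "90 days of inactivity" case, where the only remedy is to repeat the browser step. The `{tenant id}` and `{client id}` placeholders are the question's own; `fake_post`, the token values and the error text are constructed so the example runs offline, and `real_post` is the drop-in for the live endpoint.

```python
"""Authorization-code flow helper for the MS identity platform v2.0 endpoints.
Added example, not the asker's VBA. The HTTP call is injected (post=...) so the
flow can be exercised offline against the constructed fake_post below."""
import json
import urllib.error
import urllib.parse
import urllib.request

TENANT = "{tenant id}"        # placeholder, as written in the question
CLIENT_ID = "{client id}"     # placeholder, as written in the question
REDIRECT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"
SCOPE = "openid offline_access https://graph.microsoft.com/.default"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


class InteractionRequired(Exception):
    """Raised when nothing programmatic helps: repeat the browser step."""


def extract_code(redirect_url: str) -> str:
    """Pull ?code= out of the URL the browser landed on after sign-in."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "error" in params:  # consent denied, bad scope, etc.
        raise InteractionRequired(params.get("error_description", params["error"])[0])
    if "code" not in params:
        raise ValueError("redirect URL carries no ?code= parameter")
    return params["code"][0]


def real_post(url, form):
    """POST application/x-www-form-urlencoded; return (HTTP status, JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 400 responses still carry a JSON error
        return err.code, json.load(err)


def _handle(status, body):
    if status == 200 and "access_token" in body:
        return body
    # An expired or revoked refresh token comes back as 400 / invalid_grant:
    # that is the 90-day case, and the user has to sign in interactively again.
    if body.get("error") in ("invalid_grant", "interaction_required"):
        raise InteractionRequired(body.get("error_description", body["error"]))
    raise RuntimeError(f"token endpoint returned {status}: {body}")


def redeem_code(code, post=real_post):
    """Step 2 of the question: exchange the browser-obtained code for tokens."""
    status, body = post(TOKEN_URL, {
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "scope": SCOPE, "redirect_uri": REDIRECT_URI, "code": code})
    return _handle(status, body)


def refresh(refresh_token, post=real_post):
    """Silent renewal; a new refresh_token is returned and must replace the old one."""
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token", "client_id": CLIENT_ID,
        "scope": SCOPE, "refresh_token": refresh_token})
    return _handle(status, body)


def get_access_token(store, post=real_post):
    """Renew from the cached refresh_token, rotating the cache in place."""
    if not store.get("refresh_token"):
        raise InteractionRequired("no refresh token cached")
    tokens = refresh(store["refresh_token"], post)
    store["access_token"] = tokens["access_token"]
    store["refresh_token"] = tokens["refresh_token"]  # persist this, not the old one
    return tokens["access_token"]


def fake_post(url, form):
    """Constructed stand-in for the token endpoint (offline demo only)."""
    if form["grant_type"] == "authorization_code" and form["code"] == "OAQABAAIAAAA...ggAA":
        return 200, {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
    if form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-1":
        return 200, {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
    # Anything else, including rt-2, plays the role of a refresh token past its 90 days.
    return 400, {"error": "invalid_grant",
                 "error_description": "refresh token has expired (constructed message)"}


def run_demo(post=fake_post):
    """Walk the flow once; returns (first token, refreshed token, browser step needed?)."""
    store = {}
    code = extract_code(REDIRECT_URI + "?code=OAQABAAIAAAA...ggAA")
    store.update(redeem_code(code, post))
    first = store["access_token"]
    second = get_access_token(store, post)      # silent renewal works while rt-1 is valid
    try:
        get_access_token(store, post)           # rt-2 is "expired": back to the browser
        browser_needed = False
    except InteractionRequired:
        browser_needed = True
    return first, second, browser_needed


if __name__ == "__main__":
    print(run_demo())
```

The useful part for the question is `_handle`: a refresh that fails with `invalid_grant` is not retried, because no further token-endpoint call can fix it; the caller catches `InteractionRequired` and opens the browser step again. Everything else (storing the rotated refresh_token after every renewal) is what keeps the 90-day window sliding while the app is in use.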

1 Answer


Is it the case that I will then need to return to the first step, get a new Authorization Code via a browser window, copy and paste the code from the web browser url and use it for the second step?

Yes, you are right.

Is there some programmatic way to do that which I have completely missed?

Yes, resource owner password credential (ROPC) grant flow allows an application to sign in the user by directly handling their password. The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.

Tony Ju