
I have an app that needs to connect to Graph API with my customer's credentials to get data.

In order to generate the credentials I did the following (Python code):

import json
import requests
from msal import PublicClientApplication

AUTHORITY = 'https://login.microsoftonline.com/common'
MICROSOFT_LOGIN_ADDRESS = 'https://login.microsoftonline.com'

# Placeholders: the app registration's client ID and the delegated scopes to request.
client_id = '<client-id>'
scopes = ['<delegated-scope>']

def generate_token(client_id, scopes):
    # Device-code flow: the user signs in interactively once, the result holds the tokens.
    app = PublicClientApplication(client_id, authority=AUTHORITY)
    flow = app.initiate_device_flow(scopes=scopes)
    print(flow['message'])
    token = app.acquire_token_by_device_flow(flow)

    return token


token = generate_token(client_id, scopes)

refresh_token = token['refresh_token']
# Tenant-specific token endpoint, built from the tid claim of the ID token.
request_url = f"{MICROSOFT_LOGIN_ADDRESS}/{token['id_token_claims']['tid']}/oauth2/token"

Then I use refresh_token and request_url to get access_token:

client_secret = '<client-secret>'  # placeholder

payload = { "client_id": client_id,
            "scope": " ".join(scopes),  # scopes are space-separated in the form body
            "client_secret": client_secret,
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
          }
headers = {"Content-Type": "application/x-www-form-urlencoded"}

response = requests.post(url=request_url,
                         headers=headers,
                         data=payload)

access_token = json.loads(response.text)['access_token']

That worked fine until customer admin changed his password and I started to get an error:

"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password."

I wonder what the correct way to get the refresh token is.

  • Does this answer your question? [Failure to generate access token using refresh token for O365 API](https://stackoverflow.com/questions/50905271/failure-to-generate-access-token-using-refresh-token-for-o365-api) – AMC Mar 16 '20 at 19:18

1 Answer

From the documentation:

Refresh tokens can be invalidated or revoked at any time, for different reasons.

The documentation includes a table spelling out which events trigger revocation. For a public client application, the user changing their password will always revoke existing refresh tokens.

  • Thanks, but this process does not make any sense - it means that each time the admin changes his password, I should contact him and regenerate my refresh_token? There surely must be a better way – Alex L Mar 16 '20 at 17:40
  • That is correct. If you're using Refresh Tokens then you need to reauthenticate users if they change their password. – Marc LaFleur Mar 16 '20 at 19:32
  • Thanks. Is there a better way to do the authentication, not via refresh tokens? – Alex L Mar 16 '20 at 20:01
  • Not if you need Delegated permission scopes. If you can use Application scopes, then using Client Credentials would allow you to authenticate without a user. These require an Admin to consent to the scopes. The scopes are also extremely permissive/broad, so it can be a challenge to receive consent for these. – Marc LaFleur Mar 17 '20 at 02:38
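The practical consequence of the answer is that the refresh step must treat a revoked grant as a signal to send the user back through the device-code flow, not as a transient error to retry. The following is an added example (not from the question, the answer, or any Microsoft library) of a refresh helper that does this: it posts the refresh_token grant with the standard library, keeps the rotated refresh token on success, and raises a dedicated exception when the endpoint reports invalid_grant or AADSTS50173 so the caller can re-run generate_token. The token URL, client ID and scope values in the test are constructed placeholders; the transport is injectable so it can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# RFC 6749 §5.2: invalid_grant means the grant itself is bad (expired, revoked, reused).
REAUTH_ERRORS = {"invalid_grant"}
# AADSTS50173 from the question: refresh token revoked, e.g. after a password change.
REVOKED_CODES = {50173}


class ReauthRequired(Exception):
    """The refresh token is gone for good; the user has to sign in interactively again."""


def post_form(url, fields):
    """Default transport: POST x-www-form-urlencoded and return the parsed JSON body."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # The token endpoint answers 4xx with a JSON error body; surface it, don't drop it.
        return json.load(err)


def refresh_access_token(token_url, client_id, scopes, refresh_token, post=post_form):
    """Exchange a refresh token for an access token.

    Returns (access_token, refresh_token_to_store). Raises ReauthRequired when the
    grant is revoked, so the caller re-runs the device-code flow instead of retrying.
    """
    payload = {
        "client_id": client_id,
        "scope": " ".join(scopes),          # space-separated in the form body
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }
    result = post(token_url, payload)
    if "access_token" in result:
        # Refresh tokens may be rotated; persist the newest one or the next refresh fails.
        return result["access_token"], result.get("refresh_token", refresh_token)
    codes = set(result.get("error_codes", []))
    if result.get("error") in REAUTH_ERRORS or codes & REVOKED_CODES:
        raise ReauthRequired(result.get("error_description", result.get("error")))
    raise RuntimeError(f"token endpoint error: {result}")
```

On ReauthRequired the caller should discard the stored refresh token and run the device-code flow from the question again; looping on the refresh call only reproduces the AADSTS50173 error.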