
I am trying to get an access token and a refresh token for the "https://management.azure.com/" resource using PowerShell, but I am getting only an access token. I need a refresh token as well. I share my code below.

# Service principal credentials (placeholder values, redacted)
$clientID = '1xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$secretKey = 'kdfudifkldfliKASDFKkdfjd-ddkjfidysikd'
$tenantID = 'fxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

# Sign in to AzureRM as the service principal (not needed for the REST call below)
$password = ConvertTo-SecureString -String $secretKey -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($clientID, $password)
Connect-AzureRmAccount -ServicePrincipal -Credential $credential -Tenant $tenantID

# Azure AD v1 token endpoint, client_credentials grant for the ARM resource
$authUrl = "https://login.windows.net/" + $tenantID + "/oauth2/token/"
$body = @{
   "resource"      = "https://management.azure.com/";
   "grant_type"    = "client_credentials";
   "client_id"     = $clientID;
   "client_secret" = $secretKey
}

Write-Output "Getting Authentication-Token ..."
$adlsToken = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body
Write-Output $adlsToken

------------output---------------

Getting Authentication-Token ...
token_type     : Bearer
expires_in     : 3599
ext_expires_in : 3599
expires_on     : 1597999269
not_before     : 1597995369
resource       : https://management.azure.com/
access_token   : J0uYFoioURT4CdISuUrRrr...


Ashish-BeJovial
  • In your case, the correct way is to run your script again to get the new access token instead of using the refresh token to get a new one. – Joy Wang Aug 24 '20 at 06:35

1 Answer


The spec states the Client Credentials grant type MUST NOT allow for the issuing of refresh tokens. So the answer is, you have to use a different grant type to receive a refresh token with your access token.

Therefore, it is recommended that you use the auth code flow, which will return the refresh token to you when you request the token.



Carl Zhao
  • then, what should be the grant type for this? – Ashish-BeJovial Aug 21 '20 at 11:29
  • I guess body parameters are wrong to make a request. Can you please suggest the correct parameters? @Carl Zhao! – Ashish-BeJovial Aug 21 '20 at 11:42
  • @Ashish-BeJovial First you need to request the "code" in the browser according to the document, and then use the "code" to request the token. – Carl Zhao Aug 21 '20 at 12:10
  • Is this code generated from somewhere, or can I paste anything as the value of code? – Ashish-BeJovial Aug 21 '20 at 12:20
  • This code is unique, it needs you to obtain it in the browser according to your request parameters, there is a detailed explanation in the document I provided. – Carl Zhao Aug 21 '20 at 12:25
  • You can make a reference based on this example first: https://swimlane.com/blog/microsoft-oauth2-implementation-3/ – Carl Zhao Aug 21 '20 at 12:30
  • @Ashish-BeJovial Hi, give me some time and I will write an example for you based on your question. – Carl Zhao Aug 21 '20 at 12:32
  • Thanks a lot for this effort @Carl, it will be a great help. – Ashish-BeJovial Aug 24 '20 at 06:17
  • Hi @Carl, have you got a chance to have a look at this? – Ashish-BeJovial Aug 26 '20 at 07:45
  • @Ashish-BeJovial Hi, Sorry for my late reply, I found a similar one, please see: https://stackoverflow.com/questions/58200571/can-i-use-mfa-app-passwords-with-azure-oauth2-0-ropc – Carl Zhao Aug 26 '20 at 10:51
  • @Ashish-BeJovial Have you got solution for this? – Nachiappan R May 25 '22 at 17:27
  • Yes, but I have changed the way I get an access token. At the time of installation of my desktop app, I copy the PowerShell script into the appdata folder, and when my application runs, that PowerShell script is executed and saves an access token in Azure Blob; from the blob I am able to continue to use that token. I hope this will help you. – Ashish-BeJovial May 27 '22 at 18:47
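The authorization code flow that the answer recommends, as an added PowerShell example that is not from the question, the answer or any linked page. It assumes placeholder tenant, client and secret values, an app registration with http://localhost:8400/ as a redirect URI, and the Azure AD v1 endpoints on login.microsoftonline.com (same `resource` parameter the question's script uses).

```powershell
# Placeholders, not values from the question; the app registration must list
# $redirectUri as a redirect URI for the authorization code flow to work.
$tenantID    = '<tenant-id>'
$clientID    = '<client-id>'
$secretKey   = '<client-secret>'
$redirectUri = 'http://localhost:8400/'
$resource    = 'https://management.azure.com/'
$tokenUrl    = "https://login.microsoftonline.com/$tenantID/oauth2/token"

# Step 1: URL the user opens in a browser; after sign-in Azure AD redirects to
# $redirectUri with ?code=...&state=... appended. Verify state matches what was sent.
function Get-AuthorizeUrl([string]$state) {
    $q = @{ client_id = $clientID; response_type = 'code'; redirect_uri = $redirectUri
            resource = $resource; state = $state }
    $qs = ($q.GetEnumerator() | ForEach-Object { "$($_.Key)=$([uri]::EscapeDataString($_.Value))" }) -join '&'
    return "https://login.microsoftonline.com/$tenantID/oauth2/authorize?$qs"
}

# Step 2: exchange the one-time code for an access token AND a refresh token.
function Get-TokensFromCode([string]$code) {
    $body = @{ grant_type = 'authorization_code'; code = $code; redirect_uri = $redirectUri
               client_id = $clientID; client_secret = $secretKey; resource = $resource }
    return Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $body
}

# Step 3: later, trade the refresh token for a new access token (the response
# carries a new refresh token too) without sending the user back to the browser.
function Get-TokensFromRefreshToken([string]$refreshToken) {
    $body = @{ grant_type = 'refresh_token'; refresh_token = $refreshToken
               client_id = $clientID; client_secret = $secretKey; resource = $resource }
    return Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $body
}

$state = [guid]::NewGuid().ToString()
Write-Output "Open this URL, sign in, then paste the 'code' value from the redirect:"
Write-Output (Get-AuthorizeUrl $state)
$tokens = Get-TokensFromCode (Read-Host 'code')
Write-Output "refresh_token returned: $([bool]$tokens.refresh_token)"
$renewed = Get-TokensFromRefreshToken $tokens.refresh_token
Write-Output "renewed access token expires_in: $($renewed.expires_in)"
```

The refresh token is a long-lived credential for the signed-in user, so store it with the same protection as the client secret rather than alongside cached access tokens.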