MSAL - Azure SSO - where is the refresh token?

Question

I'm trying to implement SSO for an app using Angular & .NET 2.2. I'm kind of stuck with the refresh token though. The login works and I can see that the service is sending lots if login info, but without the refresh token.

 loginAD() {
this._authService.loginPopup()
  .subscribe({
    next: (r) => {
      console.log('Microsofot Login successful');
      console.log(r);
      
      this._settings.authorization = {
        access_token: r.accessToken,
        access_token_expiration: r.expiresOn,
        access_token_decoded:undefined,
        refresh_token: undefined,
        token_type:r.tokenType,
        refresh_token_expiration: undefined,            
        refresh_token_decoded:undefined
      };

      this.redirectAfterLogin();

    },
    error: (error) => {
      console.error(error)
    }
  });
 }

The app crashes when trying to assign the refresh token, because it's calling jwt_decode on an undefined value. I can see in the network traffic that the refresh token is being sent, but how can I access it from this MSAL AuthenticationResult?

Answer 1

The refresh token is hidden in the MSAL token cache, and you can't access it from MSAL AuthenticationResult.

This is by design - in MSAL you aren't intended to access the refresh token yourself. It caches all of the token data in memory (or somewhere else if you configure this). The intention is that you use the MSAL API to retrieve the access token from its cache whenever you need it, and if it needs to be refreshed MSAL will automatically do that for you.

This documentation discusses how to get the tokens from the cache with MSAL for .NET.

If you are interested, this github issue has some discussion for .NET, and this answer about MSAL for Node.js might be interesting to read, although the implementation will be different for you.