
I have a requirement where App1 does the authentication with Azure B2C and passes a "RefreshToken" to App2; App2 needs to acquire access and ID tokens using only that refresh token. The purpose of App2 is to generate the cookies that get generated when using the MSAL lib.

I see the MSAL library has a method "acquireTokenSilent", but this method fetches the refresh token behind the scenes (using cookies etc.), and App2 doesn't have any information other than the "RefreshToken" that is passed to it.

Is this possible to achieve? I called the /token endpoint using Postman and was able to acquire tokens by passing refresh_token. I am wondering if there's an equivalent method in the MSAL library. TIA

Ali
  • MSAL.js does not expose the refresh token, and even if you did manage to acquire an RT for App1, it should not be used by anything other than App1, and in fact would not be valid for App2. Can you tell me a little bit more about App2? Why does it need to be provided with a refresh token? – Thomas Norling Oct 11 '22 at 19:12
  • App1 has interacted with Azure B2C using API calls to retrieve tokens (as part of SSO from a federated identity). Since the login never called an interactive flow (webviews), no client-side cookies were created. When a user gets redirected from App1 to App2 and no local storage is found, the user gets redirected to the login page. We need to avoid this login page and generate those cookies using the refresh token. – Ali Oct 11 '22 at 19:55
  • If App1 is signing in with SSO, why can't App2 do the same? You should be able to silently sign in App2 without needing the refresh token. – Thomas Norling Oct 12 '22 at 20:08

1 Answer


First, the direct answer to this question:

I called /token endpoint using postman and was able to acquire tokens by passing refresh_token. I am wondering if there's an equivalent method in msal library. TIA

The answer is no - manually making an HTTP request to that endpoint is the correct way to acquire tokens if you want to get the refresh_token and handle everything manually.

Here are some resources that may be helpful if you want to read about this:

  • Microsoft Identity Platform OAuth 2.0 Authorization Code flow
    • "This article describes low-level protocol details usually required only when manually crafting and issuing raw HTTP requests to execute the flow, which we do not recommend. Instead, use a Microsoft-built and supported authentication library to get security tokens and call protected web APIs in your apps."
  • Microsoft Identity Platform OAuth 2.0/OIDC
    • "We strongly advise against crafting your own library or raw HTTP calls to execute authentication flows. A Microsoft Authentication Library is safer and easier. However, if your scenario prevents you from using our libraries or you'd just like to learn more about the identity platform's implementation, we have protocol reference."

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols

So in summary, you can implement your own solution to manually request tokens and then you have full control over how you handle those tokens - but Microsoft really wants you to use MSAL.

For your problem it really comes down to an issue of token storage. MSAL works by keeping its own token cache, and then you use the MSAL api to retrieve access tokens from it as needed. The refresh token is never exposed to you, but the library will refresh the access token behind the scenes if it needs to.

It sounds like you have a somewhat unique setup with your two applications, which is hard to give advice on without knowing more details. If you can find a token cache solution that works for you, then go ahead with MSAL. Otherwise, you need to just make those token requests manually and handle the tokens yourself.

I would start here and then continue on to the token cache documentation that is specific for your use case.

Datguy
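As an added example (not code from the original question, the answer, or Microsoft's own libraries), here is what the manual refresh_token grant that the question tried in Postman and the answer recommends looks like in Node.js: build the form-encoded request for the B2C token endpoint, then check the response before caching anything from it. The tenant name, user flow name, client ID and the sample token response are constructed placeholders, and the example does not verify the id_token signature against the B2C JWKS, which a real App2 must do before trusting the claims. Whatever transports the refresh token from App1 to App2 is carrying a bearer credential and has to protect it like a password (TLS only, never in a URL, never logged).

```javascript
// Added example, not code from the original thread: redeem an Azure AD B2C
// refresh token by calling the /token endpoint directly (the refresh_token
// grant that MSAL.js performs internally but does not expose).
// Placeholders (assumed, not from the thread): tenant, user flow, client id.
const B2C_TENANT = "contoso";               // <tenant>.b2clogin.com
const B2C_POLICY = "B2C_1_signupsignin";    // user flow / policy name
const CLIENT_ID = "11111111-2222-3333-4444-555555555555";

// B2C token endpoint for a user flow.
function tokenEndpoint(tenant = B2C_TENANT, policy = B2C_POLICY) {
  return `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/token`;
}

// Form-encoded refresh_token grant. A public client (SPA) sends no secret;
// a confidential client would add client_secret. Include openid to get an
// id_token back and offline_access to get a new refresh token.
function buildRefreshRequest(refreshToken, scopes, clientId = CLIENT_ID) {
  if (typeof refreshToken !== "string" || refreshToken.length === 0) {
    throw new TypeError("refreshToken must be a non-empty string");
  }
  const params = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
    scope: scopes.join(" "),
  });
  return {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  };
}

// base64url helpers (Buffer is a Node.js global).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}

// Read JWT claims WITHOUT verifying the signature. Enough to pick out
// aud/exp for sanity checks; trust decisions need signature verification
// against the B2C JWKS (e.g. with the jose or jsonwebtoken packages).
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Check a /token response before caching anything from it.
function parseTokenResponse(json, { clientId = CLIENT_ID, now = Math.floor(Date.now() / 1000) } = {}) {
  if (json.error) {
    // invalid_grant here typically means the RT expired, was revoked, or
    // was issued to a different client or policy.
    throw new Error(`token endpoint error ${json.error}: ${json.error_description || ""}`);
  }
  for (const field of ["access_token", "id_token", "expires_in"]) {
    if (!(field in json)) throw new Error(`response is missing ${field}`);
  }
  const claims = decodeJwtPayload(json.id_token);
  if (claims.aud !== clientId) throw new Error("id_token audience mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("id_token expired");
  return {
    accessToken: json.access_token,
    idToken: json.id_token,
    // Keep whatever refresh token comes back and drop the one you sent.
    refreshToken: json.refresh_token,
    expiresAt: now + Number(json.expires_in),
    claims,
  };
}

// Live round trip (needs network and Node 18+ for global fetch).
async function redeemRefreshToken(refreshToken, scopes) {
  const res = await fetch(tokenEndpoint(), buildRefreshRequest(refreshToken, scopes));
  return parseTokenResponse(await res.json());
}

// Constructed sample response so the parsing path runs offline. The id_token
// carries a dummy signature; it only demonstrates the shape of a real reply.
function sampleTokenResponse(exp = 4102444800) {
  const idToken = [
    b64urlEncode({ alg: "RS256", typ: "JWT" }),
    b64urlEncode({ iss: "constructed", aud: CLIENT_ID, exp, sub: "user-oid", tfp: B2C_POLICY }),
    "ZHVtbXktc2lnbmF0dXJl",
  ].join(".");
  return {
    token_type: "Bearer", expires_in: 3600,
    access_token: "constructed.access.token",
    id_token: idToken, refresh_token: "constructed-new-refresh-token",
  };
}

// Offline demo of the validation path on the constructed response.
const demo = parseTokenResponse(sampleTokenResponse());
console.log(demo.claims.aud === CLIENT_ID, demo.expiresAt > Date.now() / 1000);
```

The request body is exactly what the Postman call in the question sends; `redeemRefreshToken` is the live path and everything else runs offline. Note that the audience check is against App2's own client ID, which is why an RT minted for App1 (as the comment above points out) will not get App2 anywhere: the token endpoint rejects it with `invalid_grant`, and even a response that slipped through would fail the `aud` check.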