
There is an option to get access_token and refresh_token by adding an offline_access scope. We can also keep sending requests to get them with the syntax

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=[REFRESH TOKEN]&
client_id=[APPLICATION ID]&
client_secret=[PASSWORD]&
scope=[SCOPE]&
redirect_uri=[REDIRECT URI]

but an Enterprise application does not allow creating a Client Secret. Is there any other way to keep my access token alive, with or without PowerShell?

I am trying to keep my connection alive but am unable to do so.

  • Could you give some context, i.e. what are you doing in general? It could be helpful to understand what you are asking. In general, the purpose of the password (client secret) is to keep the access secure. – Nikolay Jan 21 '23 at 16:01
  • Thanks Nikolay for your comment. Actually, we are developing a web application and would like to grant admin consent from the user end. After getting the access token we would like to keep it live so that scheduled tasks are not interrupted. – Manoj Dwivedi Jan 21 '23 at 16:50
  • If it is a web application, then there should be no problem having the client secret server side, or? When the user who is an admin logs in, he should see a checkbox to consent for all users in the organization. Also, if you are creating an in-house application it should not be a problem at all? – Nikolay Jan 21 '23 at 18:48
  • If you are doing that from the client side, then maybe you are talking about delegated permissions. Delegated permissions only work in interactive scenarios (the user will be asked to log in again at some point anyway, *even with a refresh token*, i.e. the refresh token expires too), for security reasons. If you want app-level permissions (to perform unattended tasks) then you have to ask the organization admin to grant them to your app explicitly, as far as I know. – Nikolay Jan 22 '23 at 11:33

1 Answer

Without including the client secret, you cannot refresh the access tokens.

I tried to reproduce the same in my environment and got the results below:

I got a refresh token by giving offline_access in scope like below:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:authorization_code
scope:offline_access user.read
code:code
redirect_uri:https://jwt.ms


When I tried to get an access token using the above refresh token without giving the client secret, I got an error like below:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

redirect_uri: https://jwt.ms
client_id:appID
grant_type:refresh_token
refresh_token: <refresh token>
scope: https://graph.microsoft.com/.default

Response: (error screenshot in the original answer, not reproduced here)

To get an access token using a refresh token, you must include client_secret like below:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

redirect_uri:https://jwt.ms
client_id:appID
client_secret: secret
grant_type:refresh_token
refresh_token: <refresh token>
scope: https://graph.microsoft.com/.default


Alternatively, you can make use of the PowerShell script below to create a token lifetime policy that keeps the access token alive for 24 hrs.

# Requires the AzureAD PowerShell module and an existing Connect-AzureAD session.
# Create an org-wide token lifetime policy that stretches access tokens to 23:59:59.
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:59:59"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
# Look up the service principal of the app whose tokens should get the longer lifetime.
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"
# Attach the policy to that service principal.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

Response: (screenshot of the created policy in the original answer, not reproduced here)

When I generated an access token again, the token lifetime increased like below:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:appID
client_secret:secret
grant_type:authorization_code
scope:offline_access user.read
code:code
redirect_uri:https://jwt.ms

Response: (screenshot of the decoded token with the longer lifetime in the original answer, not reproduced here)

Reference:
Configurable token lifetimes - Microsoft

SiddheshDesai
  • Thank you for giving your valuable time to answer my question. I understand that it is not possible to get a refresh token without a client secret. But I am using 'Grant tenant-wide admin consent to an application' as shown in the link below, and it creates an Enterprise App that does allow creating a Client secret. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=ms-graph – Manoj Dwivedi Jan 25 '23 at 11:29
  • Granting tenant-wide admin consent will allow your application to be accessed by other users or service principals, just by calling the app if it is multi-tenant; if it is single-tenant, any user or service principal can access that application. It has nothing to do with the client secret; the client secret is used to authenticate the application to get the access token. – SiddheshDesai Feb 02 '23 at 10:55
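The refresh_token grant from the question and the answer above, assembled and checked in code, plus a decoder for the iat/exp claims the answer read off jwt.ms so a web app can schedule its next refresh before the token expires. This is an added example, not code from the original question or answer; the function names are mine and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

# Entra ID v2.0 token endpoint, as used in the question and answer above.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

def build_refresh_request(client_id, refresh_token, scope, client_secret=None):
    """Build a refresh_token grant for a confidential (web app) client.
    Without client_secret the endpoint rejects the refresh (see the answer
    above), so fail locally rather than make a round trip that will only
    fail. Returns (url, headers, body)."""
    if not client_secret:
        raise ValueError("confidential client refresh requires client_secret")
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode(form)

def _b64url(data):
    # base64url without padding, as used for JWT segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_lifetime_seconds(access_token):
    """Return (iat, exp, lifetime) from the JWT payload, as jwt.ms displays.

    Inspection only, for scheduling a refresh: the signature is NOT verified,
    so never use this to decide whether a token is valid.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return payload["iat"], payload["exp"], payload["exp"] - payload["iat"]

def seconds_until_refresh(access_token, now, margin=300):
    """Seconds to wait before refreshing, keeping `margin` seconds before exp."""
    return max(0, token_lifetime_seconds(access_token)[1] - margin - now)

def make_sample_jwt(iat, exp):
    # Constructed, unsigned sample token for offline demonstration only.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iat": iat, "exp": exp}).encode())
    return f"{header}.{payload}."
```

With the 23:59:59 policy from the answer, a token issued at `iat` carries `exp - iat == 86399`, and the scheduler refreshes five minutes before that.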