I am adding Microsoft OneDrive support to a product that my employer sells to other companies. When I went through my designing and prototyping stage, I was using an application ID that waw obtained through an application registration that I did using my personal account. Now, I'm working on actually adding the code into our product and am using an application ID that was obtained through an application registration that was done (by someone else) through our corporate Office365 account.
I am experiencing a difference in the results of the authentication queries between these two application registrations. I'm trying to track down the cause and I'm hoping someone here can help.
When I used the registration from my personal account, I was receiving all the data items from the /token
url that were documented in the Microsoft online documentation. When I switched over to use the registration from our corporate account, changing nothing in the code except the application ID, I do not get the refresh_token
value. I was using the same login credentials for both tests.
Here's the information when using my personal registration:
Url: https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Body: grant_type=authorization_code&client_id={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}&code=XXXXXXXXXXXXXX...XXXXXXXXXXXXXXXX
Request Response:
{
"token_type":"Bearer",
"scope":"https://graph.microsoft.com/files.readwrite.all",
"expires_in":3599,
"ext_expires_in":0,
"access_token":"XXXXXXXXXXXXXX...XXXXXXXXXXXXXXXX",
"refresh_token":"XXXXXXXXXXXXXX...XXXXXXXXXXXXXXXX"
}
Here's the information when using our corporate registration:
Url: https://login.microsoftonline.com/common/oauth2/v2.0/token
Request Body: grant_type=authorization_code&client_id={YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}&code=YYYYYYYYYYYYYY...YYYYYYYYYYYYYYY
Request Response:
{
"token_type":"Bearer",
"scope":"https://graph.microsoft.com/files.readwrite.all",
"expires_in":3599,
"ext_expires_in":0,
"access_token":"YYYYYYYYYYYYYY...YYYYYYYYYYYYYYY"
}
Other than the values for client_id
and code
, the only thing that is different is the application registration (one using a personal account and the other using a corporate Office365 account). What could be the cause of this? Is there something missing from the registration through our corporate account?
I don't have permissions to view the corporate registration, so I can't compare what they put it versus what I had in my personal registration. I gave them all the pertinent information, but I don't know if they did everything I asked.
The Microsoft documentation is quite unclear. Their online services have gone through many iterations and this results in quite a bit of residual data lying around. When I revoked access to both applications from within Office365 and re-authenticated both of them from scratch, both calls were absent the refresh_token
value in the response from the /token
call.
I managed to put together the pieces from the Microsoft and OpenID documentation to find the answer. In the initial authorization request, the call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize
, adding offline_access
to the scope
query string parameter resolved the issue.
Nothing needs to be added or changed on the app registration side. When this new scope is added, the user will also be shown that the application is requesting access to the data offline. This sequence of steps turns on the return of the refresh_token
value. Why it was there in the first place, without specifying offline_access
still remains a mystery.