How to get a refresh token with oauth in microsoft365?
I am trying to use microsoft365 and oauth to get an access and refresh token. According to Microsoft 365 docs, we need to use the "offline_access" scope to get a refresh token along with access token. However, The response I am getting does not contain a refresh token.
Here is the code I used:
url = "https://login.microsoftonline.com/{}/oauth2/v2.0/token".format(tenant_id)
headers = {
"Content-Type": "application/x-www-form-urlencoded",
}
data = {
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials",
"scope": "https://graph.microsoft.com/.default offline_access",
}
response = requests.post(url, headers=headers, data=data)
The response contains the access token like usual, but does not contain the refresh token despite using the offline_access scope. Could someone kindly tell me what the issue is?
I agree with @junnas Client Credential Flow doesn’t return refresh token as user interaction is not present.
I tried to reproduce the same in my environment and got the results like below:
To get the refresh token, you need to choose user interactive flows such as Auth-Code Flow.
I created an Azure AD Application and added API permissions like below:
I generated auth-code using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default offline_access
&state=12345
I generated the access token and refresh token using below parameters:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default offline_access
grant_type:authorization_code
redirect_uri:redirectURi
code:code
By using the above generated refresh token, I refreshed the access token successfully like below:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:refresh_token
refresh_token:xxx
client_secret:xxx
- Implementing OIDC with Authorization Code Flow on API Gateway using Keycloak as SSO provider
- Spring Cloud Gateway Getting a 500 Exception while trying to refresh_token using expired access_token and refresh_token
- Microsoft Entra ID Oauth2 Client Credentials and Group claims
- JWT refresh token flow
- AADSTS70000 Error When Requesting for Access Token
- Avoid instantiating multiple objects ReactJS + Vite
- ZOHO CRM Not getting refresh token in response
- FastAPI OAuth2 with ForgeRock: SSL Certificate Verification Issue
- How to authorize OpenAPI/Swagger UI page in FastAPI?
- Identity Server 4 - Unable to authenticate user
- How to verify a token received from chrome.identity.getAuthToken() in the backend?
- Getting no access_token but id_token from Google OAuth2
- Need admin approval unverified needs permission to access resources in your organisation that only an admin can grant
- Getting a token from Microsoft Intra ID with PostMan using MFA
- Freshdesk OAuth SSO: Freshdesk Login Page Doesn't Ping My Auth Page?
- Azure OAuth2: can't validate access token
- Export a Google Sheet to PDF file with Python requests
- Are auth code and access token exclusive to a single resource owner?
- How to access an API with an Azure identity provider from a Python notebook?
- Unauthorized to Delete Tweet with OAuth2.0 path on free-tier developer account
- Argument of type "github" is not assignable to parameter of type 'OAuthProvider' in Appwrite
- How to authenticate resource owner with JWT token on Spring Authorization Server for requests to /oauth2/authorize?
- Headless OAuth2 Token Refresh Fails with Spring boot and MSAL4J
- Springboot Keycloak Admin add role or reset password error
- request to token url returning 400 bad request for google oauth2?
- Spring Boot Oauth Client & Authorization Server + React implementation
- Dotnet-Isolated Azure Functions - how to access HttpContext
- Enabling and Configuring Password History on Cognito
- Where to store the refresh token on the Client?
- Keycloak-Remix integration: where should I place the checks?