Get a refresh token of an SPA application using Microsoft Entra(Azure AD)
I have registered an application in Microsoft Entra as an SPA multitanent application with the permissions as Files.ReadWrite,offline_access and User.Read.
I use MSAL library in my frontend .I am able to get access token with loginPopup method provided by the library.
const microsoftLogin=async ()=>
{
const loginResponse=await instance.loginPopup(loginRequest).catch((e) => {
console.log(e);
});
console.log(JSON.stringify(loginResponse));
}
Now I also need to get refreshToken so that I can use it to get a new access token any later point in time. The method doesn't provide any authCode or refreshToken in the response. I am retrieving access token via sessionStorage where Microsoft saves values with the key as
UNIQUEID+"."+loginResponse.tenantId+"-login.windows.net-refreshtoken-"+MICROSOFT_CLIENT_ID+"----"
However I am not able to get accessToken with that as well. I tried the api via postman.I don't have client secret.
What do I need to do in order to get refresh_token, get access token via refresh_token via SPA configured application. Do I need to change anything in my Entra Application?
The error "AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests" usually occurs if you are not passing origin as header in the request.
To generate access and refresh token for SPA application, check the below:
Created a Microsoft Entra ID application and configured redirect URL as SPA:
Used the below endpoint to sign in user and generate code:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
response_type=code
&client_id=ClientID
&scope=Files.ReadWrite offline_access User.Read
&redirect_uri=https://jwt.ms
&code_challenge=XXX
&code_challenge_method=S256
Generated access and refresh tokens by passing below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id : ClientID
grant_type : authorization_code
code : code
redirect_uri : https://jwt.ms
code_verifier : S256
scope : Files.ReadWrite offline_access User.Read
Make sure to pass origin header (Value is redirect URL):
To refresh the access token, make use of below parameters:
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:appID
grant_type:refresh_token
refresh_token: xxx //paste the refresh token that you got above
Make sure to pass origin header (Value is redirect URL):
I am able to successfully refresh the access token:
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?