How do we get the Bearer access_token when calling refresh_token

  • Question

  • User430178104 posted

    Hi, as my Bearer access_token has expired I am trying to get a new Bearer access_token, but the Azure service is giving only id_token and refresh_token, not access_token. May I know how I can get the Bearer access_token?

    Here is my request and response

    Url: POST https://login.microsoftonline.com/*****/oauth2/v2.0/token

    Request

    {
        client_id: '******',
        redirect_uri: 'http://localhost:.....',
        grant_type: 'refresh_token',
        client_secret: '****',
        refresh_token: '*******'
    }

    Response:

    {
        "refresh_token": "*****",
        "id_token": "****"
    }

    Monday, May 14, 2018 1:19 PM

Answers

  • User1724605321 posted

    Hi pathipati ,

    Scope is required when refreshing the access token using Azure AD V2.0:

    // Line breaks for legibility only
    
    POST /{tenant}/oauth2/v2.0/token HTTP/1.1
    Host: https://login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded
    
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
    &refresh_token=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq...
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &grant_type=refresh_token
    &client_secret=JqQX2PNo9bpM0uEihUPzyrh      // NOTE: Only required for web apps

    scope (required): A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource servers, then the v2.0 endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to permissions, consent, and scopes.

    Please refer to the link below for more details:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code#refresh-the-access-token 

    Best Regards,

    Nan Yu

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 15, 2018 6:36 AM

All replies

  • User430178104 posted

    Hi Nan Yu,

    Thanks for your response!

    Now I am passing the scope and then getting the error below. May I know how to resolve this?

    {
        "error": "invalid_grant",
        "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID '......' named 'Test Localhost'. Send an interactive authorization request for this user and resource.\r\nTrace ID: c60f56b7-f0ab-494c-ac2d-cc8193a60a00\r\nCorrelation ID: fc0fdcde-95d2-46ca-aaa5-edc71d7e61de\r\nTimestamp: 2018-05-15 11:11:36Z",
        "error_codes": [
            65001
        ],
        "timestamp": "2018-05-15 11:11:36Z",
        "trace_id": "c60f56b7-f0ab-494c-ac2d-cc8193a60a00",
        "correlation_id": "fc0fdcde-95d2-46ca-aaa5-edc71d7e61de",
        "suberror": "consent_required"
    }

    Tuesday, May 15, 2018 11:15 AM
  • User1724605321 posted

    Hi pathipati,

    Do you set the same scopes as in the authorize step? The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. You should give consent in the first authorization_code request.

    Best Regards

    Nan Yu

    Wednesday, May 16, 2018 5:13 AM
  • User430178104 posted

    Hi Nan Yu,

    Thank you very much for your quick response.

    I am passing "Scope = OpenIdConnectScope.OpenIdProfile," for authorization in the Startup class. May I know the related scope for this, so that I can pass the same scope for the token and refresh token requests?

    Wednesday, May 16, 2018 7:51 AM
  • User1724605321 posted

    Hi pathipati,

    You are using the OpenID Connect scopes. With the profile scope you can access information that includes, but is not limited to, the user's given name, surname, preferred username, and object ID in the ID token. There is no access token in your scenario:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens 

    Best Regards,

    Nan Yu

    Wednesday, May 16, 2018 9:10 AM
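As an added example (not code from this thread or from Microsoft), the Python below builds the refresh_token request that Nan Yu's first answer shows, with scope as a mandatory field, and classifies the three responses seen in this thread: an access_token, an id_token-only response (OIDC scopes as in the OP's Startup class), and the AADSTS65001 consent_required error. The tenant placeholder in TOKEN_ENDPOINT, the function names, and the sample values are assumptions; nothing is sent over the network.

```python
# Added example, not code from the thread or from Microsoft. It builds the
# refresh_token request body the accepted answer shows (scope is mandatory)
# and classifies the responses seen in this thread. No network I/O; the
# sample inputs are constructed to mirror the JSON posted above.
from urllib.parse import urlencode

# Tenant placeholder; the real value comes from your app registration.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_MAIL_READ = "https://graph.microsoft.com/mail.read"  # a resource scope
OIDC_ONLY = ("openid", "profile")  # what OpenIdConnectScope.OpenIdProfile asks for


def build_refresh_body(client_id, refresh_token, scopes, redirect_uri,
                       client_secret=None):
    """Return the x-www-form-urlencoded body for grant_type=refresh_token.

    scopes must be equal to or a subset of those consented to in the
    authorization_code leg. If they are OIDC-only (openid/profile) the
    endpoint returns an id_token and refresh_token but no access_token,
    which is exactly the first response in the thread.
    """
    if not scopes:
        raise ValueError("scope is required by the v2.0 token endpoint")
    form = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "refresh_token": refresh_token,
        "redirect_uri": redirect_uri,
        "grant_type": "refresh_token",
    }
    if client_secret is not None:  # confidential (web app) clients only
        form["client_secret"] = client_secret
    return urlencode(form)


def classify_token_response(resp):
    """Map a token endpoint JSON response (as a dict) to the next step."""
    if "error" in resp:
        # AADSTS65001 / suberror consent_required: the user never consented
        # to the requested scope, so a silent refresh cannot succeed. Do not
        # retry; send the user through an interactive authorization request.
        consent_missing = (resp.get("suberror") == "consent_required"
                           or 65001 in resp.get("error_codes", []))
        if consent_missing:
            return "interactive_authorization_required"
        return "error:" + resp["error"]
    if resp.get("access_token"):
        return "bearer_access_token"  # use as Authorization: Bearer <token>
    if resp.get("id_token"):
        return "id_token_only"  # only OIDC scopes were requested or consented
    return "unexpected_response"
```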