Handling Expired Access Token in Implicit Grant Flow OAuth2 - azure-active-directory

We have implemented authentication as specified in the C# Teams Sample. Once the access_token expires we have to re-prompt the user to log in.
Currently, the access_token expires in 1 hour.
Scopes:
https://graph.microsoft.com/User.Read
openid
Mail.Send
Sites.Read.All
When we request a refresh token per the documentation, it gives an access denied error.
Is there a way to refresh the token instead of prompting the user to log in again?

If you are using the implicit grant, after the token has expired you have to log in again; there is no other option to get an access token.
If you use the code grant then you will get a RefreshToken along with the AccessToken, and you can get a new AccessToken using the RefreshToken. Please follow the link for the code grant implementation.

Related

Python MSAL - admin consent required error, when consent is already given

I am trying to request the Directory.Read.All scope using Microsoft's MSAL library and retrieve a valid access/refresh token pair with the acquire_token_by_authorization_code function.
I ask an organization's admin to consent to the above application permission with the /adminconsent endpoint (and have confirmed that the permissions have been granted - see screenshot below). However, when trying to retrieve an access token with the Directory.Read.All scope, I get the following error:
{'error': 'invalid_grant', 'error_description': "AADSTS65001: The user or administrator has not consented to use the application with ID 'XXX' named 'XXX'. Send an interactive authorization request for this user and resource [...]'suberror': 'consent_required'}
Not exactly sure how this can be the case, as the permission is clearly granted. I have tried resetting the token cache by removing all MSAL accounts, but doubt this is the root of the issue, as the actual step that fails is converting an authorization code to an access token.
Thanks for any help!
I can reproduce your error:
If you use the auth code flow to obtain an access token, you should grant delegated permissions, because this is an authorization flow with user interaction, so try to grant the Directory.Read.All delegated permission, and then grant admin consent for the permissions.
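The two answers above (code grant instead of implicit, and delegated permissions for the auth code flow) come down to the same token-endpoint exchange. The following is an added example, not code from either post or from MSAL: it redeems an authorization code, refreshes when the access token nears expiry, and treats the AADSTS65001 / consent_required response as something that must be escalated to an interactive request rather than retried. It assumes a confidential client, the v2.0 token endpoint, and an injectable `post(url, form) -> dict` transport; the `FakeEndpoint` and its responses are constructed so the block runs offline.

```python
"""Auth-code redemption + refresh against the AAD v2.0 token endpoint, with the
consent_required failure recognised. Added example, not the posts' code; assumes
a confidential client and an injectable post(url, form) -> dict transport."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


class InteractionRequired(Exception):
    """The endpoint wants an interactive request (consent or re-login)."""


def http_post(url, form):
    """Real transport: form-encoded POST; AAD returns errors as JSON with HTTP 400."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def _token_request(post, tenant, form):
    resp = post(TOKEN_URL.format(tenant=tenant), form)
    if "error" in resp:
        desc = resp.get("error_description", "")
        # AADSTS65001 arrives as invalid_grant + suberror consent_required: retrying or
        # clearing the cache cannot fix it, someone has to consent interactively.
        if resp.get("suberror") == "consent_required" or "AADSTS65001" in desc:
            raise InteractionRequired(desc or resp["error"])
        raise RuntimeError(f"{resp['error']}: {desc}")
    resp["expires_at"] = time.time() + int(resp.get("expires_in", 0))  # absolute expiry
    return resp


def redeem_code(post, tenant, client_id, client_secret, code, redirect_uri, scopes):
    """Unlike the implicit grant, this returns a refresh_token when offline_access is requested."""
    return _token_request(post, tenant, {
        "grant_type": "authorization_code", "client_id": client_id, "client_secret": client_secret,
        "code": code, "redirect_uri": redirect_uri, "scope": " ".join(scopes)})


def refresh(post, tenant, client_id, client_secret, refresh_token, scopes):
    return _token_request(post, tenant, {
        "grant_type": "refresh_token", "client_id": client_id, "client_secret": client_secret,
        "refresh_token": refresh_token, "scope": " ".join(scopes)})


def ensure_fresh(post, tenant, client_id, client_secret, tokens, scopes, skew=300, now=None):
    """Return usable tokens, refreshing when within `skew` seconds of expiry."""
    now = time.time() if now is None else now
    if tokens["expires_at"] - now > skew:
        return tokens
    new = refresh(post, tenant, client_id, client_secret, tokens["refresh_token"], scopes)
    new.setdefault("refresh_token", tokens["refresh_token"])  # AAD usually rotates it; keep old if not
    return new


class FakeEndpoint:
    """Constructed offline stand-in: anything naming Directory.Read.All gets the
    AADSTS65001 error from the question, everything else succeeds."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, form):
        self.calls.append(form["grant_type"])
        if "Directory.Read.All" in form["scope"]:
            return {"error": "invalid_grant", "suberror": "consent_required",
                    "error_description": "AADSTS65001: The user or administrator has not consented"}
        n = len(self.calls)
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": f"at{n}", "refresh_token": f"rt{n}"}


def run_demo():
    """Exercise the flow offline; returns the observations a test can check."""
    post = FakeEndpoint()
    args = (post, "contoso.onmicrosoft.com", "client-id", "client-secret")
    scopes = ["https://graph.microsoft.com/User.Read", "openid", "offline_access"]
    tokens = redeem_code(*args, "auth-code", "https://app.example/callback", scopes)
    kept = ensure_fresh(*args, tokens, scopes, now=tokens["expires_at"] - 3000)   # still fresh
    renewed = ensure_fresh(*args, tokens, scopes, now=tokens["expires_at"] - 60)  # inside skew
    try:
        redeem_code(*args, "auth-code", "https://app.example/callback", ["Directory.Read.All"])
        consent_error = False
    except InteractionRequired:
        consent_error = True
    return {"refresh_token_issued": tokens["refresh_token"], "reused_without_refresh": kept is tokens,
            "renewed_access_token": renewed["access_token"], "calls": post.calls,
            "consent_required_detected": consent_error}


if __name__ == "__main__":
    print(run_demo())
```

Swap `FakeEndpoint` for `http_post` to talk to the real endpoint. The important design point is that `InteractionRequired` is a distinct exception: the caller's only correct reaction is to send the user (or an admin) back through an interactive authorize request, never to loop on the token endpoint.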

How to Revoke Token generated on Azure AD On Behalf user flow?

I am getting an access token and then calling the MS Graph API; however, I am not getting any API for revoking the access token/refresh token generated for a specific account (used with the on-behalf-of user authorization flow).
I used the Azure AD logout API, which redirects to the logout URL, but it is not exactly logging out of the Office 365 account, and I am still able to generate a new access token using the refresh token after logout. This should not happen.
Please suggest some solution.
It seems like your only option here is the cmdlet Revoke-AzureADUserAllRefreshToken.
https://learn.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken?view=azureadps-2.0
Your case is also described in the Office 365 scope over here: https://www.michev.info/Blog/Post/1137/immediately-revoke-access-to-office-365-applications

IdentityServer4 refresh token never expires

We are using IdentityServer4 and have an issue with using refresh tokens.
Here are my client configs:
Grant Types:
client_credentials
hybrid
Access token lifetime:
60
Identity token lifetime:
900
Absolute refresh token lifetime:
240
Sliding refresh token lifetime:
60
Refresh token usage:
OneTimeOnly
Refresh token expiration:
Absolute
I am checking the access token lifetime, and when it is about to expire I use the refresh token to get a new access token. After 240 seconds the access token lifetime is not extended, and my client goes to Identity Server, which issues a new set of tokens for my client.
I want my user to enter username/password after the refresh token expires, but Identity Server issues new tokens instead of asking for credentials.
Any idea?
If I'm understanding correctly you want to force the user to interactively authenticate from your client? If so the max_age=n or prompt=login authorize endpoint parameters can be used to trigger that flow and then you can validate the auth_time claim within your client to ensure it's recent enough.
Currently this is happening without prompting because the user still has a valid IDP session via the authentication cookie. I'd recommend using the above method over and above setting the IDP session to be aligned with your client application session lifetime.
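The answer above names the two OIDC request parameters and the claim to check. The following is an added example, not IdentityServer4 or the poster's code: it builds the authorize request for the hybrid client in the question with `prompt=login` and `max_age`, and checks `auth_time` on the client side so a stale IdP session is rejected even if the IdP did not re-prompt. It assumes the authorize endpoint lives at `{authority}/connect/authorize` and that `claims` come from an id_token whose signature and nonce your OIDC library has already validated.

```python
"""Force interactive re-authentication at the IdP and verify it happened.
Added example, not IdentityServer4 project code. Assumes an authorize endpoint
at {authority}/connect/authorize and claims from an already-validated id_token."""
import urllib.parse


def build_authorize_url(authority, client_id, redirect_uri, scopes, state, nonce,
                        *, max_age=None, force_login=False):
    params = {
        "client_id": client_id,
        "response_type": "code id_token",   # hybrid grant, as in the client config above
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    if force_login:
        # prompt=login: the IdP must ask for credentials even if its session cookie is alive
        params["prompt"] = "login"
    if max_age is not None:
        # max_age=n: the IdP re-authenticates when the last login is older than n seconds
        # and must then return auth_time in the id_token
        params["max_age"] = str(max_age)
    return f"{authority.rstrip('/')}/connect/authorize?" + urllib.parse.urlencode(params)


def authorize_params(url):
    """Query parameters of an authorize URL as single values (for inspection)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


def authentication_is_fresh(claims, max_age, now):
    """Client-side check: reject a session whose auth_time is missing, in the future,
    or older than max_age seconds. A missing auth_time after a max_age request means
    the IdP did not honour it, so fail closed rather than trust the session."""
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    return 0 <= now - auth_time <= max_age


if __name__ == "__main__":
    url = build_authorize_url("https://ids.example", "mvc", "https://app.example/signin-oidc",
                              ["openid", "profile", "offline_access"], "state-1", "nonce-1",
                              max_age=240, force_login=True)
    print(url)
    print(authentication_is_fresh({"auth_time": 1000}, 240, 1200))
```

Setting `max_age` to the absolute refresh token lifetime (240 in the question) ties the interactive login cadence to the token lifetime without having to shorten the IdP's own session; the `auth_time` check is what makes the client enforce it rather than merely request it.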

Refresh token revocation in Azure AD B2C

In my AD B2C application, I need to revoke all refresh tokens given by AD B2C for a user. This is a requirement to implement, as a user account may be logged in to multiple apps and in one app the user changes the password. When the password is changed, I have to revoke all of his refresh tokens given to the other apps.
How to do that?
Update:
I have tried the following:
B2C - Get Token By Policy
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly through the tenant, not from a sign-up policy).
b) Tried to get a new access token and refresh token using the token endpoint and grant_type refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and the client credential flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
d) The above token revoke API call is successful; tried step (b).
e) Still able to get new tokens from step (b).
B2C - Get Token By Policy - Revoke using GA account
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/authorize
https://login.microsoftonline.com/te/tenantname.onmicrosoft.com/b2c_1a_policyname/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly through the tenant, not from a sign-up policy).
b) Tried to get a new access token and refresh token using the token endpoint and grant_type refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and it is done by logging into the Graph API explorer using a GA account created directly in the tenant.
d) The above token revoke API call is successful; tried step (b).
e) Still able to get new tokens from step (b).
B2C - Get Token Without Policy
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly through the tenant, not from a sign-up policy).
b) Tried to get a new access token and refresh token using the token endpoint and grant_type refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
and the client credential flow (an application registered in the AD blade of the AD B2C tenant and given access to the Graph API).
d) The above token revoke API call is successful; tried step (b).
e) Not able to get new tokens from step (b).
B2C - Get Token Without Policy - Revoke using GA account
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/authorize
https://login.microsoftonline.com/tenantname.onmicrosoft.com/oauth2/v2.0/token
a) Got an access token and refresh token using an AD B2C user account (created directly through the tenant, not from a sign-up policy).
b) Tried to get a new access token and refresh token using the token endpoint and grant_type refresh_token -> able to get tokens.
c) Revoked the tokens using https://graph.windows.net/myorganization/users/xxxxx-userObjectID-xxxx/invalidateAllRefreshTokens?api-version=1.6
It is done by logging into the Graph API explorer using a GA account created directly in the tenant.
d) The above token revoke API call is successful; tried step (b).
e) Still able to get new tokens from step (b).
Basically, not able to revoke the tokens created from the B2C policy workflow.
Solution:
The refresh token revoke Graph API is working, but it takes around 5 minutes to do that.
But the problem here is that during the waiting period I am able to get a new refresh token and access token, and those new refresh tokens are working even after revocation. Which means Azure AD considered the request time of the refresh token revoke API call and revoked all refresh tokens issued before that time.
So how to avoid that?
When a new access token is requested with the offline scope using an existing refresh token, why does Azure AD provide a new refresh token even though the existing refresh token still has validity time?
You can invalidate all of the refresh tokens for a specific user using the Azure AD Graph API:
POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version=1.6
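Both this answer and the Revoke-AzureADUserAllRefreshToken answer earlier on the page treat revocation as a single call, while the asker's own findings show it only takes effect after a delay, during which freshly minted refresh tokens survive. The following is an added example, not the poster's or Microsoft's code: it issues the revoke call from this answer and then confirms revocation by polling the token endpoint with the token that was supposed to be revoked, instead of trusting the HTTP 204. It assumes an app-only Graph bearer token in `graph_token`, the v2.0 token endpoint, and an injectable `post(url, headers, form) -> (status, json)` transport; `FakeDirectory` and `FakeClock` are constructed so the block runs offline and reproduces the delayed, timestamp-based enforcement the question describes.

```python
"""Revoke a user's refresh tokens and confirm the revocation has actually taken
effect. Added example, not the poster's code; assumes the AAD Graph endpoint from
the answer above and an injectable post(url, headers, form) -> (status, json)."""
import time

INVALIDATE_URL = ("https://graph.windows.net/myorganization/users/{user_id}"
                  "/invalidateAllRefreshTokens?api-version=1.6")
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def revoke_all_refresh_tokens(post, graph_token, user_id):
    status, _ = post(INVALIDATE_URL.format(user_id=user_id),
                     {"Authorization": "Bearer " + graph_token}, None)
    return status in (200, 204)


def refresh_still_works(post, tenant, client_id, refresh_token, scope):
    status, body = post(TOKEN_URL.format(tenant=tenant), {}, {
        "grant_type": "refresh_token", "client_id": client_id,
        "refresh_token": refresh_token, "scope": scope})
    return status == 200 and "access_token" in body


def wait_for_revocation(post, tenant, client_id, refresh_token, scope,
                        *, timeout, interval, sleep=time.sleep, clock=time.monotonic):
    """Poll with the token that should be dead until the endpoint refuses it.
    Returns (revoked, attempts)."""
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        if not refresh_still_works(post, tenant, client_id, refresh_token, scope):
            return True, attempts
        if clock() >= deadline:
            return False, attempts
        sleep(interval)


class FakeClock:
    def __init__(self, t=0.0): self.t = t
    def __call__(self): return self.t
    def sleep(self, s): self.t += s


class FakeDirectory:
    """Constructed stand-in for Graph + the token endpoint. A revoke is recorded at
    once but enforced only `propagation` seconds later, and it only rejects refresh
    tokens issued before the revoke timestamp; each successful refresh mints a new
    refresh token stamped with the current time (the behaviour the question reports)."""
    def __init__(self, clock, propagation):
        self.clock, self.propagation = clock, propagation
        self.revoked_at = None
        self.issued = {"rt-original": clock()}

    def __call__(self, url, headers, form):
        if "invalidateAllRefreshTokens" in url:
            self.revoked_at = self.clock()
            return 204, {}
        issued_at = self.issued.get(form["refresh_token"])
        if issued_at is None:
            return 400, {"error": "invalid_grant"}
        enforced = self.revoked_at is not None and self.clock() >= self.revoked_at + self.propagation
        if enforced and issued_at < self.revoked_at:
            return 400, {"error": "invalid_grant", "error_description": "refresh token revoked"}
        new_rt = f"rt-{len(self.issued)}"
        self.issued[new_rt] = self.clock()
        return 200, {"access_token": "at", "refresh_token": new_rt, "expires_in": 3600}


def run_demo():
    clock = FakeClock(0.0)
    post = FakeDirectory(clock, propagation=300)   # roughly the 5 minutes the question reports
    tenant, client, scope = "contoso.onmicrosoft.com", "client-id", "openid offline_access"
    clock.sleep(100)
    revoke_ok = revoke_all_refresh_tokens(post, "graph-token", "user-object-id")
    clock.sleep(1)
    # Inside the propagation window the old token still refreshes, and mints rt-1
    during_window = refresh_still_works(post, tenant, client, "rt-original", scope)
    revoked, attempts = wait_for_revocation(post, tenant, client, "rt-original", scope,
                                            timeout=600, interval=60,
                                            sleep=clock.sleep, clock=clock)
    # The token minted inside the window post-dates the revoke timestamp and survives it
    window_token_survives = refresh_still_works(post, tenant, client, "rt-1", scope)
    return {"revoke_call_ok": revoke_ok, "refresh_during_window": during_window,
            "revoked_eventually": revoked, "attempts": attempts,
            "window_token_survives": window_token_survives}


if __name__ == "__main__":
    print(run_demo())
```

The poll is deliberately done with the original token, since a successful refresh during the window hands back a new refresh token that the revocation never covers; a client that verifies with whatever token it last received will conclude, wrongly, that revocation worked.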

Microsoft Graph Admin Consent Flow Doesn't Contain Refresh Token

Is it possible to get refresh token also in the admin consent flow?
I've received an access_token but not a refresh_token, even though I've included the offline_access permission in the delegated permissions.
To be more clear: I need to get to the users' drive files (i.e. get/update files) of the entire tenant (organization). Therefore I'm requesting Application Permissions and using the admin consent endpoint.
Therefore I use the client_credentials grant in order to get the entire-tenant access_token, but unfortunately with no refresh_token in order to extend the time of privileges on the tenant for more than 1 hour.
If I misuse the protocols above, clarification will be highly appreciated.
While Marc's answer is correct, I think the whole thing can be explained in a little more detail:
To get full access to a tenant (i.e. not just resources associated with the current consenting user), then you need to use the Admin Consent flow. However, unlike other flows in Graph's OAuth, you do not require a refresh_token to maintain access. Instead, you can simply request an access_token at any time once an admin has consented. Each access_token lasts 60 minutes.
Having first used other flows such as the Management API and Graph's Code Grant flow, this one confused me, but it's actually even simpler than those.
To get consent, simply direct the admin to the following URL:
https://login.microsoftonline.com/[Their Tenant ID]/adminconsent?client_id=[Your Client ID]&redirect_uri=[Your Redirect URI]
Your redirect URI will get a response with params:
?admin_consent=True&tenant=[Their Tenant ID]
Once you've received this confirmation, you can request an access_token at any time by sending a POST request with the following form fields:
client_id: [Your Client ID],
client_secret: [Your Client Secret],
scope: 'https://graph.microsoft.com/.default',
grant_type: 'client_credentials'
To the following URI:
https://login.microsoftonline.com/[Their Tenant ID]/oauth2/v2.0/token
The response will contain a new 60 minute access_token and you can simply call it again whenever required.
Refresh Tokens are only returned when both offline_access is requested and you are using the Authorization Code Grant.
More importantly, if you are receiving an access_token then you are not executing the Admin Consent workflow. Administrative Consent is only used for consenting to your application's scopes. The Admin Consent response does not contain an access_token, it only contains the Tenant ID (for the tenant that was consented) and a boolean that tells you if consent was granted as query parameters:
http://{return_uri}/?tenant=[tenant id]&admin_consent=[True/False]
If you are receiving an access_token then you are using either the Authorization Code, Client Credentials, or Implicit grants.
UPDATE:
There is no refresh token issued for Client Credentials, you simply request a new token from the /token endpoint as needed.
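The answers above describe the admin consent redirect and the client_credentials request as two separate steps with no refresh token in between. The following is an added example, not the answers' or Microsoft's code: it builds the consent URL, validates the callback (including a `state` value, which is an assumption added here for CSRF binding and is not shown in the answer), and then serves app-only tokens from a small cache that re-requests near expiry, since there is nothing to refresh. It assumes the adminconsent and v2.0 token endpoints quoted in the answer and an injectable `post(url, form) -> dict` transport; `FakeTokenEndpoint` and the callback query strings are constructed so the block runs offline.

```python
"""Admin consent callback handling plus client_credentials tokens that are
re-requested, not refreshed. Added example, not the answers' code; assumes the
endpoints quoted above and an injectable post(url, form) -> dict transport."""
import time
import urllib.parse


def admin_consent_url(tenant, client_id, redirect_uri, state):
    query = urllib.parse.urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}"


def parse_consent_callback(query_string, expected_state):
    """Validate the redirect back from /adminconsent and return the consenting
    tenant id. No token arrives here; admin_consent=True is only permission to
    ask the token endpoint later."""
    params = dict(urllib.parse.parse_qsl(query_string.lstrip("?")))
    if params.get("state") != expected_state:   # assumption: state round-trips unchanged
        raise ValueError("state mismatch: callback not bound to our request")
    if "error" in params:
        raise PermissionError(params.get("error_description", params["error"]))
    if params.get("admin_consent") != "True":
        raise PermissionError("admin did not grant consent")
    return params["tenant"]


class AppOnlyTokenSource:
    """client_credentials tokens for one consented tenant. There is no refresh_token
    in this grant; a token inside `skew` seconds of expiry is simply re-requested."""
    TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

    def __init__(self, post, tenant, client_id, client_secret, *, clock=time.time, skew=300):
        self.post, self.tenant = post, tenant
        self.client_id, self.client_secret = client_id, client_secret
        self.clock, self.skew = clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token and self._expires_at - self.clock() > self.skew:
            return self._token
        resp = self.post(self.TOKEN_URL.format(tenant=self.tenant), {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": "https://graph.microsoft.com/.default",  # every app permission the admin consented to
            "grant_type": "client_credentials",
        })
        if "error" in resp:
            raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
        self._token = resp["access_token"]
        self._expires_at = self.clock() + int(resp["expires_in"])
        return self._token


class FakeTokenEndpoint:
    """Constructed offline stand-in: numbers each token it issues, never returns a refresh_token."""
    def __init__(self):
        self.calls = 0

    def __call__(self, url, form):
        assert form["grant_type"] == "client_credentials"
        self.calls += 1
        return {"token_type": "Bearer", "expires_in": 3600, "access_token": f"tok-{self.calls}"}


def run_demo():
    callback = "?admin_consent=True&tenant=11111111-2222-3333-4444-555555555555&state=s1"
    tenant = parse_consent_callback(callback, "s1")
    now = [1_000_000.0]
    endpoint = FakeTokenEndpoint()
    source = AppOnlyTokenSource(endpoint, tenant, "client-id", "client-secret", clock=lambda: now[0])
    tokens = [source.get(), source.get()]     # second call is served from the cache
    now[0] += 3400                            # now within 300 s of expiry: re-request
    tokens.append(source.get())
    try:
        parse_consent_callback("?admin_consent=False&tenant=x&state=s1", "s1")
        declined_rejected = False
    except PermissionError:
        declined_rejected = True
    return {"tenant": tenant, "tokens": tokens, "calls": endpoint.calls,
            "declined_rejected": declined_rejected}


if __name__ == "__main__":
    print(admin_consent_url("common", "client-id", "https://app.example/consent", "s1"))
    print(run_demo())
```

The cache key is the tenant, so a multi-tenant app keeps one `AppOnlyTokenSource` per consented tenant; the consented tenant id from the callback, not a value from the request, is what selects the token endpoint.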
