I struggle with getting the refresh tokens to work for certain authentication providers in Azure App Service using a Mobile App. CGillum has written a great post (http://cgillum.tech/2016/03/07/app-service-token-store/) on this and when following that post I get the refresh method to work like a charm for Microsoft Accounts but I struggle with refreshing the access tokens for Facebook and Google. Our application (Xamarin Forms) is using Microsoft Account, Google and Facebook as authentication providers. With your instructions in the post it works like a charm for Microsoft Account.

For Google, when setting access_mode=offline in the LoginAsync call, I am still unable to refresh my access tokens, and I get an error in the streaming logs from Azure that points to where the problem lies, but I cannot understand what to do. For Facebook I get the same kind of error in the logs, but I do not know how to request offline access, so here the problem is more of 'how do I request offline access for Facebook'.

The error is as follows: Logging in with Google renders the following log entries (removed some details....)

    2016-03-29T14:45:12 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/login/google?access_mode=offline
    2016-03-29T14:45:12 PID[5536] Information Redirecting: https://accounts.google.com/o/oauth2/v2/auth?response_type............
    2016-03-29T14:45:38 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/login/google/callback?state=nonce%3Dfd.......
    2016-03-29T14:45:38 PID[5536] Verbose Calling into external HTTP endpoint POST https://www.googleapis.com/oauth2/v4/token.
    2016-03-29T14:45:38 PID[5536] Information Login completed for 'nnn@nnn.com'. Provider: 'google'.
    2016-03-29T14:45:38 PID[5536] Verbose Writing 'AppServiceAuthSession' cookie for site 'nnn.azurewebsites.net'. Length: 664.
    2016-03-29T14:45:38 PID[5536] Information Redirecting: https://nnn.azurewebsites.net/.auth/login/done#token=%7B%22authenticationToken%22%3A %22eyJ0e........
    2016-03-29T14:45:39 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/login/done
    2016-03-29T14:45:39 PID[5536] Information Sending response: 200.0 OK

Then when trying to call the refresh method the following is written in the logs:

    2016-03-29T14:53:14 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/refresh
    2016-03-29T14:53:14 PID[5536] Verbose JWT validation succeeded. Subject: 'sid:cc7e265f97060b2b067367d1ee02d808', Issuer: 'https://nnn.azurewebsites.net/'.
    2016-03-29T14:53:14 PID[5536] Warning The refresh request issued by sid:cc7e265f97060b2b067367d1ee02d808 (SID: 37776b6cabedf8ff38df56de2e5db739) failed because no refresh tokens were found in the token store.
    2016-03-29T14:53:14 PID[5536] Information Sending response: 400.80 Bad Request

The token store is enabled for the service and it works perfectly for Microsoft Accounts. Does anyone have any clue as to what goes wrong and what to do in order to get refresh for access tokens using Google going?

How to enable refresh tokens for Facebook?

The code used for refreshing the access token and thus producing the output in the Azure logs above is:

    public async Task<bool> RefreshAccessToken()
    {
        // http://cgillum.tech/2016/03/07/app-service-token-store/
        // Calling /.auth/refresh will update the tokens in the token store
        // and will also return a new mobile authentication token.
        JObject refreshJson = (JObject)await App.m_azureMSClient.InvokeApiAsync("/.auth/refresh", HttpMethod.Get, null);

        string newToken = refreshJson["authenticationToken"].Value<string>();
        App.m_azureMSClient.CurrentUser.MobileServiceAuthenticationToken = newToken;
        App.Current.Properties[App.m_propNameAuthToken] = newToken; // persist it

        return true;
    }
Can you please add the code you are using? Thanks! - cramopy

I suggest asking two separate questions instead of combining them into one: one for obtaining Google refresh tokens and one for whether it's possible to refresh Facebook tokens. - Chris Gillum

I am getting this same error with a service using Microsoft accounts. Is there any special config required on the client / aad / service to enable refresh tokens? - user381624

For Microsoft Accounts (not AAD) you need to enable the wl.offline_access scope in the Microsoft Account Authentication Settings for your Azure Mobile App (or the kind of app you have); this setting will enable the refresh tokens. - Hasse

1 Answer

Token Refresh for Facebook is not supported in App Service. The tokens last for 60 days, however, so there is less of a need for this capability since you can require the user to log in interactively once every 60 days (and it should succeed immediately in most cases).

If you strongly need to be able to refresh Facebook tokens, another option you have is to use the Facebook SDK, which automatically handles refresh for you. More information here: https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension. In this case, you can log in again using the non-interactive login of mobile apps (also known as client-directed login) in order to get up-to-date authentication tokens for calling your APIs.

EDIT: Regarding Google, it looks like your query string may be wrong. Try access_type=offline. It looks like you are specifying access_mode=offline, which is not correct.
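
A log check for the parameter mismatch pointed out in the EDIT above, as an added example that is not part of the original answer or of App Service itself: it scans streaming-log text for Google login requests that lack `access_type=offline` and for the refresh failures that follow. The function name `audit` and the last sample line are constructed for illustration; the other sample lines are copied from the question.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample input: first four lines copied from the question's log,
# the last line is constructed to show a corrected login request.
SAMPLE_LOG = """\
2016-03-29T14:45:12 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/login/google?access_mode=offline
2016-03-29T14:45:38 PID[5536] Information Login completed for 'nnn@nnn.com'. Provider: 'google'.
2016-03-29T14:53:14 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/refresh
2016-03-29T14:53:14 PID[5536] Warning The refresh request issued by sid:cc7e265f97060b2b067367d1ee02d808 (SID: 37776b6cabedf8ff38df56de2e5db739) failed because no refresh tokens were found in the token store.
2016-03-29T15:02:01 PID[5536] Verbose Received request: GET https://nnn.azurewebsites.net/.auth/login/google?access_type=offline
"""

LINE = re.compile(r"^(\S+) PID\[\d+\] (\w+) (.*)$")          # timestamp, level, message
REQUEST = re.compile(r"^Received request: GET (\S+)$")
REFRESH_FAIL = re.compile(
    r"refresh request issued by (sid:\w+) .*no refresh tokens were found")


def audit(log_text):
    """Return (timestamp, finding) pairs for offline-access problems."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, msg = m.groups()
        req = REQUEST.match(msg)
        if req:
            url = urlsplit(req.group(1))
            # Only the initial login request carries the client's parameters;
            # /callback and /done have different paths and are skipped.
            if url.path == "/.auth/login/google":
                params = parse_qs(url.query)
                if params.get("access_type") != ["offline"]:
                    sent = ", ".join(sorted(params)) or "none"
                    findings.append((ts, "google login without "
                                     "access_type=offline (parameters sent: %s)" % sent))
            continue
        fail = REFRESH_FAIL.search(msg)
        if fail:
            findings.append((ts, "refresh failed for %s: no refresh token stored"
                             % fail.group(1)))
    return findings


if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_LOG):
        print(ts, finding)
```
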