2
votes

We are integrating the Office 365 functionality into our application through the MS Graph REST API and we are currently having trouble with the validation of refresh tokens. This is the error response from the server on an invalid request:

"error":"invalid_grant","error_description":"AADSTS70002: Error validating credentials. AADSTS70008: The refresh token has expired due to inactivity.??The token was issued on 2016-04-27T11:44:49.4826901Z and was inactive for 14.00:00:00.

This is annoying because we need the users to acquire their credentials again by logging in on Microsoft's servers.

Is there any option to avoid the refresh token being invalidated due to inactivity? Or to make this expiration longer?


2 Answers

3
votes

Refresh tokens have a finite lifetime. If a new token (and refresh token) isn't requested before that time they will expire. Once this happens the user must re-authenticate.

If you need to have perpetual access to the account, you will need to manually refresh the token periodically. You may want to look at this article. It covers the basics of how v2 Endpoint works (and the various token lifetimes).

In most of my implementations I use a queue to handle refreshing tokens. I queue each token to be refreshed at 10 days. If it fails I resubmit it to the queue. If it is still failing at day 12 I email the user to inform them there was an issue and they will need to re-authenticate.

UPDATE

Refresh token lifetime was recently changed to until-revoked. You can read about the change here.

1
votes

This is general OAuth (not AAD-specific): obtaining an access token is a 2-step process. The first step is to obtain an auth code, which requires the user to authenticate. The second step is to redeem an access token and a refresh token from the auth code. This second step is purely programmatic, i.e. the user need not be present. The app can keep repeating the second step, i.e. redeeming a new access token and a new refresh token from the latest refresh token, without the user even knowing about it.

Your app should schedule frequent 'refreshes' of the refresh token. You can do this at any time while the app is running.

If the user doesn't use the app for an extended period of time, like about 2 weeks (I believe), the refresh token would naturally expire. If you want to avoid that, you'll have to schedule a dedicated job to refresh the token.

Zlatko
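Both answers describe the same mechanism: keep redeeming the latest refresh token with the `refresh_token` grant before the inactivity window closes, and tell the user to sign in again only when that stops working. The following is an added example (not code from either answerer or from Microsoft) that puts the first answer's 10-day/12-day queue and the second answer's refresh loop into one scheduler. The v2 token endpoint URL pattern is real, but the `common` tenant, the client id and the scope string are placeholders, the 6-hour retry interval is an assumption the answers do not give, and the token endpoint used in `simulate()` is a constructed stand-in so the code runs offline; swap in `post_form` to talk to the real endpoint.

```python
"""Proactive refresh-token rotation with retry and user notification.

Added example. Tenant, client id and scope are placeholders; RETRY_DELAY is
an assumption (the answer gives no value); simulate() uses a constructed
fake token endpoint instead of Azure AD.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # "common" = placeholder tenant
REFRESH_AFTER = timedelta(days=10)   # answer: refresh each token at day 10
GIVE_UP_AFTER = timedelta(days=12)   # answer: notify the user at day 12
RETRY_DELAY = timedelta(hours=6)     # assumption: not stated in the answer


@dataclass
class TokenRecord:
    user: str
    refresh_token: str
    issued_at: datetime      # when this refresh token was issued
    next_attempt: datetime   # when the scheduler will next try to rotate it
    failures: int = 0


def build_refresh_request(client_id: str, refresh_token: str, scope: str) -> bytes:
    """Form body of the refresh_token grant (RFC 6749 section 6)."""
    return urllib.parse.urlencode({"client_id": client_id, "grant_type": "refresh_token",
                                   "refresh_token": refresh_token, "scope": scope}).encode()


def post_form(url: str, body: bytes) -> Dict:
    """Real transport: POST the form body and decode the JSON token response."""
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


class RefreshScheduler:
    """Queue of refresh tokens that are rotated before they go stale."""

    def __init__(self, client_id: str, scope: str,
                 transport: Callable[[str, bytes], Dict] = post_form,
                 notify: Callable[[str, str], None] = lambda user, why: print(user, why)):
        self.client_id, self.scope = client_id, scope
        self.transport, self.notify = transport, notify
        self.queue: List[TokenRecord] = []

    def enqueue(self, user: str, refresh_token: str, issued_at: datetime) -> TokenRecord:
        rec = TokenRecord(user, refresh_token, issued_at, issued_at + REFRESH_AFTER)
        self.queue.append(rec)
        return rec

    def run_due(self, now: datetime) -> None:
        """One scheduler tick: rotate every record whose attempt time has come."""
        for rec in list(self.queue):
            if rec.next_attempt > now:
                continue
            try:
                resp = self.transport(TOKEN_URL, build_refresh_request(
                    self.client_id, rec.refresh_token, self.scope))
                if "error" in resp:
                    raise RuntimeError(resp.get("error_description", resp["error"]))
                # Success: the old refresh token is consumed; store the new one
                # and restart the inactivity clock.
                rec.refresh_token = resp["refresh_token"]
                rec.issued_at, rec.next_attempt, rec.failures = now, now + REFRESH_AFTER, 0
            except Exception as exc:  # network error, invalid_grant, malformed response
                rec.failures += 1
                if now - rec.issued_at >= GIVE_UP_AFTER:
                    self.notify(rec.user, str(exc))   # user has to sign in again
                    self.queue.remove(rec)
                else:
                    rec.next_attempt = now + RETRY_DELAY


def simulate() -> Dict:
    """Constructed offline run: alice's token rotates, bob's was revoked server-side."""
    live, issued = {"rt-alice-1"}, [1]

    def fake_token_endpoint(url: str, body: bytes) -> Dict:
        form = urllib.parse.parse_qs(body.decode())
        if form.get("grant_type") != ["refresh_token"]:
            raise ValueError("unexpected grant_type")
        old = form["refresh_token"][0]
        if old not in live:   # error shape copied from the question's response
            return {"error": "invalid_grant", "error_description":
                    "AADSTS70008: The refresh token has expired due to inactivity."}
        live.discard(old)     # server rotates: the redeemed token is now dead
        issued[0] += 1
        live.add(f"rt-alice-{issued[0]}")
        return {"access_token": "at-constructed", "refresh_token": f"rt-alice-{issued[0]}",
                "expires_in": 3600}

    notified: List[str] = []
    sched = RefreshScheduler("client-id-placeholder", "https://graph.microsoft.com/.default offline_access",
                             transport=fake_token_endpoint, notify=lambda user, why: notified.append(user))
    t0 = datetime(2016, 4, 27, 11, 44, 49, tzinfo=timezone.utc)   # issue time from the question
    alice, bob = sched.enqueue("alice", "rt-alice-1", t0), sched.enqueue("bob", "rt-bob-revoked", t0)
    for hour in range(13 * 24 + 1):                                 # hourly ticks for 13 days
        sched.run_due(t0 + timedelta(hours=hour))
    return {"alice_token": alice.refresh_token, "bob_failures": bob.failures,
            "queue": [r.user for r in sched.queue], "notified": notified}


if __name__ == "__main__":
    print(simulate())
```

In the simulated run alice's token is rotated once at day 10 and stays queued for the next cycle, while bob's revoked token fails at day 10, is retried every six hours, and is dropped with a notification at day 12. The point to keep in mind when wiring this to the real endpoint is that every successful refresh returns a new refresh token and invalidates the one you sent, so the new value must be persisted before the next tick, and each token needs its own inactivity clock.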