How to refresh an ID Token from Azure AD in a Web App?

6
votes

I'm trying to set up an Azure Web App to to authenticate with Azure AD and refresh ID Token behind the scenes automatically. A great blog post helped me understand how the whole thing works: https://cgillum.tech/2016/03/07/app-service-token-store/

And this guide linked from it helped me set it up: http://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/

It seems enabling refresh tokens for Azure AD authentication isn't that simple so as recommended I used the aforementioned guide to set it up as if it were for GraphApi.

The problem I'm having is even after calling the ".auth/refresh" endpoint and then calling the ".auth/me" endpoint, the only token which is refreshed is the Access Token. That token is of no use to me since I use the Id Token when communicating with my backend server (using an "Authorization Bearer" header).

So how do I get the Id Token to refresh as well?

1
azure-web-app-serviceazure-active-directory

1 Answers

7
votes

Unfortunately AAD does not support refreshing the ID token. Only the access token can be refreshed. See here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-oauth-code/#refreshing-the-access-tokens

But even if it could be refreshed, it's more correct to use an access token when authenticating with another service, so I suggest changing your apps to work this way. The claims on the access token and the id_token are very similar so it should not be a very disruptive change.