1
votes

I am developing a web app that is supposed to access contact and other information for users with their Outlook or Office 365 accounts and I am having some issues with offline_access to Office365 accounts.

Upon initial authentication the code works fine and I am able to access all I need for both Outlook and Office 365 accounts.

The inconsistency shows up after the initial access token had expired. For Outlook accounts I can always refresh the access token, while for Office 365 accounts the exact same code fails with "400 Bad Request" error.

It feels like there should be something different done for the Office 365 accounts when refreshing the access token but I cannot figure out what.... I am not even sure how to tell if the users have used an Outlook vs. Office 365 account, but I can figure this out later.

The authority URL I use is https://login.microsoftonline.com/common/oauth2/v2.0/token and I thought that perhaps it should be different for Outlook and Office 365 but everything else appears to be working for both account types except for the refresh_token request.

Appreciate your help! Thanks!

1
Can you post an example refresh request? Maybe we can spot what's wrong. - Jason Johnston

Well, thank you! Now I feel stupid but I have solved the problem. It turned out the redirect_url sent in the refresh request did not include my host name. ... The funny thing is that for the outlook.com accounts this does not appear to matter at all while for the Office365 account it was a problem. Weird.... - Jeff Kanazi

Ah ok, yes it's best to include the entire URL there :). You should post that as the answer. - Jason Johnston

1 Answer

0
votes

This is weird but the solution to the problem is in making sure the redirect_url parameter used in the refresh token request matches exactly the registered redirect url including the host name.

Amazingly this is true only for Office 365 accounts and only for refresh token requests. It looks like all other APIs for both Outlook and Office 365 accounts do not care about the supplied redirect URL and use whatever was registered for the app instead.
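
A pre-flight check for the mismatch described in this answer, as an added example that is not part of the original post: it refuses to build a refresh request unless the redirect URL is absolute and identical to a registered one, and it summarises a 400 response from the standard OAuth error fields. The host name, client values and error body are constructed samples, and the redirect URL is sent under the OAuth parameter name `redirect_uri`.

```python
import json
from urllib.parse import urlencode, urlsplit

# Token endpoint quoted in the question.
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
# Constructed sample: the redirect URL(s) registered for the app.
REGISTERED = ["https://app.example.com/auth/callback"]


def check_redirect_uri(candidate, registered):
    """Return None if candidate is safe to send, otherwise the reason it is not."""
    parts = urlsplit(candidate)
    if not parts.scheme or not parts.netloc:
        return "redirect_uri is not absolute (scheme or host name missing)"
    if candidate not in registered:
        return "redirect_uri does not exactly match a registered redirect URL"
    return None


def build_refresh_body(client_id, client_secret, refresh_token, scope,
                       redirect_uri, registered):
    """Form-encoded POST body for a refresh_token grant; refuses a bad redirect_uri."""
    problem = check_redirect_uri(redirect_uri, registered)
    if problem:
        raise ValueError(problem)
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
        "redirect_uri": redirect_uri,
    })


def describe_token_error(status, body_text):
    """Log-safe summary of a failed token response (RFC 6749 section 5.2 fields only)."""
    try:
        err = json.loads(body_text)
        return f"{status}: {err.get('error', 'unknown')}: {err.get('error_description', '')}"
    except (ValueError, AttributeError):
        return f"{status}: error body is not a JSON object"


if __name__ == "__main__":
    print("POST", TOKEN_URL)
    for uri in ("/auth/callback", "https://app.example.com/auth/callback"):
        print(repr(uri), "->", check_redirect_uri(uri, REGISTERED) or "ok")
    print(describe_token_error(400, '{"error": "invalid_grant", "error_description": "constructed sample"}'))
```

The comparison is deliberately an exact string match, so a trailing slash or a different scheme is rejected before the request leaves the app.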