
I have registered a multitenant app at https://apps.dev.microsoft.com since the "admin consent" prompt wasn't available in the Azure AD apps. Admin consent is required for our app to retrieve info about users and their calendars.

I can provide admin consent from a completely different tenant than what this app is registered from and use the provided access token to retrieve all necessary information, however that obviously expires after an hour and we need offline access.

I have tried using the tenantId instead of 'common' in the https://login.windows.net/common/oauth2/token endpoint, but I receive the same message as below.

The following is the data being submitted to the token endpoint in json format (converted within node to form encoded format before submitting):

{
  grant_type: 'refresh_token',
  client_id: 'e5c0d59d-b2c8-4916-99ac-3c06d942b3e3',
  client_secret: '(redacted)',
  refresh_token: '(redacted)',
  scope: 'openid offline_access calendars.read user.read.all'
}

When I try to refresh the access token I receive an error:

{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'e5c0d59d-b2c8-4916-99ac-3c06d942b3e3'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 2bffaa08-8c56-4872-8f9c-985417402e00\r\nCorrelation ID: c7653601-bf96-46c3-b1ff-4857fb25b7dc\r\nTimestamp: 2017-03-22 02:17:13Z",
  "error_codes": [65001],
  "timestamp": "2017-03-22 02:17:13Z",
  "trace_id": "2bffaa08-8c56-4872-8f9c-985417402e00",
  "correlation_id": "c7653601-bf96-46c3-b1ff-4857fb25b7dc"
}

This error occurs even when standard consent is used. I have also tried using the node-adal library instead of raw http requests which produces the exact same result.

I note that "offline_access" isn't a permission I am able to set within the MS apps portal, however I would guess the fact that I am getting a refresh token back means that I can refresh the access token?

For the record, the following is the node-adal code I used to see if I was doing something wrong:

var AuthenticationContext = require('adal-node').AuthenticationContext;

var self = this;

// Authority: the 'common' endpoint (a tenant-specific authority,
// https://login.windows.net/<tenantId>, was also tried with the same result).
var authenticationContext = new AuthenticationContext('https://login.windows.net/common');
authenticationContext.acquireTokenWithRefreshToken(
    self.refreshToken,
    self.clientId,
    self.clientSecret,
    'https://graph.microsoft.com/',      // resource the new access token is for
    function(err, tokenResponse) {       // adal-node callback is (error, response)
        if (err) {
            console.log('refresh failed:', err.message);
            return;
        }
        console.log(tokenResponse);
    }
);

Any help in getting this refresh process working is appreciated!


1 Answer


Please ensure that the tenant you are using for refreshing the token is the same as the tenant you requested the access_token from.

The refresh token request works well for me except in the scenario below:

  1. register the app from the portal using a Microsoft account
  2. user1 is in tenant1
  3. add user1 as the external users to tenant2
  4. request the access_token/refresh_token from tenant1(OK)
  5. try to refresh the token using tenant1 in the request(OK)
  6. try to refresh the token using tenant2 in the request(same error message)