2
votes

I am accessing Microsoft Graph on behalf of other users who have authenticated with OAuth2. Things were running fine, but after 90 days, I get the error "AADSTS70008: The refresh token has expired due to inactivity."

But it should not have been inactive. Resources for the users are accessed multiple times daily, and when the Access Token expires, the Refresh Token is used to get a new one, which works just as expected.

If using the Refresh Token to acquire a new Access Token is not "activity" for the Refresh Token, then what is?

1 Answer

1
votes

According to the documentation, a Refresh Token will automatically expire if the user hasn't entered their credentials for 90 days:

"A single refresh token is valid for a maximum of 14 days. However, the refresh token might become invalid at any time for various reasons, so your app should continue to try to use a refresh token until it fails, or until your app replaces it with a new refresh token. A refresh token also becomes invalid if it has been 90 days since the user has entered their credentials."

UPDATE:

It was recently changed to until-revoked. You can read about the change here
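The handling the quoted documentation describes (use a refresh token until it fails or is replaced by a new one), as an added example that is not part of the original question or answer. `TokenStore`, `ReauthRequired` and `apply_token_response` are hypothetical names, the response fields are assumed to follow the OAuth 2.0 token response format (RFC 6749), and the sample responses are constructed.

```python
import time
from dataclasses import dataclass
from typing import Optional


class ReauthRequired(Exception):
    """The refresh token is dead; the user must sign in interactively again."""


@dataclass
class TokenStore:  # hypothetical per-user token record
    access_token: str
    refresh_token: str
    expires_at: float = 0.0


def apply_token_response(store: TokenStore, resp: dict,
                         now: Optional[float] = None) -> TokenStore:
    """Apply one token-endpoint JSON response (RFC 6749 fields) to the store."""
    now = time.time() if now is None else now
    if "error" in resp:
        if resp["error"] == "invalid_grant":
            # Expired or revoked refresh token (AADSTS70008 in the question).
            # Drop both tokens so nothing retries with them, then ask for sign-in.
            store.access_token = store.refresh_token = ""
            raise ReauthRequired(resp.get("error_description", "invalid_grant"))
        # Any other error: keep the stored tokens and let the caller retry later.
        raise RuntimeError("token refresh failed: " + resp["error"])
    store.access_token = resp["access_token"]
    store.expires_at = now + int(resp["expires_in"])
    # Persist the replacement refresh token whenever one is returned;
    # if none is returned, keep using the current one until it fails.
    if resp.get("refresh_token"):
        store.refresh_token = resp["refresh_token"]
    return store


# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
SAMPLE_EXPIRED = {
    "error": "invalid_grant",
    "error_description": "AADSTS70008: The refresh token has expired due to inactivity.",
}

if __name__ == "__main__":
    store = apply_token_response(TokenStore("at-1", "rt-1"), SAMPLE_OK, now=0.0)
    print("stored refresh token:", store.refresh_token)
    try:
        apply_token_response(store, SAMPLE_EXPIRED)
    except ReauthRequired as exc:
        print("interactive sign-in needed:", exc)
```
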