How to refresh a token for Microsoft Graph

问题

I'm connecting to the Microsoft Graph using:

public GraphServiceClient GetAuthenticatedClient(string token)
{
    GraphServiceClient graphClient = new GraphServiceClient(
        new DelegateAuthenticationProvider(
            async (requestMessage) =>
            {
                // Append the access token to the request.
                requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", token);
            }));
    return graphClient;
}

I'm running this code on the server. The token I'm using is being sent to me by an external App.

Everything works great during the first hour, then the token expires.

My question is : How can I get a new token, since I also have access to the refresh token?

回答1:

There are two pieces required to enable Refresh Tokens:

1. You need to request the scope offline_access. This tells the endpoint to provide a refresh_token alongside the access_token and associated metadata.

2. You need to request a new access_token (and refresh_token as they come together) by repeating the same POST to /common/oauth2/v2.0/token with a slightly different body - grant_type is set to refresh_token and instead of a code, you supply a refresh_token property and value:

   https://login.microsoftonline.com/common/oauth2/v2.0/token
   Content-Type: application/x-www-form-urlencoded
   
   grant_type=refresh_token&
   refresh_token=[REFRESH TOKEN]&
   client_id=[APPLICATION ID]&
   client_secret=[PASSWORD]&
   scope=[SCOPE]&
   redirect_uri=[REDIRECT URI]
   

A while back I wrote up a show primer on the v2 Endpoint that you might find helpful as well.

回答2:

There is a way to do this, but it is only recommended for ADAL.NET 2.x to MSAL.NET 2.x migration scenarios, which is outlined here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Adal-to-Msal

Only for client credentials (not auth code).

回答3:

This helped me, when i was not having refreshToken https://docs.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

POST /oauth2/v2.0/token HTTP/1.1 Host: login.microsoftonline.com 
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer  
&client_id=2846f71b-a7a4-4987-bab3-760f389 
&client_secret=BYyVnAt56JpLwUcyo47XODd 
&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs...pa970UvdVfQ 
&scope=https://graph.microsoft.com/user.read+offline_access 
&requested_token_use=on_behalf_of

sample response:

{
    "token_type": "Bearer",
    "scope": "User.Read Mail.Read Mail.Send Calendars.Read",
    "expires_in": 3600,
    "ext_expires_in": 3600,
    "access_token": "EwCAA8l6BAAUO9chh8cJscQLmU+LSWpbnr0v...ZgNcrJkgI=",
    "refresh_token": "MCS3KUzqyCY6rQH*NXLSLQctqj47w...x3Oa4r"
}

回答4:

The correct way to architect this would be to have the external application which provided you the access token to send you a new non expired access token periodically. You should be able to use that access token to perform necessary actions against Microsoft Graph. If the external client application is making service requests, then it should embed a valid non expired access token with every request which you may use.

The refresh token is not intended to be passed along to other applications. Doing so opens up a security vulnerability. Your external application should ideally stop sending over the refresh token.

The other option would be to have your application added as a registered client to Microsoft Graph and then authenticate to it directly. Then you could exchange your own refresh token to get new tokens whenever they expire.

来源：https://stackoverflow.com/questions/51153055/how-to-refresh-a-token-for-microsoft-graph