Using Postman for the Authorisation Code Grant on Server 2016 (ADFS 4.0) is documented here.
Then someone asked me how to extend this to get a new access token using the refresh token.
Recall that the second part of the code grant is to send the code to the /token endpoint, which returns an access token, a refresh token and an ID token.
To get a new access token, we call the same /token endpoint with the parameters above and the refresh token we received in that first exchange.
This returns an access token and an ID token, but not another refresh token. Is that right?
So back to the OAuth spec (RFC 6749), section 6, "Refreshing an Access Token":

"If valid and authorized, the authorization server issues an access token as described in Section 5.1. If the request failed verification or is invalid, the authorization server returns an error response as described in Section 5.2.

The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request."
So that behaviour is correct: issuing a new refresh token is optional ("MAY"), and ADFS chooses not to.
Note that you can use the same refresh token over and over again until it expires, and each time you will get a new access token.
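As an added example (not code from the post), here is the refresh call in Python against an assumed ADFS 4.0 token endpoint and client ID. It keeps the existing refresh token when ADFS returns only a new access token and ID token, and discards it in favour of a new one if the server ever issues one, as the RFC text quoted above requires:

```python
import json
import urllib.parse
import urllib.request

# Assumed ADFS 4.0 token endpoint; replace the host with your federation service.
TOKEN_ENDPOINT = "https://adfs.example.com/adfs/oauth2/token"


def build_refresh_body(client_id, refresh_token):
    """Form-encode the RFC 6749 section 6 refresh request."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }).encode("ascii")


def apply_token_response(stored, response):
    """Merge a /token response into the stored credentials (returns a copy).

    RFC 6749 section 6: the server MAY return a new refresh token; if it does,
    the client MUST discard the old one. ADFS normally returns only a new
    access token and ID token, in which case the old refresh token is kept.
    """
    if "error" in response:
        raise RuntimeError("token refresh failed: %s (%s)" % (
            response["error"], response.get("error_description", "")))
    updated = dict(stored)
    updated["access_token"] = response["access_token"]
    if "id_token" in response:
        updated["id_token"] = response["id_token"]
    if "refresh_token" in response:
        updated["refresh_token"] = response["refresh_token"]
    return updated


def refresh_access_token(stored, client_id, endpoint=TOKEN_ENDPOINT):
    """POST the refresh grant to ADFS and return the updated credential set."""
    req = urllib.request.Request(
        endpoint,
        data=build_refresh_body(client_id, stored["refresh_token"]),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return apply_token_response(stored, json.load(resp))


# Constructed sample response in the shape ADFS returns (note: no refresh_token).
SAMPLE_RESPONSE = {"access_token": "eyJ...A2", "token_type": "bearer",
                   "expires_in": 3600, "id_token": "eyJ...I2"}
```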
There's a good write-up here around configuring the refresh token timeouts etc.
It revolves around the PowerShell cmdlet Get-AdfsRelyingPartyTrust, whose output includes the relevant properties:
Get-AdfsRelyingPartyTrust
Name                        : RP Name
IssueOAuthRefreshTokensTo   : AllDevices
AlwaysRequireAuthentication : False
TokenLifetime               : 960
Enjoy!
3 comments:
Nice writeup.
Do you know if there is still no way of refreshing a refresh token?
For long-running apps like mobile apps, having the user reauthenticate themselves every 24 hours is a bit of a pain. As far as I can tell, ADFS never issues an updated refresh token to keep going.
Any thoughts?
There's a thread here:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/7323360b-0e41-466b-9175-5d6c3991ce42/oauth-refresh-token-and-how-to-refresh-that?forum=ADFS
Is it the same for Outlook ADAL-enabled clients? What are the default values for the access token and refresh token? I mean, if Outlook has authenticated once, after how many days will it ask for the password again?