I've got an access_token from the Azure AD v2.0 endpoint to call the Graph API. But I have to do some actions in the API on behalf of the user. So I need a refresh_token to renew my access_
I got a bit topsy-turvy on this, as well. Explaining a bit more based on my understanding.
Hope this clarifies why TokenCache is the 'new' refresh_token in MSAL.NET, and TokenCache is what you would need to serialize and save. There are libraries like Microsoft.Identity.Client.Extensions.Msal that aid in this.
MSAL .NET does not expose the refresh token, but rather keeps it internal and handles all token refresh and caching logic on the app's behalf.
The docs you're referring to are referencing the protocol itself that MSAL is completing on your behalf. It goes to the /token endpoint with an authorization code (after the end user signs in), and is issued an Access and Refresh token. The Access Token is valid for 1 hour, and when it's expired, AcquireTokenSilent will automatically use the refresh token against the /token endpoint to get a new access token.
TokenCache is basically a JSON object which is served as a byte array when you call SerializeMsalV3(). When you convert the byte array to a string, you will see both the access token and the refresh token. Then you can make an HTTP request to the /token endpoint with this refresh token and grant_type: "refresh_token" as body parameters.
    // Serialize the token cache every time MSAL finishes accessing it.
    byte[] exchangeTokenCacheV3Bytes = null;
    IConfidentialClientApplication capp =
        ConfidentialClientApplicationBuilder.Create(myClientId)
            .WithClientSecret(myclientSecret)
            .Build();
    capp.UserTokenCache.SetAfterAccess((TokenCacheNotificationArgs args) =>
    {
        // MSAL V3 cache format: a JSON document serialized as UTF-8 bytes.
        exchangeTokenCacheV3Bytes = args.TokenCache.SerializeMsalV3();
        // Decoding it shows the cached access and refresh tokens in clear text.
        string jsonString = System.Text.Encoding.UTF8.GetString(exchangeTokenCacheV3Bytes);
    });
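Since the serialized cache holds the refresh token in clear text, it should be persisted the way a credential is. The following is an added example, not code from the answers above: it wires SetBeforeAccess/SetAfterAccess so the cache is stored DPAPI-encrypted for the current Windows user (System.Security.Cryptography.ProtectedData, so Windows only); the class name, cache path and "MyApp" folder are placeholders.

```csharp
// Added example, not from the original answers: persist the MSAL token cache
// encrypted at rest. The bytes SerializeMsalV3() returns are plaintext JSON that
// includes the refresh token, so they deserve the same handling as a credential.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.Identity.Client;
public static class ProtectedTokenCache
{
    // Placeholder path; use a per-user directory with restrictive permissions.
    private static readonly string CachePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyApp", "msal_cache.bin");
    private static readonly object CacheLock = new object();

    public static void Register(ITokenCache cache)
    {
        cache.SetBeforeAccess(BeforeAccess);
        cache.SetAfterAccess(AfterAccess);
    }

    // Before MSAL reads the cache: load the DPAPI-protected blob and decrypt it
    // for the current Windows user only.
    private static void BeforeAccess(TokenCacheNotificationArgs args)
    {
        lock (CacheLock)
        {
            if (!File.Exists(CachePath)) return;
            byte[] protectedBytes = File.ReadAllBytes(CachePath);
            byte[] plain = ProtectedData.Unprotect(protectedBytes, null, DataProtectionScope.CurrentUser);
            args.TokenCache.DeserializeMsalV3(plain);
        }
    }

    // After MSAL touched the cache: rewrite the file only when tokens changed,
    // and never write the plaintext serialization to disk.
    private static void AfterAccess(TokenCacheNotificationArgs args)
    {
        if (!args.HasStateChanged) return;
        lock (CacheLock)
        {
            byte[] plain = args.TokenCache.SerializeMsalV3();
            byte[] protectedBytes = ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(CachePath));
            File.WriteAllBytes(CachePath, protectedBytes);
            Array.Clear(plain, 0, plain.Length); // drop the plaintext copy promptly
        }
    }
}
```

Call ProtectedTokenCache.Register(capp.UserTokenCache) right after Build() in place of the bare SetAfterAccess call shown above; AcquireTokenSilent then finds the decrypted refresh token in the cache without your code ever handling it directly.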