Question
In this documentation it gives a complete flow for a web application that calls a web API:
1. The web application executes a policy and the user completes the user experience.
2. Azure AD B2C returns an (OpenID Connect) id_token and an authorization code to the browser.
3. The browser posts the id_token and authorization code to the redirect URI.
4. The web server validates the id_token and sets a session cookie.
5. The web server asks Azure AD B2C for an access_token by providing it with the authorization code, application client ID, and client credentials.
6. The access_token and refresh_token are returned to the web server.
7. The web API is called with the access_token in an authorization header.
8. The web API validates the token.
9. Secure data is returned to the web application.
Looking at 6. and using the code in the Azure-Samples repository active-directory-b2c-dotnet-webapp-and-webapi, I cannot get the line
AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
to return a refresh_token. It returns an IdToken and AccessToken but no RefreshToken.
By using my browser and Postman and following the steps in this document with the same B2C tenant and application, I do get the refresh token as expected.
This question is similar to mine, and the blog post mentioned in one of the answers provides a workaround for the symptom of not having a refresh token, but my question remains:
How can I get AcquireTokenByAuthorizationCode to return a refresh_token?
Answer 1:
To get a refresh token, your application should append offline_access as a scope.
You mentioned that this MSDN document was able to return you a refresh token. That is because the request already contains the offline_access scope:
&scope=openid%20offline_access
To get a refresh token from active-directory-b2c-dotnet-webapp-and-webapi, you need to update the Scopes field in Globals.cs to include offline_access:
public static string[] Scopes = new string[] { ReadTasksScope, WriteTasksScope, "offline_access" };
Answer 2:
The offline_access scope is optional for web apps. It indicates that your app needs a refresh token for long-lived access to resources.
Go to web.config and add the following:
<add key="api:OfflineAccessScope" value="offline_access"/>
And in Globals.cs:
// offline_access is a built-in OIDC scope, so unlike the API scopes it is not prefixed with ApiIdentifier
public static string OfflineAccessScope = ConfigurationManager.AppSettings["api:OfflineAccessScope"];
public static string[] Scopes = new string[] { ReadTasksScope, WriteTasksScope, OfflineAccessScope };
Then the Globals.Scopes passed to AcquireTokenByAuthorizationCode will return a refresh token.
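As an added example (not code from the Azure sample or from either answer), the following shows what both answers amount to in practice with MSAL.NET: offline_access goes into the scope list unprefixed, the refresh token returned at step 6 lands in MSAL's token cache rather than on AuthenticationResult, and later calls obtain fresh access tokens via AcquireTokenSilent. The API scope URIs, client settings and the B2C authority are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class B2CTokenFlow
{
    // Hypothetical API scopes; the sample builds these from ApiIdentifier + web.config values.
    const string ReadTasksScope  = "https://contoso.onmicrosoft.com/tasks/read";
    const string WriteTasksScope = "https://contoso.onmicrosoft.com/tasks/write";

    // offline_access is a built-in OIDC scope: it is NOT prefixed with the API identifier.
    // Request it only when the app really needs long-lived access (least privilege).
    public static readonly string[] Scopes = { ReadTasksScope, WriteTasksScope, "offline_access" };

    public static IConfidentialClientApplication BuildClient(
        string clientId, string clientSecret, string b2cAuthority, string redirectUri) =>
        ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithB2CAuthority(b2cAuthority)   // assumed: https://contoso.b2clogin.com/tfp/contoso.onmicrosoft.com/B2C_1_signupsignin
            .WithRedirectUri(redirectUri)
            .Build();

    // Steps 5/6 of the flow: redeem the authorization code. Because Scopes contains
    // offline_access, B2C returns a refresh token and MSAL writes it to app.UserTokenCache;
    // AuthenticationResult itself never exposes the refresh token.
    public static async Task<string> RedeemCodeAsync(IConfidentialClientApplication app, string code)
    {
        AuthenticationResult result = await app.AcquireTokenByAuthorizationCode(Scopes, code).ExecuteAsync();
        return result.Account.HomeAccountId.Identifier;   // store this in the session cookie's server-side state
    }

    // Later requests: let MSAL redeem the cached refresh token. If offline_access was not
    // requested, or the cache entry is gone, MSAL throws MsalUiRequiredException and the
    // user has to be sent through the B2C policy again.
    public static async Task<string> GetAccessTokenAsync(IConfidentialClientApplication app, string homeAccountId)
    {
        IAccount account = await app.GetAccountAsync(homeAccountId);
        try
        {
            AuthenticationResult result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            return result.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            return null;   // caller redirects the browser back to the sign-in policy
        }
    }
}
```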
Source: https://stackoverflow.com/questions/58407041/why-doesnt-acquiretokenbyauthorizationcode-return-refreshtoken