AzureAD / MSAL.PS


No Refresh Token returned from Get-MSALToken using DeviceCode flow #11

Closed darrenjrobinson closed 4 years ago

darrenjrobinson commented 4 years ago

Get-MsalToken -ClientId $global:myDevCred.UserName -DeviceCode -Interactive -TenantId $global:myDevTenantId -RedirectUri "https://localhost" returns an Access Token but no Refresh Token.

I suspect this is associated with functionality leveraged from Microsoft.Identity.Client.dll as I can't see anything specifically in MSAL.PS that would not provide the Refresh Token.

Writing a simple PowerShell function using the Device Code flow (without leveraging Microsoft.Identity.Client.dll) using the same Registered Application DOES return a Refresh Token.

Is there any way to force MSAL.PS to return a Refresh Token for the Device Code flow? Device Code flow is required as the permissions required for the app aren't available as App Permissions, just Delegated Permissions.

jazuntee commented 4 years ago

The MSAL.NET library handles the usage of the refresh token. Can you try the following?

For the initial authentication

Get-MsalToken -ClientId $global:myDevCred.UserName -DeviceCode -TenantId $global:myDevTenantId -RedirectUri "https://localhost"

For all subsequent calls you can remove the DeviceCode parameter to use the refresh token

Get-MsalToken -ClientId $global:myDevCred.UserName -Silent -TenantId $global:myDevTenantId -RedirectUri "https://localhost"

I might look at bypassing the device code logic if there is already a token in the cache.
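The two-step pattern above (device code once, silent thereafter) as a complete script. This is an added example, not code from the issue or from the MSAL.PS project; it assumes MSAL.PS is installed, that $ClientId/$TenantId identify a public-client app registration with device code flow allowed, and that $Scopes are delegated permissions already consented for that app. The point it demonstrates is the one behind the thread: MSAL.NET never hands the refresh token to the caller, it keeps it in the token cache and redeems it inside AcquireTokenSilent, so the caller only ever sees access tokens.

```powershell
# Added example (not from the issue thread or the MSAL.PS project).
# Device-code sign-in once, then silent renewal from MSAL's token cache.
# Assumptions (not in the original post): MSAL.PS is installed; $ClientId and
# $TenantId identify a public-client app registration that permits device code
# flow; $Scopes are delegated permissions already consented for that app.
param(
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $TenantId,
    [string[]] $Scopes = @('https://graph.microsoft.com/User.Read')   # assumed scope
)

Import-Module MSAL.PS -ErrorAction Stop

function Get-DelegatedToken {
    [CmdletBinding()]
    param([switch] $ForceRefresh)

    try {
        # Silent first: MSAL.NET looks up the cached account and, if the access
        # token is expired (or -ForceRefresh is set), redeems the cached refresh
        # token for a new one. The refresh token itself is never returned.
        return Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes `
            -Silent -ForceRefresh:$ForceRefresh -ErrorAction Stop
    }
    catch {
        # MSAL.PS calls MSAL.NET via .GetAwaiter().GetResult(), so the MSAL
        # exception may surface directly or as an InnerException.
        $ex = $_.Exception
        $uiRequired = ($ex -is [Microsoft.Identity.Client.MsalUiRequiredException]) -or
                      ($ex.InnerException -is [Microsoft.Identity.Client.MsalUiRequiredException])
        if (-not $uiRequired) { throw }   # network/config errors are not a reason to re-prompt
    }

    # Nothing usable in the cache (fresh process, cache cleared, refresh token
    # revoked or expired, or a policy-driven re-auth): do the device-code sign-in
    # once. This prints a code for the user to enter at the verification URL.
    return Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes -DeviceCode
}

# 1st call: device code prompt. 2nd call: served from cache while the AT is valid.
# 3rd call: -ForceRefresh makes MSAL redeem the cached RT for a fresh AT.
$first  = Get-DelegatedToken
$second = Get-DelegatedToken
$third  = Get-DelegatedToken -ForceRefresh

# Checks a practitioner would run while validating the flow on a fresh profile.
if ($first.Account.Username -ne $second.Account.Username) { throw 'Account mismatch between calls' }
[pscustomobject]@{
    Account                = $first.Account.Username
    SecondServedFromCache  = ($second.AccessToken -eq $first.AccessToken)
    ThirdIsNewToken        = ($third.AccessToken -ne $first.AccessToken)
    FirstExpiresOn         = $first.ExpiresOn
    ThirdExpiresOn         = $third.ExpiresOn
} | Format-List
```

Two caveats worth keeping in mind. First, the cache Get-MsalToken -Silent reads from is in-memory by default, so the refresh token lives only as long as the PowerShell process; MSAL.PS ships Enable-MsalTokenCacheOnDisk for persistence across sessions. Second, a persisted refresh token is a long-lived bearer credential for that user: anyone who can read the cache under that profile can mint access tokens for every delegated scope the app is consented for, so keep the app's permissions minimal and avoid the on-disk cache on shared or jump hosts.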

darrenjrobinson commented 4 years ago

Thx for the reply Jason. I've just tested and validated the end to end flows (on a fresh machine profile) and can confirm that the MSAL.NET DLL does get a new Access Token (I'm assuming from a stored Refresh Token in the client cache). This is fantastic.

Thx again for the great module.

jazuntee commented 4 years ago

Glad that worked! Yes, the RT is stored in the token cache.