AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

@azure/msal-node doesn't return refresh token #7325

Closed servefast-cto closed 1 month ago

servefast-cto commented 1 month ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.13.0

Wrapper Library

Not Applicable

Wrapper Library Version

0.0.0

Public or Confidential Client?

Confidential

Description

How can I access the refresh token from the acquireTokenByCode method? I have a background job that is spun up when needed, so I cannot rely on cached versions. I have implemented several OAuth integrations (Dropbox, Google, Box); all of those APIs are simple and return what is needed.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

MSAL Configuration

import { Configuration, ConfidentialClientApplication } from "@azure/msal-node";

// Note: the secret-store handles look swapped (clientId is read from
// outlookClientSecretKey, clientSecret from outlookClientIdSecretKey).
const config: Configuration = {
  auth: {
    clientId: outlookClientSecretKey.value(),
    authority: "https://login.microsoftonline.com/common",
    clientSecret: outlookClientIdSecretKey.value(),
  },
};

const msalClient = new ConfidentialClientApplication(config);

Relevant Code Snippets

// `msalClient` is the ConfidentialClientApplication built from the config above;
// `code` is the authorization code Entra ID sent to the redirect URI.
const authResult = await msalClient.acquireTokenByCode({
  code: code,
  scopes: ["openid", "offline_access", "User.Read", "Mail.Read"],
  redirectUri: "redirect-url",
});
// authResult is an AuthenticationResult (accessToken, idToken, account,
// expiresOn, ...); it has no refreshToken field.

Reproduction Steps

Call the acquireTokenByCode method.

Expected Behavior

Returns the refresh token.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Other

Regression

No response

Source

External (Customer)

tnorling commented 1 month ago

Please see the FAQ

Dzivo commented 1 month ago

From documentation

How do I get the Refresh Token?
MSAL Node does not expose refresh tokens for security reasons. Instead, we manage the refresh token through the cache and update it as required to fetch the corresponding Id Token and Access Token for the developer. Use the appropriate acquireToken* API to obtain access tokens, and MSAL will ensure they are renewed if necessary. If you have a refresh token acquired by other means, you can use the [acquireTokenByRefreshToken](https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_node.confidentialclientapplication.html#acquiretokenbyrefreshtoken) API (see also: [Refresh Token sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-node-samples/refresh-token/README.md)). More details on AAD tokens can be found [here](https://learn.microsoft.com/azure/active-directory/develop/security-tokens)

Still, we have implemented several other OAuth integrations (Google, Dropbox, Box, ...) and all of them work the same way: they return the access and refresh token. Even your /token response, if done manually, returns it, so hiding it from MSAL users doesn't really do anything in terms of security; if we need to use it we will just use the /token endpoint.