tarickb / sasl-xoauth2

SASL plugin for XOAUTH2

Refresh token expires after 90 days with Microsoft Office365 #30

Closed firefrei closed 2 years ago

firefrei commented 2 years ago

Hi,

I'm using sasl-xoauth2 on two systems authenticating at two independent Microsoft Office365 organizations. With both setups I am experiencing the same issue:

After 90 days of running, the access token cannot be refreshed anymore. Only after manually issuing new tokens does it work again. The error messages in both logs look similar:

mxrelay    | 2022-04-05T06:21:12.732102+00:00 WARNING sasl-xoauth2:   2022-04-05 06:21:12: TokenStore::Read: file=/var/spool/postfix/xoauth2-tokens/webservice@example.com
mxrelay    | 2022-04-05T06:21:12.732151+00:00 WARNING sasl-xoauth2:   2022-04-05 06:21:12: TokenStore::GetAccessToken: token expired. refreshing.
mxrelay    | 2022-04-05T06:21:12.732199+00:00 WARNING sasl-xoauth2:   2022-04-05 06:21:12: TokenStore::Refresh: token_endpoint: https://login.microsoftonline.com/<hidden>/oauth2/v2.0/token
mxrelay    | 2022-04-05T06:21:12.732223+00:00 WARNING sasl-xoauth2:   2022-04-05 06:21:12: TokenStore::Refresh: request: client_id=<hidden>&client_secret=&grant_type=refresh_token&refresh_token=<hidden>
mxrelay    | 2022-04-05T06:21:12.732247+00:00 WARNING sasl-xoauth2:   2022-04-05 06:21:12: TokenStore::Refresh: code=400, response={"error":"invalid_grant","error_description":"AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2022-01-03T09:39:41.5631952Z and was inactive for 90.00:00:00.\r\nTrace ID: <hidden>\r\nCorrelation ID: <hidden>\r\nTimestamp: 2022-04-05 06:21:12Z","error_codes":[700082],"timestamp":"2022-04-05 06:21:12Z","trace_id":"<hidden>","correlation_id":"<hidden>","error_uri":"https://login.microsoftonline.com/error?code=700082"}

According to the Microsoft documentation:
Refresh tokens are valid for 90 days, and with continuous use, they can be valid until revoked. [1]

It looks like the refresh token is never used, however, it was used to refresh the access token over the last 90 days. I checked the Microsoft documentation [2] and it says:
The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. As such, whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one.

So, I guess the following happens:
sasl-xoauth2 does not store and replace the initial refresh token with the newly issued refresh token. The initial refresh token is not explicitly deleted, so it stays active for 90 days. Then it gets revoked and sasl-xoauth2 cannot refresh its access token anymore. So manual interaction is needed again...

Unfortunately the documentation of sasl-xoauth2 doesn't say anything about the refresh process. Could the mentioned procedure be the case? Or am I missing a configuration option?

Thanks a lot, Matthias

[1] https://docs.microsoft.com/en-us/microsoft-365/enterprise/session-timeouts?view=o365-worldwide
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#refresh-token-lifetime
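The refresh-token rotation the reporter describes, as an added example that is not part of this thread and not sasl-xoauth2's own code. It models, in a constructed stand-in for the Microsoft token endpoint, the behaviour quoted from the documentation and the AADSTS700082 error in the log: every successful refresh returns a new refresh token, and each refresh token ages out 90 days after it was issued. A small token store is run once a day for 120 simulated days, once persisting the rotated token and once reusing the initial one, to show that only the second configuration hits the 90-day wall. The `TokenStore` JSON layout, the `FakeTokenEndpoint` class, the `simulate` helper and the `example-client-id` value are all assumptions made for this example.

```python
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional

DAY = 86400
REFRESH_TOKEN_LIFETIME = 90 * DAY  # Microsoft's documented default


class ReauthorizationRequired(Exception):
    """The refresh token was rejected; only a new interactive authorization helps."""


class TokenStore:
    """Hypothetical store; the JSON layout is an assumption, not sasl-xoauth2's format."""

    def __init__(self, path: Path, token_endpoint: Callable[[Dict[str, str]], Dict],
                 now: Callable[[], float], persist_rotated: bool = True):
        self.path = path
        self._call = token_endpoint
        self._now = now
        self.persist_rotated = persist_rotated  # False reproduces the issue's failure mode

    def read(self) -> Dict:
        return json.loads(self.path.read_text())

    def write(self, data: Dict) -> None:
        tmp = self.path.with_name(self.path.name + ".tmp")
        tmp.write_text(json.dumps(data))
        tmp.replace(self.path)  # atomic rename: a crash mid-write cannot lose the only refresh token

    def get_access_token(self) -> str:
        data = self.read()
        if self._now() < data.get("expiry", 0) - 30:  # 30 s safety margin
            return data["access_token"]
        return self._refresh(data)

    def _refresh(self, data: Dict) -> str:
        resp = self._call({"grant_type": "refresh_token", "client_id": data["client_id"],
                           "refresh_token": data["refresh_token"]})
        if resp.get("error") == "invalid_grant":
            raise ReauthorizationRequired(resp.get("error_description", ""))
        if "error" in resp:
            raise RuntimeError(f"token endpoint error: {resp}")
        data["access_token"] = resp["access_token"]
        data["expiry"] = self._now() + resp.get("expires_in", 3600)
        # Rotation: every successful refresh returns a new refresh token. Persisting it
        # (and thereby retiring the old one) is what keeps the chain alive past 90 days.
        if self.persist_rotated and resp.get("refresh_token"):
            data["refresh_token"] = resp["refresh_token"]
        self.write(data)
        return data["access_token"]


class FakeTokenEndpoint:
    """Constructed stand-in for the Microsoft token endpoint: each refresh token lives
    90 days from issuance, every successful refresh issues a new one, old ones age out."""

    def __init__(self, now: Callable[[], float]):
        self._now = now
        self._issued: Dict[str, float] = {}
        self._counter = 0

    def issue_refresh_token(self) -> str:
        self._counter += 1
        token = f"rt-{self._counter}"
        self._issued[token] = self._now()
        return token

    def __call__(self, params: Dict[str, str]) -> Dict:
        issued_at = self._issued.get(params.get("refresh_token", ""))
        if issued_at is None or self._now() - issued_at >= REFRESH_TOKEN_LIFETIME:
            return {"error": "invalid_grant",
                    "error_description": "AADSTS700082: The refresh token has expired due to inactivity."}
        return {"access_token": f"at-{int(self._now())}", "expires_in": 3600,
                "refresh_token": self.issue_refresh_token()}


def simulate(days: int, persist_rotated: bool) -> Optional[int]:
    """Fetch an access token once a day; return the day manual re-authorization became
    necessary, or None if the refresh chain never broke."""
    clock = {"t": 0.0}

    def now() -> float:
        return clock["t"]

    endpoint = FakeTokenEndpoint(now)
    with tempfile.TemporaryDirectory() as tmpdir:
        path = Path(tmpdir) / "tokens.json"
        path.write_text(json.dumps({"client_id": "example-client-id",  # constructed placeholder
                                    "access_token": "", "expiry": 0,
                                    "refresh_token": endpoint.issue_refresh_token()}))
        store = TokenStore(path, endpoint, now=now, persist_rotated=persist_rotated)
        for day in range(days):
            clock["t"] = day * DAY
            try:
                store.get_access_token()
            except ReauthorizationRequired:
                return day
    return None
```

`simulate(120, True)` returns `None` because each day's refresh is made with the token issued the day before, while `simulate(120, False)` returns `90`: the initial token is reused until it ages out, exactly the "issued on ... inactive for 90.00:00:00" condition in the log. The write-then-rename in `TokenStore.write` matters for the same reason the issue matters: after rotation the file holds the only refresh token that will still be accepted, so it must never be lost halfway through a write.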