trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0
15.83k stars 1.65k forks

Create detector for Azure refresh tokens #2978

Open rgmz opened 3 months ago

rgmz commented 3 months ago

Description:

Azure refresh tokens are long-lived opaque tokens returned alongside access tokens^1. They can remain valid for an indefinite period, and can be used to generate a new valid access token on behalf of the subject.

This detector can be tested by obtaining a live refresh token. I like using ROADtools:

# Obtain a token for Microsoft Office
# https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in
$ roadrecon auth --device-code -c d3590ed6-52b3-4102-aeff-aad2292ab01c -r msgraph
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCDEFG123 to authenticate.
Tokens were written to .roadtools_auth

This detector only works with refresh tokens created for public clients. If a client is confidential, the required tenant, id, and secret should trigger the service principal detector.

Checklist:
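The verification idea described in the PR, as an added Go example that is not the project's own detector code: extract refresh-token-looking strings from scanned text, run the OAuth 2.0 refresh_token grant against a token endpoint with a public client ID (the Microsoft Office ID from the ROADtools command above), and treat "a client secret is required" as the confidential-client case the post says belongs to the service principal detector rather than as an invalid token. The candidate regex, the `.default` Graph scope, and the mock token endpoint (an httptest stand-in for login.microsoftonline.com with constructed JSON bodies) are assumptions made so the example runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Public client ID for Microsoft Office, as used in the roadrecon command in the PR.
const officeClientID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"

// Refresh tokens are opaque; this "0.A" + base64url candidate pattern is an
// assumption for illustration, not the project's real detector regex.
var refreshTokenPattern = regexp.MustCompile(`\b0\.A[A-Za-z0-9_-]{40,}`)

// Constructed sample tokens; the mock endpoint keys its answers on them.
var (
	liveToken         = "0.A" + strings.Repeat("abcdEFGH1234", 5)
	confidentialToken = "0.A" + strings.Repeat("XYZxyz-_0987", 5)
	revokedToken      = "0.A" + strings.Repeat("Revoked_tok0", 5)
)

// VerifyResult is what a scanner would attach to a finding for triage.
type VerifyResult struct {
	Verified bool
	Reason   string
}

// findCandidates returns the distinct refresh-token-looking strings in text.
func findCandidates(text string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range refreshTokenPattern.FindAllString(text, -1) {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

// verifyRefreshToken runs the refresh_token grant with a public client ID. A token
// issued to a confidential client cannot be checked this way (the endpoint demands
// the client secret), so that case is reported as unverifiable, not invalid.
func verifyRefreshToken(ctx context.Context, tokenEndpoint, clientID, token string) (VerifyResult, error) {
	form := url.Values{
		"grant_type":    {"refresh_token"},
		"client_id":     {clientID},
		"refresh_token": {token},
		"scope":         {"https://graph.microsoft.com/.default"}, // assumed scope
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return VerifyResult{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return VerifyResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return VerifyResult{}, err
	}
	var parsed struct {
		AccessToken      string `json:"access_token"`
		Error            string `json:"error"`
		ErrorDescription string `json:"error_description"`
	}
	_ = json.Unmarshal(body, &parsed) // a non-JSON body falls through to the default case
	switch {
	case resp.StatusCode == http.StatusOK && parsed.AccessToken != "":
		return VerifyResult{Verified: true, Reason: "token endpoint issued a new access token"}, nil
	case strings.Contains(parsed.ErrorDescription, "client_secret"):
		return VerifyResult{Verified: false, Reason: "confidential client: secret required, hand off to service principal detector"}, nil
	case parsed.Error == "invalid_grant":
		return VerifyResult{Verified: false, Reason: "invalid_grant: " + parsed.ErrorDescription}, nil
	default:
		return VerifyResult{}, fmt.Errorf("unexpected response %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
}

// scanAndVerify ties extraction and verification together for one text blob.
func scanAndVerify(ctx context.Context, tokenEndpoint, text string) (map[string]VerifyResult, error) {
	results := map[string]VerifyResult{}
	for _, tok := range findCandidates(text) {
		r, err := verifyRefreshToken(ctx, tokenEndpoint, officeClientID, tok)
		if err != nil {
			return nil, err
		}
		results[tok] = r
	}
	return results, nil
}

// newMockTokenEndpoint is a constructed stand-in for login.microsoftonline.com so
// the example runs offline; the bodies mirror the real endpoint's JSON shape only.
func newMockTokenEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch r.PostFormValue("refresh_token") {
		case liveToken:
			json.NewEncoder(w).Encode(map[string]any{"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed.access.token"})
		case confidentialToken:
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client", "error_description": "The request body must contain the following parameter: 'client_assertion' or 'client_secret'."})
		default:
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_grant", "error_description": "constructed: refresh token expired or revoked"})
		}
	}))
}

func main() {
	srv := newMockTokenEndpoint()
	defer srv.Close()
	sample := "refresh_token=" + liveToken + "\nold=" + confidentialToken + " stale=" + revokedToken + "\n" // constructed
	results, err := scanAndVerify(context.Background(), srv.URL, sample)
	if err != nil {
		panic(err)
	}
	for tok, r := range results {
		fmt.Printf("%s... verified=%v (%s)\n", tok[:12], r.Verified, r.Reason)
	}
}
```

Pointing `scanAndVerify` at `https://login.microsoftonline.com/common/oauth2/v2.0/token` instead of the mock exercises the real grant; the three-way split (verified, unverifiable because confidential, invalid_grant) is the part worth keeping, since collapsing the middle case into "not verified" would silently drop every confidential-client token from triage.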