Currently my application attempts to acquire the access token silently, which amounts to checking whether there is a current (i.e. not expired) token in the token cache. However, tokens don’t live for very long, so it’s quite likely that a valid token won’t be found. This unfortunately leads to a poor user experience, as the user will quite often be prompted to sign in. There is an alternative, which is to use the refresh token, returned as part of initially acquiring the access token, to silently request a new access token. This of course is on the assumption that the refresh token hasn’t expired.
Here is a quick summary, as at the time of writing, of the different tokens and their expiry rules (a good explanation here):
- Azure AD access tokens expire in 1 hour (see the expires_on attribute that is returned when acquiring an access token).
- Refresh tokens expire in 14 days (see the refresh_token_expires_in attribute that is returned when acquiring an access token).
- Access tokens can be refreshed using the refresh-token for a maximum period of time of 90 days, from the date that the access token was acquired by prompting the user.
The authentication logic can be amended to retrieve the cached tokens (which include the refresh token), attempt to acquire a token silently, and then, if that fails, attempt to acquire a token via the refresh token. Failing that, the user would be prompted to sign in.
```csharp
// Requires: using System; using System.Diagnostics; using System.Linq;
//           using Microsoft.IdentityModel.Clients.ActiveDirectory;
// This snippet runs inside an async method that returns the access token as a string.
var authContext = new AuthenticationContext(Configuration.Current.ADAuthority);

// Look in the token cache for an entry matching this client application and resource
var tokens = authContext.Tokens();
var existing = (from t in tokens
                where t.ClientId == Configuration.Current.ADNativeClientApplicationClientId &&
                      t.Resource == Configuration.Current.MobileServiceAppIdUri
                select t).FirstOrDefault();

if (existing != null)
{
    // 1. Try the cached access token first (succeeds only if it hasn't expired)
    try
    {
        var res = await authContext.AcquireTokenSilentAsync(
            Configuration.Current.MobileServiceAppIdUri,
            Configuration.Current.ADNativeClientApplicationClientId);
        if (res != null && !string.IsNullOrWhiteSpace(res.AccessToken))
        {
            return res.AccessToken;
        }
    }
    catch (Exception saex)
    {
        Debug.WriteLine(saex);
    }

    // 2. Access token expired: exchange the cached refresh token for a new access token
    try
    {
        var res = await authContext.AcquireTokenByRefreshTokenAsync(
            existing.RefreshToken,
            Configuration.Current.ADNativeClientApplicationClientId);
        if (res != null && !string.IsNullOrWhiteSpace(res.AccessToken))
        {
            return res.AccessToken;
        }
    }
    catch (Exception saex)
    {
        Debug.WriteLine(saex);
    }
}

// 3. Neither path produced a token: fall through to prompting the user to sign in
```
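As an added illustration (not code from the original post), the three expiry rules above can be encoded as a small decision routine that picks which acquisition path is worth attempting before making any network call. `TokenLifetimePolicy`, `AcquirePath` and the five-minute skew margin are assumptions; it also assumes the v1 endpoint's `expires_on` is Unix epoch seconds and `refresh_token_expires_in` is a duration in seconds.

```csharp
using System;

// Which acquisition path the lifetime rules allow (hypothetical type, added here)
public enum AcquirePath { Silent, Refresh, Interactive }

public static class TokenLifetimePolicy
{
    // Rule from the post: refresh is only possible for 90 days after the interactive sign-in
    static readonly TimeSpan MaxRefreshWindow = TimeSpan.FromDays(90);
    // Treat anything expiring within this margin as already expired (clock skew, request latency)
    static readonly TimeSpan SkewMargin = TimeSpan.FromMinutes(5);

    // Convert the raw token-response attributes into absolute expiry instants
    public static (DateTimeOffset accessExpiresOn, DateTimeOffset refreshExpiresOn) FromResponse(
        long expiresOnUnixSeconds, long refreshTokenExpiresInSeconds, DateTimeOffset receivedAt)
    {
        return (DateTimeOffset.FromUnixTimeSeconds(expiresOnUnixSeconds),
                receivedAt.AddSeconds(refreshTokenExpiresInSeconds));
    }

    // accessExpiresOn  : when the cached access token expires (expires_on)
    // refreshExpiresOn : when the cached refresh token expires (refresh_token_expires_in)
    // lastInteractive  : when the user last signed in with a prompt
    public static AcquirePath Choose(DateTimeOffset now,
                                     DateTimeOffset accessExpiresOn,
                                     DateTimeOffset refreshExpiresOn,
                                     DateTimeOffset lastInteractive)
    {
        if (accessExpiresOn - now > SkewMargin)
            return AcquirePath.Silent;       // cached access token is still usable

        bool refreshTokenAlive = refreshExpiresOn - now > SkewMargin;
        bool withinMaxWindow   = (lastInteractive + MaxRefreshWindow) - now > SkewMargin;
        if (refreshTokenAlive && withinMaxWindow)
            return AcquirePath.Refresh;      // exchange the refresh token for a new access token

        return AcquirePath.Interactive;      // cached credentials exhausted: prompt the user
    }
}
```

Calling `Choose` before `AcquireTokenSilentAsync` lets the app skip a doomed silent attempt and go straight to the refresh or interactive path, and record the interactive sign-in time so the 90-day cap can be enforced.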
Nice work.
Can we get the code and documentation of setting up in Azure.
Thank You,
Dheeraj
Hi Dheeraj,
This is now an old post so I don’t have the documentation handy. However, if you look at the other posts around this time I think I recall posting the details of how to setup Azure – Try https://nicksnettravels.builttoroam.com/tag/realestatesample/ and look for the posts about Azure
Hi Nick,
can you tell me how to get the “refresh_token_expires_in” from azure ad?
I got access_token and refresh_token and spent a lot of time trying to get the lifetime of the refresh_token.
In Azure B2C it’s a default response value, but in normal Azure AD I do not get that property back.