Misaz Misaz - 11 months ago 87
C# Question

Azure AD token service doesn't respond with refresh_token and id_token

I am trying to work with the Outlook REST API. I have to authenticate with Azure AD and I have one little problem with that. When I exchange the authorization code for an access token, the response of https://login.microsoftonline.com/common/oauth2/v2.0/token does not contain the refresh_token and id_token which I need. My code sending the request is

HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://login.microsoftonline.com/common/oauth2/v2.0/token");
req.Method = "POST";
req.ServicePoint.Expect100Continue = false;
req.UserAgent = "Example/1.0";
req.ContentType = "application/x-www-form-urlencoded";
using (StreamWriter sw = new StreamWriter(req.GetRequestStream()))
{
    // Every value is URL-encoded so that '+', '/' or '&' in the code or the secret cannot corrupt the form body.
    string data = "";
    data += "grant_type=authorization_code";
    data += "&code=" + HttpUtility.UrlEncode(Request.QueryString["code"]);
    data += "&scope=" + HttpUtility.UrlEncode(string.Join(" ", scopes));
    data += "&redirect_uri=" + HttpUtility.UrlEncode(redirectUri);
    data += "&client_id=" + HttpUtility.UrlEncode(appId);
    data += "&client_secret=" + HttpUtility.UrlEncode(appPassword);
    sw.Write(data);
}
using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
using (StreamReader sr = new StreamReader(res.GetResponseStream()))
{
    // Pass the token endpoint's JSON through unchanged.
    Response.ContentType = "application/json";
    Response.Write(sr.ReadToEnd());
}

Example of response from this code

{
  "token_type": "Bearer",
  "scope": "https://outlook.office.com/Calendars.Read https://outlook.office.com/Calendars.ReadWrite https://outlook.office.com/Mail.Read",
  "expires_in": 3600,
  "ext_expires_in": 0,
  "access_token": "EwAYA+l3B/Qk ... IpfA0C"
}

I don't know what I am doing differently than https://oauthplay.azurewebsites.net, because there the response contains all properties.

Answer Source

For the refresh token, you have to ask for the Offline_Access scope while requesting the authorization code, and for the id_token, I guess you need the Profile scope. The id_token is basically for app-specific use, just to verify that the token is being used by the specific app only and no other app is using the token on behalf of the other app. So try to request the offline_access scope; that might give you the refresh token.
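
The scope fix discussed above, as an added example that is not part of the original question or answer: it builds the authorization request with the scopes that the v2.0 endpoint ties to each token (`offline_access` for refresh_token, `openid` for id_token), adds a random `state` value, and reports which tokens a token response lacks. The class and method names, `YOUR_APP_ID`, the redirect URI and the sample response are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.Json;

static class AuthCodeFlowExample
{
    const string AuthorizeEndpoint = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
    // offline_access -> refresh_token, openid -> id_token. Both have to be in the
    // authorization request; adding them only to the token request is too late.
    static readonly string[] TokenScopes = { "openid", "offline_access" };

    // Unguessable per-request value; compare it on the redirect to reject forged callbacks.
    public static string NewState()
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        return Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static string BuildAuthorizeUrl(string clientId, string redirectUri, string[] apiScopes, string state)
    {
        string scope = string.Join(" ", TokenScopes.Concat(apiScopes).Distinct());
        var query = new[]
        {
            ("client_id", clientId), ("response_type", "code"),
            ("redirect_uri", redirectUri), ("scope", scope), ("state", state),
        };
        return AuthorizeEndpoint + "?" +
            string.Join("&", query.Select(p => p.Item1 + "=" + Uri.EscapeDataString(p.Item2)));
    }

    // Names of the expected tokens that are absent from a token-endpoint response.
    public static string[] MissingTokens(string tokenResponseJson)
    {
        using (JsonDocument doc = JsonDocument.Parse(tokenResponseJson))
            return new[] { "access_token", "refresh_token", "id_token" }
                .Where(name => !doc.RootElement.TryGetProperty(name, out _)).ToArray();
    }

    static void Main()
    {
        // YOUR_APP_ID and the redirect URI are placeholders, not values from the question.
        Console.WriteLine(BuildAuthorizeUrl("YOUR_APP_ID", "https://localhost/callback",
            new[] { "https://outlook.office.com/Mail.Read" }, NewState()));
        // Constructed response with the same shape as the one in the question.
        string sample = "{\"token_type\":\"Bearer\",\"expires_in\":3600,\"access_token\":\"PLACEHOLDER\"}";
        Console.WriteLine("missing: " + string.Join(", ", MissingTokens(sample)));
    }
}
```

Store the generated `state` in the user's session before redirecting and compare it with the `state` query parameter on the callback before exchanging the code.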