
I have registered a multitenant app at https://apps.dev.microsoft.com since the "admin consent" prompt wasn't available in the Azure AD apps. Admin consent is required for our app to retrieve info about users and their calendars.

I can provide admin consent from a completely different tenant than what this app is registered from and use the provided access token to retrieve all necessary information, however that obviously expires after an hour and we need offline access.

I have tried using the tenantId instead of 'common' in the https://login.windows.net/common/oauth2/token endpoint, however I receive the same message as below.

The following is the data being submitted to the token endpoint in json format (converted within node to form encoded format before submitting):

{
  grant_type: 'refresh_token',
  client_id: 'e5c0d59d-b2c8-4916-99ac-3c06d942b3e3',
  client_secret: '(redacted)',
  refresh_token: '(redacted)',
  scope: 'openid offline_access calendars.read user.read.all'
}

When I try to refresh the access token I receive an error:

{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'e5c0d59d-b2c8-4916-99ac-3c06d942b3e3'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 2bffaa08-8c56-4872-8f9c-985417402e00\r\nCorrelation ID: c7653601-bf96-46c3-b1ff-4857fb25b7dc\r\nTimestamp: 2017-03-22 02:17:13Z",
  "error_codes": [65001],
  "timestamp": "2017-03-22 02:17:13Z",
  "trace_id": "2bffaa08-8c56-4872-8f9c-985417402e00",
  "correlation_id": "c7653601-bf96-46c3-b1ff-4857fb25b7dc"
}

This error occurs even when standard consent is used. I have also tried using the node-adal library instead of raw http requests which produces the exact same result.

I note that "offline_access" isn't a permission I am able to set within the MS apps portal, however I would guess the fact that I am getting a refresh token back means that I can refresh the access token?

For the record, the following is the node-adal code I used to see if I was doing something wrong:

// adal-node exports AuthenticationContext; its callbacks receive (err, tokenResponse)
var AuthenticationContext = require('adal-node').AuthenticationContext;
var self = this;

var authenticationContext = new AuthenticationContext('https://login.windows.net/common');
authenticationContext.acquireTokenWithRefreshToken(
    self.refreshToken,
    self.clientId,
    self.clientSecret,
    'https://graph.microsoft.com/',      // resource, v1 endpoint style
    function(err, tokenResponse) {
        if (err) {
            console.log(err);            // e.g. the AADSTS65001 error shown above
            return;
        }
        console.log(tokenResponse);      // access_token, refresh_token, expiresOn, ...
    }
);

Any help in getting this refresh process working is appreciated!

1 Answer


Please ensure that the tenant you are using for refreshing the token is the same as the tenant you requested the access_token from.

The refresh token request works well for me except in the scenario below:

  1. register the app from the portal using a Microsoft account
  2. user1 is in tenant1
  3. add user1 as an external user to tenant2
  4. request the access_token/refresh_token from tenant1 (OK)
  5. try to refresh the token using tenant1 in the request (OK)
  6. try to refresh the token using tenant2 in the request (same error message)

3 Comments

Hi Fei, thanks for the reply. I have tried this with two completely separate tenants with the same result as the first post. We do not make use of "external users" as mentioned in your post. My process:
  1. register the app from the MS portal as user1 in tenant1
  2. run through the OAuth2 consent process for user2 in tenant2
  3. receive access token and refresh token for tenant2. The access token works fine for tenant2 during the 60 minutes before expiry.
  4. attempt to refresh the access token for tenant2 with the given refresh token and receive the error message described in the original post.
To elaborate on "tried this with two completely separate tenants with the same result" above, these two tenants were different to the tenant that has registered the app.
I am still not able to reproduce this issue. Based on the original post, it seems that the token endpoint is not correct. Since you registered the app using the portal apps.dev.microsoft.com, we need to use the Azure AD V2.0 endpoint. Please refer to the v2.0 Protocols - OAuth 2.0 Authorization Code Flow about the detailed request. Please let me know if it helps.
