Add support for refreshing the access token of an account

[maskati]

Related command
az account

Is your feature request related to a problem? Please describe.
Some scenarios require refreshing the cached access token of an account, for example when user's group membership changes as a consequence of PIM for Groups.

Describe the solution you'd like
Provide a mechanism to refresh the cached access token of an account e.g. az account refresh-access-token.

Describe alternatives you've considered
Waiting for token expiration or performing az logout and az login.

[yonzhan]

Thank you for opening this issue, we will look into it.

[jiasli]

Supporting --force-refresh in az account get-access-token is tracked by #17578.

Does az account clear and az login work for you? It may be related to #26573.

[maskati]

az account clear or az logout do work, but are not ideal since the user is already authenticated and only requires a refreshed access token. It's unfortunate that MSAL does not allow forcing refresh of the token in the cache, mearly skipping the cache altogether for a single token acquisition (--force-refresh). Clearing the cache is not useful since it also clears the refresh token.

Would it be possible to expand --force-refresh to be a global parameter? It would would probably need to be more clearly named since "force refresh" is clear in the context of get-access-token but not in general.

[maskati]

Actually it seems like force_refresh does update the token cache, so this issue would be resolved by performing az account get-access-token --force-refresh > /dev/null to force cached token update and then performing the desired operation. Looking forward to #17578 being implemented.