This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

Refresh token is always undefined #322

Closed
vital101 opened this issue Jun 17, 2017 · 9 comments

Comments

@vital101

I'm trying to get a refresh token using this Passport strategy, but for some reason I can't make it work. I've tried de-authorizing the app several times (I know a refresh token is only granted on the first auth), but it doesn't seem to make a difference.

I'm on version 3.0.6.

The Code

```javascript
// In app.js
const passport = require('passport');
const { OIDCStrategy } = require('passport-azure-ad');

const creds = {
  redirectUrl: 'http://localhost:3000/token',
  clientID: '<myClientId>',
  clientSecret: '<mySecret>',
  identityMetadata: 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration',
  allowHttpForRedirectUrl: true, // For development only
  accessType: 'offline',
  responseType: 'code',
  validateIssuer: false, // For development only
  responseMode: 'query',
  scope: [
    'Contacts.Read',
    ...
  ]
};

const callback = (iss, sub, profile, accessToken, refreshToken, done) => {
  console.log('Refresh Token: ', refreshToken); // this is undefined
  done(null, {
    profile,
    accessToken,
    refreshToken
  });
};

passport.use(new OIDCStrategy(creds, callback));

// -- Inside of routes

// When I authenticate
const passportSettings = {
  accessType: 'offline',
  approvalPrompt: 'consent'
};

// Authentication request.
router.get('/login', (req, res, next) => {
  // passport.authenticate returns middleware; with a custom callback it still
  // has to be invoked with (req, res, next) or the strategy never runs
  passport.authenticate('azuread-openidconnect', passportSettings, (err, user, info) => {
    // Do stuff.
  })(req, res, next);
});
```

I suspect that this might be a usage issue by me, but I'm out of places to ask for help. Perhaps I have a configuration parameter wrong on https://apps.dev.microsoft.com?

@lovemaths
Contributor

'offline_access' scope is required to obtain a refresh token. Please add it in the scope in creds and try again. Also please upgrade to version 3.0.7.

@webuniverseio

@lovemaths is it possible to get refresh_token for v1 or not really? Is offline_access available only in v2?
Thank you.

@webuniverseio

Also is it possible to switch app registration from using v1 endpoints to v2 endpoints? Or specify for new app registration that it should use v2 endpoints. Thank you.

@lovemaths
Contributor

@szarouski Please see below:

(1) To specify the resource, for v1 we use resourceURL option in passport.authenticate (follow the example here), for v2 we use scope option in strategy configuration.

(2) v1 is supposed to give you both access token and refresh token when you ask for an access token. For v2 you need to explicitly use offline_access scope to get refresh token.

I don't quite understand your app registration question, could you give more details what you want to achieve?
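The two points above (offline_access is what makes the v2 endpoint hand out a refresh token, and the resource is chosen via scope on v2 rather than resourceURL on v1) are easy to get wrong in a config object, and the thread never shows what to do with the refresh token once it arrives. The block below is an added example, not code from passport-azure-ad or from anyone in this thread. It assumes the hypothetical helper names v2StrategyOptions, checkV2RefreshPrereqs and buildRefreshRequest, that the option names mirror those OIDCStrategy accepts, that the v2 token endpoint is https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, and that the refresh_token grant takes the standard OAuth 2.0 form parameters. It builds a v2 configuration with the prerequisites in place, diagnoses the configuration from the question, and assembles the refresh_token grant request; all sample values are constructed and nothing is sent over the network.

```javascript
// Added example for this thread; not code from passport-azure-ad or from any
// commenter. Assumed: the helper names are hypothetical, the option names match
// what OIDCStrategy accepts, the v2 token endpoint path is /oauth2/v2.0/token,
// and the refresh_token grant uses the standard OAuth 2.0 form parameters.
'use strict';

const V2_METADATA =
  'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration';

// Strategy options for new OIDCStrategy(options, verify) against the v2 endpoint.
// offline_access is the scope that makes v2 issue a refresh token at all; on v1
// the resource is chosen per request with the resourceURL option instead.
function v2StrategyOptions({ clientID, clientSecret, redirectUrl, scope }) {
  return {
    identityMetadata: V2_METADATA,
    clientID,
    clientSecret,
    redirectUrl,
    responseType: 'code id_token',  // hybrid flow: the code is redeemed server-side
    responseMode: 'form_post',      // id_token arrives in a POST body, not a URL fragment
    allowHttpForRedirectUrl: false, // only ever true on localhost
    validateIssuer: true,           // never ship with issuer validation off
    scope: [...new Set(['openid', 'profile', 'offline_access', ...scope])],
  };
}

// Lists the reasons a v2 configuration cannot yield a refresh token; an empty
// list means the prerequisites discussed in this thread are all met.
function checkV2RefreshPrereqs(opts) {
  const problems = [];
  const scope = Array.isArray(opts.scope) ? opts.scope : String(opts.scope || '').split(/\s+/);
  if (!scope.includes('offline_access')) problems.push('scope lacks offline_access');
  if (!/\bcode\b/.test(opts.responseType || '')) problems.push('responseType must contain "code"');
  if (!opts.clientSecret) problems.push('clientSecret missing: a web app authenticates to the token endpoint');
  if (!/\/v2\.0\//.test(opts.identityMetadata || '')) problems.push('identityMetadata is not a v2.0 document');
  return problems;
}

// Builds the refresh_token grant for the v2 token endpoint. The refresh token is
// a long-lived credential: keep it server-side only, and overwrite the stored
// copy whenever the token response carries a new refresh_token.
function buildRefreshRequest({ tenant = 'common', clientID, clientSecret, refreshToken, scope }) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientID,
    client_secret: clientSecret,
    refresh_token: refreshToken,
    scope: scope.join(' '),
  });
  return {
    url: `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Constructed sample values; no real tenant, client or token is involved.
const SAMPLE = {
  clientID: '00000000-0000-0000-0000-000000000000',
  clientSecret: 'example-secret',
  redirectUrl: 'https://app.example.com/token',
  scope: ['Contacts.Read'],
};

// The shape of the configuration from the question: v2 metadata, responseType
// 'code', no offline_access in scope.
const asPosted = { ...v2StrategyOptions(SAMPLE), responseType: 'code', scope: ['Contacts.Read'] };
const fixed = v2StrategyOptions(SAMPLE);

console.log('as posted:', checkV2RefreshPrereqs(asPosted));
console.log('fixed    :', checkV2RefreshPrereqs(fixed));
console.log(buildRefreshRequest({ ...SAMPLE, refreshToken: 'constructed-refresh-token' }));
```

The diagnostics are the checklist a reviewer would run against any v2 configuration before blaming the library: the scope, the response type, the client secret and the metadata document. Whatever redeems the request returned by buildRefreshRequest should treat the refresh token like a password (server-side storage, no logging, rotate on use), and validateIssuer and allowHttpForRedirectUrl should only ever be relaxed on a developer machine.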

@webuniverseio

@lovemaths thanks for your reply. For v1 I don't get a new refresh token when I renew access token (similar problem to following: https://stackoverflow.com/questions/35308425/not-able-to-get-new-refresh-token-from-azure-ad-with-grant-type-refresh-token-ca/) - I wonder if that might be due to AD configuration? (I'm just a dev, don't have access to it). However I get new refresh token with v2 endpoint with offline_access when I'm renewing access token (which is weird, why I can for v2, but can't for v1).

Another thing that I found is that it is possible to keep getting an access token via an authorization call with client_credentials & it doesn't seem to expire, I wonder if that is a valid approach?

For app registration I'm wondering if it is possible to use azure portal to create registration with v2 endpoint support. At the moment it seems that I had to use Application registration portal for that.

@lovemaths
Contributor

@szarouski It seems I can always get a refresh token when I renew an access token with v1. I am not sure what went wrong, I am asking around to see if anyone might know the answer. v1 and v2 are two separate endpoints and the usage is very different, so it is normal that the behaviors are different.

You can always call passport.authenticate when you need an access token. This is a valid approach.

For v2 app registration you have to go to apps.dev.microsoft.com, it cannot be done on azure portal.

@webuniverseio

@lovemaths thanks for looking at that. Here is how things are setup, maybe it will shed some light.
There is web api which is using & is protected by app registration with User.Read delegated permissions. There is also UI client app (my node.js app) which is using User.Read delegated permissions + delegated permissions from web api app registration (if I'm correct - user_impersonation, access to api). I'm specifying this app registration as a resource & get token which is valid for both authentication & authorization calls. All calls are going through Azure AD. I wonder if there is a limitation of some sort there, or this is an issue with how our internal AD (which is exposed via Azure) is set up.

@MarkHerhold
Contributor

MarkHerhold commented Feb 6, 2018

I encountered a similar problem where I couldn't get a refresh token with V2. I solved this with the following config:

```javascript
responseType: 'code id_token',
clientSecret: '<provide a secret, set in Azure>',
scope: ['profile', 'offline_access']
```

@sgjackman71

@MarkHerhold - thanks for this! I've spent the last 4 hours trying different combinations and this worked for me to get a refresh token. Didn't need the clientSecret however.
