New-PartnerAccessToken does not returns refresh token #156
@slavizh thank you for opening this new issue. When you generate a new access token using any refresh token, that refresh token should be injected into the cache. After that is accomplished, everything should function as expected. There is a possibility that what you stated in the other thread is correct, but that definitely is not the expected behavior. So, we will need to dig into this further to see how best to reproduce the issue.
If I try to generate a new refresh token I get an error on the web page after entering credentials: AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: I am using the following command assuming it is the right way to issue the refresh token for the first time.
BTW when problems happen in the browser you can never cancel the command on the PowerShell window. You should have some timeout or ability to cancel the command, otherwise I have to close the whole window.
I have not managed to test it yet since the new release but I bank my money @slavizh is correct. Plus the issue of not being able to cancel is so annoying it is beyond belief... especially that the new module is so broken that you end up testing all of it 530403403400 times a day - needed to restart everything each time...
Also I did mention in my last issue that Refresh Tokens are not being returned... I do not know C# well enough but when I read the code it does not appear to have the right property assigned to it.
    string key = GetTokenCacheKey(authResult);
    AuthResult result = new AuthResult(
        authResult.AccessToken,
        authResult.IsExtendedLifeTimeToken,
        authResult.UniqueId,
        authResult.ExpiresOn,
        authResult.ExtendedExpiresOn,
        authResult.TenantId,
        authResult.Account,
        authResult.IdToken,
        authResult.Scopes);
    if (tokens.ContainsKey(key))
    {
        result.RefreshToken = tokens[key].Secret;
    }
    WriteObject(result);
    }
Surely
If I put reply url https://localhost as well I can do interactive authentication. Seems you have changed the reply URL. Can you set it back to urn:ietf:wg:oauth:2.0:oob so we do not have to change our apps? I still cannot get a refresh token even when I have made this change,
@cblackuk Thanks for running this through Fiddler. Do you also get the reply URL issue if you try to issue a completely new refresh token? I would assume yes if you have set up the app like me.
The code above should issue a new token and it does but it does not get returned... until they fix it... no point testing anything else really :-)
I was wondering if you get the same AAD error when you use the -UseAuthorizationCode parameter but anyway. I hope they will resolve that problem as well.
Will test it tomorrow mate :)
Thanks for testing it.
2.0.1909.3 does not fix refresh token not returned. :(
Why am I not surprised... I guess the reply URL is also broken still right?
Haven't tested that but it is useless to test it if refresh token does not work.
Just tested both. No refresh token and reply URL is broken still.
Same here, issue still persists.
@IsaiahWilliams Several days have passed and the only update that was merged didn't fix the issue. Is the issue being investigated? Do we need to provide more information? When can we expect a fix?
Refresh tokens are valid for 90 days, so while this issue is being debugged you should not encounter any issue with using the current value. Also, I just released version 2.0.1909.4 that adds the ability to get debug statements from MSAL. Can you update and run the command with and without the debug flag please?
@IsaiahWilliams We have automation that renews tokens every day. We cannot migrate if we are not able to run it. Ran the new version. Refresh token is still not available. Debug is below:
@slavizh thank you for sharing this information. Just to confirm, the refresh token value was still missing when you ran the command with this version, correct?
@IsaiahWilliams yes
@slavizh that is interesting because the debug logs state the refresh token returned was cached. Can you confirm that
@slavizh thank you for sharing that. There should be a file named
Good luck and fingers crossed :) @IsaiahWilliams
@slavizh the root cause for this issue has been identified and corrected. Can you update to version 2.0.1909.5 and let me know if the value is returning as expected now?
@IsaiahWilliams I have verified that version 2.0.1909.5 produces token. Thank you for fixing this!
Awesome that is great news. It was a rather interesting issue, but the good news is it is resolved now. Thank you for bearing with me while I worked to get everything sorted.
Trying to generate a new token but receiving the following error
I'm running 2.0.1909.5. This occurs right after the consent in the browser on a fresh setup. Reply URI set correctly on app to "urn:ietf:wg:oauth:2.0:oob". Anyone else running into this issue?
Add https://localhost - job done
That was definitely it. Thank you, sir!
Hello, I know this is closed but I've updated the module to the "2.0.1909.5" version but I also don't have a refresh code.
@bilalAchahbar the root cause for this issue was related to how the module was being published. Since you have updated to a version where this has been corrected and you are still having issues, please open a new issue. If you do open a new issue please include details about what exactly is missing.
I am unable to obtain refresh token with PowerShell 7.0.3 in Ubuntu 18.04. It does provide refresh token if I try in Windows PowerShell 5.1.19041.1
We have the same issue.
I don't think this issue should be closed, I'm getting the same issue using 3.0.10 of the partnerCenter version 7.2.1 Powershell (mcr.microsoft.com/powershell:lts-centos-7) mcr.microsoft.com/powershell@sha256:30d3936bc0d74b20e0ec90077155db6db050443f5e2fd666ccba04ae2e5235d8
Steps to reproduce
Refresh Token was issued with commands in v 1.5 of the module. It follows the standard way of creating SP, creation impersonation with the SP of a user that has global administrator and admin agent rights. Nothing out of the ordinary.
$p.RefreshToken is empty. Only access token is filled.
Expected behavior
Actual behavior
No refresh token is returned, only access one.
Diagnostic logs
Environment
Both 5.1 and 6.2.3