6

Currently, I'm having the user log in to Microsoft Live by sending a request in a web view to the following URL:

https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=token&redirect_uri=[REDIRECT URI]&display=popup

This works perfectly, and I receive and save the access_token and authentication_token. Note that it doesn't return a refresh_token, even if I include the wl.offline_access scope.

The problem occurs when the access token expires and needs to be refreshed. I'm attempting to refresh the token using a method from Microsoft's documentation:

https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&refresh_token=[WHAT TO PUT HERE?]&grant_type=refresh_token

However, a refresh_token was never returned in the login, so I'm not sure what to pass in. Note that sending the authentication_token (what is it supposed to be used for?) as the refresh_token parameter results in the following:

{
  "error": "invalid_grant",
  "error_description": "The provided value for the input parameter 'refresh_token' is not valid."
}

Does anyone know how to properly refresh a Microsoft Live token through their REST API?

shA.t
  • 16,580
  • 5
  • 54
  • 111
rebello95
  • 8,486
  • 5
  • 44
  • 65

1 Answers1

10

After further reading through Microsoft's documentation and experimenting, I was able to figure out how to do this.

The problem with my initial attempt was that I was requesting the wl.offline_access scope while using the implicit grant flow, as their documentation says not to:

Note Do not include the wl.offline_access scope if you're using the implicit grant flow (response_type=token).

So, I changed my URL to the following (using the authorization code grant flow since I need offline access):

https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=code&redirect_uri=[REDIRECT URI]&display=popup

Then, once I received the code in the callback, I called the following endpoint to retrieve the access and refresh tokens:

https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&code=[CODE FROM AUTHORIZATION]&grant_type=authorization_code

NOTE: Microsoft's documentation is INCORRECT for this endpoint in the above links. This is a GET request, NOT a POST request as their documentation claims.

This method finally returned the access_token and refresh_token parameters, and I was able to use both as expected.

rebello95
  • 8,486
  • 5
  • 44
  • 65
  • So what is the url you used to call data from one drive. I used https://api.onedrive.com/v1.0/drive with Authorization: bearer {token}. But it returns "Authentication failed" – Ravindu Mar 15 '17 at 04:50
  • 1
    This doesn't work for me. If I do get request I get this error: "error_description": "The provided request must have content-type 'application/x-www-form-urlencoded'." – user2924482 May 26 '17 at 18:57
  • Sounds like you should probably set `application/x-www-form-urlencoded` as your `Content-Type` header then @user2924482 :) – rebello95 May 26 '17 at 22:47