20

I am adding Microsoft OneDrive support to a product that my employer sells to other companies. When I went through my designing and prototyping stage, I was using an application ID that waw obtained through an application registration that I did using my personal account. Now, I'm working on actually adding the code into our product and am using an application ID that was obtained through an application registration that was done (by someone else) through our corporate Office365 account.

I am experiencing a difference in the results of the authentication queries between these two application registrations. I'm trying to track down the cause and I'm hoping someone here can help.

When I used the registration from my personal account, I was receiving all the data items from the /token url that were documented in the Microsoft online documentation. When I switched over to use the registration from our corporate account, changing nothing in the code except the application ID, I do not get the refresh_token value. I was using the same login credentials for both tests.

Here's the information when using my personal registration:

Url: https://login.microsoftonline.com/common/oauth2/v2.0/token

Request Body: grant_type=authorization_code&client_id={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}&code=XXXXXXXXXXXXXX...XXXXXXXXXXXXXXXX

Request Response: 

{
  "token_type":"Bearer",
  "scope":"https://graph.microsoft.com/files.readwrite.all",
  "expires_in":3599,
  "ext_expires_in":0,
  "access_token":"XXXXXXXXXXXXXX...XXXXXXXXXXXXXXXX",
  "refresh_token":"XXXXXXXXXXXXXX...XXXXXXXXXXXXXXXX"
}

Here's the information when using our corporate registration:

Url: https://login.microsoftonline.com/common/oauth2/v2.0/token

Request Body: grant_type=authorization_code&client_id={YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY}&code=YYYYYYYYYYYYYY...YYYYYYYYYYYYYYY

Request Response:

{
  "token_type":"Bearer",
  "scope":"https://graph.microsoft.com/files.readwrite.all",
  "expires_in":3599,
  "ext_expires_in":0,
  "access_token":"YYYYYYYYYYYYYY...YYYYYYYYYYYYYYY"
}

Other than the values for client_id and code, the only thing that is different is the application registration (one using a personal account and the other using a corporate Office365 account). What could be the cause of this? Is there something missing from the registration through our corporate account?

I don't have permissions to view the corporate registration, so I can't compare what they put it versus what I had in my personal registration. I gave them all the pertinent information, but I don't know if they did everything I asked.

ke4ktz
  • 1,152
  • 7
  • 18

2 Answers2

66

The Microsoft documentation is quite unclear. Their online services have gone through many iterations and this results in quite a bit of residual data lying around. When I revoked access to both applications from within Office365 and re-authenticated both of them from scratch, both calls were absent the refresh_token value in the response from the /token call.

I managed to put together the pieces from the Microsoft and OpenID documentation to find the answer. In the initial authorization request, the call to https://login.microsoftonline.com/common/oauth2/v2.0/authorize, adding offline_access to the scope query string parameter resolved the issue.

Nothing needs to be added or changed on the app registration side. When this new scope is added, the user will also be shown that the application is requesting access to the data offline. This sequence of steps turns on the return of the refresh_token value. Why it was there in the first place, without specifying offline_access still remains a mystery.

ke4ktz
  • 1,152
  • 7
  • 18
  • 1
    I added offline_access and the return result included the refresh_token, thanks a million, made my day! – Heider Sati Jan 19 '19 at 17:03
  • I'm trying to do the same with Calendars.ReadWrite, but it doesn't work. Is there a different way to do that? – Guy Biber Jan 21 '19 at 10:07
  • Thanks for the info, the documentation is in a terrible state right now – ChrisOnBass Aug 06 '19 at 17:44
  • Life Saviour. I could have wasted a couple of hours because official documentation DOES NOT include anything about it. Many many thank you – VijayRana May 24 '21 at 06:21
  • I wasted couple of hours on this. After going through the microsoft docs, I thought the only way to get refresh_token is if we use the {tenant} url. But this works – Justin George May 30 '21 at 14:02
  • Thanks man ... I struggled with the documentation for 6 hours now – You are my saviour – Jason Rietzke Aug 05 '21 at 21:05
11

2019 Update

First of all, thanks to ke4ktz (the accepted answer), worked perfectly.

However, I did not know initially how to add offline_access to the scope :) so in case someone has the same issue, you just add it after your scope string with space so let's say your scope was "Sites.FullControl.All" so now it will be "offline_access Sites.FullControl.All".

The reference from Microsoft can be found here

I hope it helps

Abhay Maurya
  • 11,819
  • 8
  • 46
  • 64