Why google tokens are not refresh with Easy Auth?

Question

I am using the Easy Auth feature of Azure App Service and I am trying to refresh a token with the Google provider.

I followed the Chris Gillum article and correctly called .auth/login/google with the access_type=offline parameter. Then I called .auth/refreshwhich return me a 200 OK with a new authenticationToken. However, when I check the claims of this ZUMO token by calling .auth/me, I can see that the Google token is in fact not refreshed despite the previous successful response. The exp claims (corresponding to Expiration Time) is the same as the previous token.

I tried several scenario : refresh the token immediately after receiving it, 10 minutes before the expiration time and after the expiration time (when the token is no longer valid) but in every scenario, Easy Auth return me a new ZUMO token but the Google token associated is always the same.

Is it normal for the .auth/refresh endpoint to always return the same token (same exp claims) with the Google provider ?

Answer 1

As Exchange authorization code for refresh and access tokens states about the refresh_token:

A token that you can use to obtain a new access token. Refresh tokens are valid until the user revokes access. Note that refresh tokens are always returned for installed applications.

And the response from Refreshing an access token only contains the access_token,expires_in (The remaining lifetime of the access token in seconds),token_type.

Is it normal for the .auth/refresh endpoint to always return the same token (same exp claims) with the Google provider ?

Using the Log stream under the MONITORING section of your app service, you could find the detailed log when calling .auth/refresh as follows:

Moreover, the exp claim when calling .auth/me represents the expire time for the authenticationToken instead of the refresh_token.

And you could leverage jwt.io to decode your authenticationToken and compare it with the exp user claim.