
I'm working on creating an Outlook Add-in using this architecture.

I'm trying to handle the scenario where the Azure Active Directory access token expires. According to the official documentation, the token's lifetime is 1 hour.

So I was thinking about changing the token's lifetime as described in this question. But I cannot do so, as I don't have the right to edit Azure policies. Also, I believe there is a cleaner way to test this scenario.

How can I test/debug this scenario?

Mhd
  • What part of the process are you trying to test? Calling an API with an expired token? Having your program detect it is expired and exchanging it for a refresh token? Are you using a library for this? – Shawn Tabrizi Feb 13 '18 at 01:13
  • @ShawnTabrizi I don't want to create a timer in my app just to take care of token expiration. So I'm trying to test both calling the Graph API with an expired token and detecting that it is expired and exchanging it for a refresh token. In this case, I can get the proper expiration token error (error code and message) so I can handle it properly in my program by acquiring a new access token. If I have any other error, I will display the proper error message to the end user. I'm using plain JavaScript with Ajax calls against AAD and the Graph API – Mhd Feb 13 '18 at 01:38
  • There is no need to create a timer. When you get an access token, part of the payload is an [`expires_in` variable](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code#request-an-access-token) which tells you when the token will expire. You simply need to store that as a session variable, and check it before you make calls. – Shawn Tabrizi Feb 13 '18 at 01:48
  • @ShawnTabrizi Does that mean there is no way to test the expired token scenario? Isn't it possible that the access token could be expired (for any reason) on the Azure AD side, so my session variable is no longer valid? – Mhd Feb 13 '18 at 02:12
  • I did not say there is no way to test an expired token scenario, but it depends on where and what you are testing. You cannot, for example, generate a token in the past using our Token Service. You can adjust the token lifetime, but you mentioned you do not have access to that. You can wire your code to treat the time in the token claim as "expired" no matter what, and then have your code execute. You cannot fake an expired token to a downstream API, because it will not be signed by the STS. – Shawn Tabrizi Feb 13 '18 at 22:59

1 Answer

Whenever your access token expires, you can use your refresh token to exchange it for a new access/refresh token pair. A refresh token has a maximum inactivity time of 90 days. You get a refresh token in the result when requesting an access token by specifying offline_access in the scope parameter of the request.

```shell
curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={clientid}' \
--data-urlencode 'refresh_token={refreshtoken}' \
--data-urlencode 'redirect_uri={redirect_uri}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_secret={client_secret}'
```
desu sai venkat
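The following is an added example, not code from the question or the answer, that ties the two threads together: the comment suggestion to wire the code so the `exp` claim is treated as expired via an injected clock, and the answer's refresh-token exchange as the recovery step, both driven offline by constructed stand-ins for Graph and the token endpoint. It assumes JWT access tokens with an `exp` claim, uses Node's `Buffer` (the add-in itself would use `atob`/`btoa`), and the function names `isExpired`, `callGraph` and `makeFakes` are the example's own.

```javascript
// Added example: exercising the expired-token path without a timer and without
// a signed expired token. Assumes JWT access tokens carrying `exp` (seconds since
// epoch) and Node's Buffer; in the browser add-in, swap Buffer for atob/btoa.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // Node's 'base64' decoder also accepts the base64url alphabet JWTs use.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Unsigned token for local tests only: Graph rejects it because the STS did not sign it.
function makeTestToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}

// Proactive check. `now` is injectable so a test can make any token "expired";
// `skew` treats the token as expired early so an in-flight call does not fail at the edge.
function isExpired(token, now = () => Date.now(), skew = 60) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return now() / 1000 >= exp - skew;
}

// One Graph call with both checks: proactive (exp claim) and reactive (a 401 from
// Graph, which is what a token that expired server-side produces). fetchFn and
// refreshFn are injected and synchronous only to keep the example offline and short.
function callGraph(tokens, { now, fetchFn, refreshFn }) {
  let refreshed = 0;
  if (isExpired(tokens.access_token, now)) { tokens = refreshFn(tokens.refresh_token); refreshed++; }
  let res = fetchFn(tokens.access_token);
  if (res.status === 401 && refreshed === 0) {   // refresh at most once per call, then give up
    tokens = refreshFn(tokens.refresh_token); refreshed++;
    res = fetchFn(tokens.access_token);
  }
  return { res, tokens, refreshed };
}

// Constructed stand-ins for Graph and the token endpoint, driven by the server's own clock.
function makeFakes(serverNow) {
  const fetchFn = (tok) => decodeJwtPayload(tok).exp > serverNow() / 1000
    ? { status: 200 }
    : { status: 401, error: { code: 'InvalidAuthenticationToken' } };
  const refreshFn = (rt) => {
    if (rt !== 'rt-1') throw new Error('unknown refresh token');
    return { access_token: makeTestToken({ exp: serverNow() / 1000 + 3600 }), refresh_token: 'rt-1' };
  };
  return { fetchFn, refreshFn };
}
```

Running the client with a clock ahead of the server exercises the proactive refresh; running it with a clock behind the server exercises the 401 path, which is the case a stored `expires_in` alone cannot catch.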