failing to receive onedrive oauth refresh_token when authenticating through SSO

Question

I have an app that supports saml based sso and oauth based access to cloud storage providers such as google drive, dropbox, and microsoft onedrive. I have an account setup that uses OneLogin as an identity provider, and my app and onedrive acting as service providers. the app requires users to authenticate with their cloud storage provider, so I redirect the user from the app to onedrive during this auth step. since they are using onelogin sso, they are redirected from onedrive to onelogin, they login to onelogin, and are redirected back to onedrive. Here they resume the oauth flow and agree to grant the app certain permissions and send back a code. I use this code to ping onedrive's /token route to exchange it for an access_token and a refresh_token. however we are not receiving the refresh_token, thus requiring the user to frequently have to reauthenticate with onedrive.

does anyone have any insight as to why we are not receiving a refresh_token? I have reached out to onelogin and microsoft as well (no progress/response yet). I have toyed around with settings in MS azure and onelogin but haven't solved the issue yet.

other details:

• in microsoft azure, users are federated using ws-federation
• so far, this issue only occurs with users who are using onedrive and an sso provider
• i am using the v1 onedrive api
• the auth response includes the access_token and other properties, just not the refresh_token
• here is a link detailing the oauth flow for onedrive, indicating that i can expect a refresh_token from the https://login.microsoftonline.com/common/oauth2/token route: https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/aad-oauth (in fact this refresh_token is necessary to finish the flow)
• here is another SO post that seems to be having a similar issue, but with godaddy: Refresh token not returned for Office365 accounts purchased through GoDaddy (i have tried messing with the StsRefreshTokensValidFrom attribute but to no avail)

to be clear, the flow is:

1. from app, attempt to oauth auth with onedrive
2. get redirected to onelogin
3. login to onelogin
4. get redirected to onedrive
5. grant permission for 3rd party app access
6. get redirected back to app with access code
7. exchange code for oauth tokens
8. fail to receive refresh_token

thanks!

Answer 1

To get a refresh_token, you need to set up the Refresh Token (timeout) field in the Token Timeout Settings of the SSO tab in the Application configured in your OneLogin Administration portal.