
According to this site, "AcquireTokenSilent is capable ... of refreshing a token when it's getting close to expiration (as the token cache also contains a refresh token)" which is great, but what are the restrictions on when MSAL is allowed to refresh a token?

This stackoverflow question implies that sometimes the server sends a special refresh token, but when I call App.PCA.AcquireToken...() it returns an object of type AuthenticationResult which doesn't have any members named anything like Refresh (in our Xamarin/C# app) so it doesn't seem like there is actually a separate token only used to figure out refreshing?

Does AcquireTokenSilent() require Internet access? Does it always check in with the server?

Betty Crokker

1 Answer


AcquireTokenSilent will search for an access token in the token cache for the current account. If none is found, it will throw an MsalUiRequiredException:

  • If such an access token is found and it's not close to expiration, it will return this access token (part of the AuthenticationResult). This does not require Internet access.
  • If such an access token is found but it's expired or close to expiration, AcquireTokenSilent will use the refresh token associated with the account in the token cache (and not surfaced through the API), get a new access token and refresh token, store them in the cache, and return the access token. This scenario does require an Internet connection.

There are subtle cases where, while refreshing the token, the Microsoft identity platform will decide that MFA is needed, or some kind of interaction, and in that case AcquireTokenSilent may also throw a MsalUiRequiredException. See https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-handling-exceptions#msaluirequiredexception for details.

Jean-Marc Prieur
  • The reason you don't see the refresh token in the Acquire result is that it is not exposed. It is cached and used by MSAL directly as explained above by Jean-Marc. If you look at the calls through Fiddler you will see it there. Note that some OAuth2 flows do not return refresh tokens (not really needed), e.g. Client Credentials or Resource Owner. – Marc Oct 04 '19 at 17:20
  • Here's what's strange though: I just tried my app, haven't run it since yesterday afternoon, and AcquireTokenSilent() returned an access token. So apparently this hidden refresh token still works 16 hours after the initial access? Can the refresh token continue to work for days/months/years? Who controls the lifetime of the refresh token? BTW, in the AuthenticationResult object that I get back from the non-silent AcquireToken function, the "ExpiresOn" is one hour in the future. – Betty Crokker Oct 04 '19 at 17:46
  • BTW, I suspect the answer to "who controls the lifetime of the refresh token" is somewhere in the Azure control panel; if that's true, it would be very helpful to know which setting where, as all of this token stuff is new for the organization and I'd like to be able to tell the IT group where to look when I ask them for help. – Betty Crokker Oct 04 '19 at 17:52
  • Yes. The lifetime of tokens is controlled by the Tenant admin: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes – Jean-Marc Prieur Oct 23 '19 at 06:56
  • @Marc a refresh token can have (and usually has) a longer lifetime than an access token. A new access token can be requested some time after the access token's expiration, by using a refresh token with a longer lifetime. – Mando Dec 24 '20 at 00:05
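The cache-then-refresh-then-interactive flow that the answer describes, as an added example that is not code from the question, the answer, or MSAL itself. It assumes MSAL.NET 4.x (Microsoft.Identity.Client), an already built IPublicClientApplication, and that the app never needs to see the refresh token, which stays inside MSAL's cache:

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenHelper
{
    // Returns a usable access token, letting MSAL decide whether the cache,
    // the hidden refresh token, or user interaction is needed.
    public static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication pca, string[] scopes)
    {
        // Pick the signed-in account from MSAL's cache (first one for simplicity;
        // a real app would let the user choose or remember the home account id).
        var accounts = await pca.GetAccountsAsync();
        IAccount account = accounts.FirstOrDefault();

        try
        {
            // Cache lookup first. MSAL only talks to the identity platform when
            // the cached access token is expired or close to expiry, and then it
            // uses the refresh token that the cache holds but never surfaces.
            AuthenticationResult result =
                await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();

            // Tells you whether this call was served offline or hit the server
            // (TokenSource.Cache vs TokenSource.IdentityProvider).
            Console.WriteLine($"Token source: {result.AuthenticationResultMetadata.TokenSource}, " +
                              $"expires on: {result.ExpiresOn:u}");
            return result;
        }
        catch (MsalUiRequiredException)
        {
            // No cached token, no usable refresh token, or the identity platform
            // demanded interaction (for example MFA or consent). Only now show UI.
            return await pca.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
    }
}
```

Treat MsalUiRequiredException as the normal "needs a user" signal rather than as an error; the exception is the only way the app learns that the refresh token has stopped working, since the refresh token and its lifetime are never exposed by the API.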