2

I am doing a project with React, msal-react, and msal-browser.

I can get an access token with functions provided by the msal-react library, but I cannot get the refresh token manually.

I can see from the network that a token request is performed when the user is logged in by redirect, and it obviously returned both a token and a refresh token. However, the refresh token is very well protected and cannot be found under cookie, session storage, or the instance.

Is it possible for the frontend to get the refresh token of Azure AD?

Sorry, I cannot post my code due to security requirements.

Conan DING
  • Why do you need to get the refresh token? Usually you call acquireTokenSilent every time you want to make a request, it'll return a token if available (using a refresh token if needed) or throw an error if not available. If that error occurs, you'll need to do interactive authentication. Typically you don't need to worry about the refresh tokens. – juunas Jun 18 '21 at 08:00
  • https://stackoverflow.com/a/44415012/14574199 msal.js, using `acquireTokenSilent` can't return a refresh token. – Tiny Wang Jun 18 '21 at 08:46
  • [acquireTokenSilent/acquireTokenPopup](https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_browser.publicclientapplication.html#acquiretokensilent) will return [AuthenticationResult](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#authenticationresult), and it can't return a refresh token. – Tiny Wang Jun 18 '21 at 08:48
  • Thank you for the response. 1. The reason I want to extract the refresh token is that the backend service wants me to use it to trade for an application access token. 2. Yes, acquireTokenSilent does not return a refresh token. The refresh token is returned when Azure redirects back to my webapp, and the refresh token is stored internally. – Conan DING Jun 18 '21 at 10:50

1 Answer

2

Refresh tokens are intentionally not returned on the public API surface, as MSAL will handle all required token refreshes under the hood when you call acquireTokenSilent. If the backend service needs its own access token, it needs to use a server-side library such as msal-node. We do not recommend or support obtaining tokens using the SPA library and passing them down to a backend, as tokens should only be sent to the resource they are intended for.

Thomas Norling
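The silent-first pattern that the comments and the answer describe, as an added example that is not part of the original thread or MSAL's own code: the SPA asks MSAL for an access token for the one API it calls and never handles the refresh token. The stub client, scope and URL are constructed placeholders; with the real library, pass a `PublicClientApplication` instead of the stub.

```javascript
// Added example, not code from the thread. Assumes an MSAL-style client object
// exposing getActiveAccount, getAllAccounts, acquireTokenSilent, acquireTokenPopup.

// With @azure/msal-browser, prefer `err instanceof InteractionRequiredAuthError`;
// the name check keeps this example runnable without the package installed.
function isInteractionRequired(err) {
  return Boolean(err) && err.name === "InteractionRequiredAuthError";
}

// Returns an access token for `scopes`. MSAL uses its cache and its internally
// stored refresh token; the application never sees or stores the refresh token.
async function getApiToken(msal, scopes) {
  const account = msal.getActiveAccount() ?? msal.getAllAccounts()[0];
  if (!account) throw new Error("no signed-in account; start an interactive login");
  const request = { scopes, account };
  try {
    return (await msal.acquireTokenSilent(request)).accessToken;
  } catch (err) {
    if (!isInteractionRequired(err)) throw err; // network/config errors surface
    return (await msal.acquireTokenPopup(request)).accessToken;
  }
}

// Sends the token only to the API it was issued for (scopes must match apiUrl).
async function callApi(msal, fetchImpl, apiUrl, scopes) {
  const token = await getApiToken(msal, scopes);
  return fetchImpl(apiUrl, { headers: { Authorization: `Bearer ${token}` } });
}

// Constructed stand-in for PublicClientApplication so the flow runs offline.
function makeStubMsal({ silentFails, signedIn = true }) {
  const calls = [];
  return {
    calls,
    getActiveAccount: () => (signedIn ? { username: "user@example.test" } : null),
    getAllAccounts: () => [],
    acquireTokenSilent: async () => {
      calls.push("silent");
      if (silentFails) {
        throw Object.assign(new Error("interaction_required"),
          { name: "InteractionRequiredAuthError" });
      }
      return { accessToken: "constructed-silent-token" };
    },
    acquireTokenPopup: async () => {
      calls.push("popup");
      return { accessToken: "constructed-popup-token" };
    },
  };
}
```

Errors other than `InteractionRequiredAuthError` are rethrown rather than answered with a popup, so a network or configuration failure does not turn into a repeated login prompt.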