Just visited the link "http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/" for reference and found out that the refresh_token received from Microsoft OAuth 2.0 will only work for 90 days of exhaustive usage, and after that we need to let the users authenticate the Microsoft app once again.
How are we supposed to develop Microsoft apps with the offline_access scope if the refresh_token is only going to work for the next 90 days?
The user might not visit the web app again, and he might need the Microsoft app to do its job in the background and serve its purpose...
Should we notify the users through some method (email, SMS, IVR phone call) to re-authenticate the Microsoft app? That sounds tedious for the developer and uncomfortable for the user...
Is there any overriding mechanism to solve this dilemma? Please share any ideas or workarounds so my soul may REST in peace...
There is currently no mechanism to retrieve the refresh token within Mobile Services. This is something about to be enabled for App Service Mobile Apps, but as of right now it is not available through the basic LoginAsync("aad") flow. This article talks about how to best handle AAD access tokens in native mobile apps and should help.
If you need better refresh support, and if you are using the .NET backend, then you can certainly use ADAL. It has an overload for LoginAsync which additionally accepts the access token (as part of a JSON object, under the key "access_token"). This allows the client to handle the refresh action.
We can find this quote in Best Practices for OAuth 2.0 in Azure AD:
Refresh tokens do not have specified lifetimes. Typically, the lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked, or lack sufficient privileges for the desired action. The client application needs to expect and handle errors returned by the token issuance endpoint correctly. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.
Which means, when the refresh_token expires, you will get an error if you use this token to apply for a new access_token.
So you can write the error handler in your code: when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, you need to discard the refresh token and request a new authorization code.
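The error-handling pattern described in this answer, as an added example that is not part of the original post or any Microsoft library: the token endpoint is injected as a callable (a constructed stand-in here, so the code runs offline), and the refresh logic discards the refresh token and signals that a new authorization-code sign-in is needed only on interaction_required or invalid_grant, while leaving the token in place for transient errors so the caller can retry.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Error codes named in the Azure AD best-practices text: both mean the refresh
# token is no longer usable and the user must go through the auth-code flow again.
REAUTH_ERRORS = {"invalid_grant", "interaction_required"}

@dataclass
class TokenState:
    access_token: Optional[str]
    refresh_token: Optional[str]
    needs_reauth: bool = False

def refresh_access_token(
    state: TokenState,
    post_token_request: Callable[[Dict[str, str]], Tuple[int, dict]],
) -> TokenState:
    """Redeem state.refresh_token for a new access token.

    post_token_request is a hypothetical injected function that POSTs the form
    fields to the token endpoint and returns (http_status, response_json).
    client_id / client_secret are omitted here; a real call must include them.
    """
    if state.refresh_token is None:
        return TokenState(None, None, needs_reauth=True)
    status, body = post_token_request({
        "grant_type": "refresh_token",
        "refresh_token": state.refresh_token,
    })
    if status == 200 and "access_token" in body:
        # The endpoint may rotate the refresh token; keep the newest one if present.
        return TokenState(body["access_token"], body.get("refresh_token", state.refresh_token))
    err = body.get("error")
    if err in REAUTH_ERRORS:
        # Dead refresh token: discard it and tell the caller to request a new auth code.
        return TokenState(None, None, needs_reauth=True)
    # Any other failure (e.g. a 5xx): keep the refresh token so the caller can retry later.
    raise RuntimeError(f"token endpoint error {status}: {err}")

# Constructed stand-in for the token endpoint; no network call is made.
def fake_token_endpoint(form: Dict[str, str]) -> Tuple[int, dict]:
    if form["refresh_token"] == "rt-valid":
        return 200, {"access_token": "at-new", "refresh_token": "rt-rotated"}
    if form["refresh_token"] == "rt-expired":
        return 400, {"error": "invalid_grant", "error_description": "constructed: token expired"}
    return 503, {"error": "temporarily_unavailable"}
```

When needs_reauth is set, the background job cannot continue on its own; that is the point at which the user has to be brought back through an interactive sign-in.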