Azure ADAL Refresh id_token

We are developing a multi-user web application. Our tenants will use Windows Azure Active Directory for authentication. We are using OWIN OpenIdConnect middleware to authenticate users. The response we receive after the authentication process has an id_token and an authorization code.

We also want to get a refresh token so that we can get new tokens after the id_token expires. Therefore, in the AuthorizationCodeReceived handler, we use the AcquireTokenByAuthorizationCode method in the ADAL library to get the refresh token. The response contains id_token, access_token and refresh_token.

We then use the refresh_token to get a new id_token; however, the response only contains the updated access_token, not an updated id_token. Is it possible to update the id_token, or can we only update the access_token? The condensed code for the authorization code handler is shown below.

AuthorizationCodeReceived = (context) =>
{
    // Redirect URI must match the one used in the authorization request.
    string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + "/";
    var code = context.Code;
    string clientSecret = ConfigurationManager.AppSettings["ida:Password"];
    // clientId is the application's client id, defined in the enclosing scope.
    ClientCredential credential = new ClientCredential(clientId, clientSecret);
    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
    // Tenant-specific authority; the second argument is the TokenCache (null here, so nothing is cached).
    AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID), null);
    // Redeem the authorization code: the result carries id_token, access_token and refresh_token.
    AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                code, new Uri(appBaseUrl), credential, "https://graph.windows.net");

    // Redeem the refresh token: the result carries a new access_token but no new id_token.
    AuthenticationResult refreshTokenResult = authContext.AcquireTokenByRefreshToken(result.RefreshToken, credential);

    return Task.FromResult(0);
},

2 answers


In general, you cannot use the refresh_token to update the id_token, as the id_token represents user authentication, information that cannot be updated without the user being present. The way to update the id_token is described in the OpenID Connect Session Management project (http://openid.net/specs/openid-connect-session-1_0.html), i.e. by sending the user (agent) to the authorization endpoint again with an authentication request, which can include prompt=no if you don't want user interaction but just want to check with the OP for an existing SSO session.



The session management features described in the draft are supported by Azure AD. If you want to keep the OP session in sync with your application session, this is the way to go. OTOH, you can choose an application session that is independent of the OP's session, using its own session timeout and duration, in which case there is no reason to update the id_token. The id_token is then only used to bootstrap the application session, which then lives on its own.



See also: AcquireTokenByRefreshToken is really a manual fallback in case there is something in ADAL's automatic cache management that you don't want to do. In general, every call to AcquireToken* (except for AcquireTokenByRefreshToken) will automatically use a refresh token if one is needed and a valid one is in the cache. Unless you really are in a special case, I would advise never using AcquireTokenByRefreshToken.
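Putting both answers together in the question's OWIN OpenIdConnect + ADAL (v2) setup, as an added example that is not code from the question or either answer: access-token renewal goes through AcquireTokenSilent against a per-user TokenCache so ADAL redeems the refresh token itself, and a fresh id_token comes only from a new OpenID Connect authentication request, sent with prompt=none (the value the linked specification defines) so Azure AD's existing SSO session is used without interaction. The ida:ClientId setting, the in-process per-user cache and the SessionController action are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Configuration;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;

public static class TokenHelper
{
    // Assumed settings; the question's handler already reads the secret from ida:Password.
    static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    static readonly string ClientSecret = ConfigurationManager.AppSettings["ida:Password"];
    const string Resource = "https://graph.windows.net";

    // One ADAL cache per signed-in user, kept in process memory (assumed; a web farm would persist it).
    // Pass CacheFor(signedInUserID) instead of null to the AuthenticationContext in AuthorizationCodeReceived,
    // so the refresh token obtained there is available to later requests.
    static readonly ConcurrentDictionary<string, TokenCache> Caches = new ConcurrentDictionary<string, TokenCache>();
    public static TokenCache CacheFor(string signedInUserId) { return Caches.GetOrAdd(signedInUserId, _ => new TokenCache()); }

    // Access-token renewal (second answer): ADAL uses the cached refresh token on its own.
    // Returns null when nothing usable is cached, i.e. the user has to sign in again.
    public static AuthenticationResult GetAccessTokenSilently(string tenantId, string signedInUserId, string userObjectId)
    {
        var authContext = new AuthenticationContext("https://login.windows.net/" + tenantId, CacheFor(signedInUserId));
        var credential = new ClientCredential(ClientId, ClientSecret);
        try { return authContext.AcquireTokenSilent(Resource, credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId)); }
        catch (AdalSilentTokenAcquisitionException) { return null; }
    }

    // Register as RedirectToIdentityProvider in Startup.ConfigureAuth, next to the question's AuthorizationCodeReceived.
    // Copies a "prompt" value from the challenge onto the outgoing authentication request.
    public static Task ApplyPrompt(RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
        string prompt;
        if (challenge != null && challenge.Properties.Dictionary.TryGetValue("prompt", out prompt))
            n.ProtocolMessage.Prompt = prompt; // if the SSO session is gone, Azure AD answers error=login_required
        return Task.FromResult(0);
    }
}

public class SessionController : Controller
{
    // id_token renewal (first answer): a new OpenID Connect authentication request, not a refresh token.
    public void RefreshIdToken()
    {
        var props = new AuthenticationProperties { RedirectUri = "/" };
        props.Dictionary["prompt"] = "none"; // reuse the Azure AD SSO session, no user interaction
        HttpContext.GetOwinContext().Authentication.Challenge(props, OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```

A login_required error surfaces in the middleware's AuthenticationFailed notification; that is the point to fall back to an interactive sign-in.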