Getting invalid grant when refreshing microsoft access oktne
I have create a web app that the user can connect his account with his outlook account, which will allow him to control his calendar using my web application.
I get the user consent and get access token and refresh token, it all works fine. When I refresh the token lets say after 30 minutes I get the new access token.
But after a while, a day I think I start getting this error invalid_grant when I refresh the token, And I have to login again to outlook to get a valid access token.
Does anyone have any idea why does this happen? This only happens the next day
by the way I have offline_access in my scope and API permission
Here is the request I am sending
curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Origin: http://localhost:4200' \
--header 'Authorization: Bearer ${Access_Token}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: fpc=AhDVWlE6NztJuqGq2Z_Q19xuuUk8AQAAAL3-ytsOAAAA; stsservicecookie=estsfd; x-ms-gateway-slice=estsfd' \
--data-urlencode 'client_id=f4c91f15-2a7c-4b57-836d-5b11dbd37981' \
--data-urlencode 'scope=user.read calendars.readwrite offline_access openid profile' \
--data-urlencode 'refresh_token=${Refresh_Token}' \
--data-urlencode 'grant_type=refresh_token'
And here is the error
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and added same API permissions as below:
I generated tokens using authorization code with PKCE flow via Postman with below parameters:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type:authorization_code
client_id:<appID>
scope: user.read calendars.readwrite offline_access openid profile
code:code
redirect_uri: http://localhost:4200
code_verifier: S256
Response:
I am able to fetch access token using this refresh token successfully until 24 hrs like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:<appID>
scope:user.read calendars.readwrite offline_access openid profile
refresh_token:<paste_refresh_token_from_above>
grant_type:refresh_token
Response:
When I tried to refresh the token after 24 hrs, I got same error like below:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id:<appID>
scope:user.read calendars.readwrite offline_access openid profile
refresh_token:<paste_refresh_token_from_above>
grant_type:refresh_token
Response:
The error usually occurs if you register your redirect URI as SPA as below:
As mentioned in this MS Documentation,
The default lifetime for the refresh tokens is 24 hours for single page apps. Refresh tokens sent to a redirect URI registered as
spaexpire after 24 hours.So, you need to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours.
Alternatively, you can register new Azure AD application by setting platform of redirect URI to Web and generate tokens with normal authorization code flow where refresh token stays for 90 days.
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs