javascript oauth-2.0 microsoft-graph-api access-token

Refreshing client_credentials microsoft token

I have function to get token from microsoft.

import { ConfidentialClientApplication } from '@azure/msal-node'
import { ConfigurationService } from './configuration/configuration.class.js'

export class TokenService {
  constructor(app) {
    this.app = app
    this.msalApplication = null
    this.accessToken = null
  }

  async initialize(configData) {
    try {
      // Find the values you need in the response data
      const clientId = configData.find((item) => item.setting === 'clientId')?.value
      const tenantId = configData.find((item) => item.setting === 'tenantId')?.value
      const clientSecret = configData.find((item) => item.setting === 'clientSecret')?.value

      // Check if all required values are present
      if (!clientId || !tenantId || !clientSecret) {
        throw new Error('Missing configuration values')
      }

      // Configure the MSAL application with the fetched values
      this.msalApplication = new ConfidentialClientApplication({
        auth: {
          clientId,
          authority: `https://login.microsoftonline.com/${tenantId}`,
          clientSecret,
          grant_type: 'client_credentials'
        }
      })
    } catch (error) {
      console.error('Error initializing TokenService:', error)
      throw error
    }
  }

  async getToken() {
    if (!this.msalApplication) {
      // Fetch the configuration values from the database using your ConfigurationService
      const configService = new ConfigurationService({
        Model: this.app.get('mssqlClient'),
        name: 'application_config' // Make sure this matches your FeathersJS database configuration
      })
      const configData = await configService.find()

      await this.initialize(configData)
    }

    // Pokud nemáme žádný platný token nebo je blízko k expiraci, získejte nový token
    if (!this.accessToken) {
      try {
        const tokenResponse = await this.msalApplication.acquireTokenByClientCredential({
          scopes: ['https://graph.microsoft.com/.default']
        })

        this.accessToken = tokenResponse.accessToken

        return this.accessToken
      } catch (error) {
        console.error('Error acquiring token:', error)
        this.accessToken = null

        throw error
      }
    }

    return this.accessToken
  }
}

It works as expected, but I need to refresh that token 5 minutes before it's going to expire ... I tried everything but nothing works. When I refresh it in interval, I always get the old token. Have u guys any tips how to solve this problem please?

Solution

scopes: ['https://graph.microsoft.com/.default'] is used for client credential, and the token generated by client credential flow is not able to be refreshed, and when we want to refresh an access token, we need a refresh token and an access token, only auth code flow can provide you with a refresh token when you generate the access token. Take a look at the document for auth code flow and client credential flow.

like you see, when you add offline_access in the scope to generate the access token, the refresh token could be returned. But the scope for credential flow could only be xxx/.default, we can't add offline_access into the scope for client credential flow.

Note: Only provided if offline_access scope was requested.