We currently use the `AddMicrosoftIdentityWebApp` approach to enable authentication using Azure AD B2C. Specifically, we use the following code:
```csharp
services.AddAuthentication()
    .AddCookie(FRONTEND_COOKIE_SCHEME) // special cookie due to having a separate back-end auth protocol
    .AddMicrosoftIdentityWebApp(options =>
    {
        // config info removed to be concise
        options.SignInScheme = FRONTEND_COOKIE_SCHEME;
        options.SignOutScheme = FRONTEND_COOKIE_SCHEME;
        options.UseTokenLifetime = true;
        options.SaveTokens = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = ClaimTypes.NameIdentifier
        };
    })
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();
```
We’re looking to implement the Refresh Token process (refdoc: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow). I can confirm that the .well-known endpoint indicates this is enabled:
```json
"response_types_supported": [
    "code",
    "code id_token",
    "code token",
    "code id_token token",
    "id_token",
    "id_token token",
    "token",
    "token id_token"
],
```
I can also confirm that Step 1 of that process is being invoked: when hitting the auth endpoint, I get redirected to `oauth2/v2.0/authorize?client_id={clientId}&redirect_uri={redirectUri}&response_type=code&scope=openid%20profile%20offline_access&code_challenge={codeChallenge}&code_challenge_method=S256&response_mode=form_post&nonce={nonce}&state={state}&ui_locales=en`. However, when looking at the response I receive back, at the `OnTokenValidated` step, I notice that I don't see a `code`. I figured this is probably because the `code` is being consumed at the `OnAuthorizationCodeReceived` step instead, and was going to start implementing the process of getting the Refresh Token there.
However, as I started looking into this more, I noticed that there doesn’t seem to be a whole lot of reference docs about doing this. I figured this would be something fairly common, and was surprised to not find any results – so, before I really go down this route, I wanted to ask whether this is actually the correct approach to be taking.
My question, specifically, is whether we, as consumers of the `MicrosoftIdentityWebApp` process, need to actually explicitly call out the Refresh Token process, or whether this is something that happens natively, in which case perhaps there is simply a config setting we need to enable?