How to acquire new oauth2 AccessToken with refresh token


I use an Azure App Registration configured to use the OAuth2 code flow to authenticate my application. This is a .NET 6 WebApi. In the Azure App Registration I have a custom scope for my API: api://{clientId}/ApplicationName.

In startup.cs I have configured cookie authentication with OAuth2 using the AddOAuth extension. I set up the clientId, clientSecret, token endpoint and this custom scope. I also added offline_scope.

I have no problems authenticating the user: there is a redirection to the MS authorization endpoint, it comes back, and in the back channel the code is exchanged for a valid token.

I also have a refresh_token.

Later in the logic of my application I'm using this access token in the OBO flow to call an external service.

When I inspect this token in JWT.io, this access token has an audience the same as the exposed API in the Azure Portal; the audience is api://{clientId}.

I'd like to acquire a new access token using the refresh token. I couldn't find any working library, so I'm making a simple request to the token endpoint providing all required parameters: grant_type, client_id, client_secret and refresh_token.

The problem is that I cannot acquire a working access token. When I do not add the resource parameter I get the error: "AADSTS90009: Application '{clientId}' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier."

When I set resource in the format api://{clientId} I get the same error. When I set resource to the same value as the clientId I can receive a new AccessToken, but this token is invalid.

It has the audience simply {clientId}, and this is invalid since the valid audience is api://{clientId}.

How can I get a new, valid access_token using the existing refresh_token?


1 answer

mateuszwdowiak

I found out that I was using an invalid token endpoint (without a version). When using the versioned /oauth2/v2.0/token endpoint everything is working.
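As an added illustration of the refresh exchange the question and answer describe (example code written for this page, not code from the asker's project): the v2.0 token endpoint takes a `scope` parameter rather than the `resource` parameter the unversioned endpoint wants, and the answer's fix amounts to posting the refresh_token grant to `/oauth2/v2.0/token` with the custom API scope. The example also decodes the returned JWT's `aud` claim and refuses tokens whose audience is not the expected `api://{clientId}`, which is the symptom the asker saw with the wrong endpoint. The tenant id, client id, scope name and the unsigned sample tokens are constructed placeholders; the decode is for inspection only and performs no signature verification.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions, not values from the original post).
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-id>"
API_SCOPE = f"api://{CLIENT_ID}/ApplicationName"   # custom scope exposed on the app registration
EXPECTED_AUDIENCE = f"api://{CLIENT_ID}"           # audience the downstream OBO call expects

# The versioned endpoint is the one that worked in the answer; the unversioned
# /oauth2/token endpoint is the one that produced the AADSTS90009 / wrong-audience results.
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def refresh_request_params(client_id, client_secret, refresh_token, scope):
    """Parameters for a refresh_token grant against the v2.0 endpoint.

    v2.0 selects the target API via 'scope' (not 'resource'); asking for
    offline_access again keeps a refresh token in the response.
    """
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": f"{scope} offline_access",
    }


def build_refresh_request(client_id, client_secret, refresh_token, scope):
    """Form-encoded body for the token request."""
    return urllib.parse.urlencode(
        refresh_request_params(client_id, client_secret, refresh_token, scope)
    )


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, expected_audience):
    """True if the token's aud claim (string or list) names the expected audience."""
    aud = decode_jwt_claims(token).get("aud")
    if isinstance(aud, list):
        return expected_audience in aud
    return aud == expected_audience


def make_sample_jwt(claims):
    """Constructed, unsigned (alg=none) sample JWT for offline demonstration only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def refresh_access_token(client_secret, refresh_token):
    """POST the refresh grant to the v2.0 endpoint and check the new token's audience.

    Network call; not exercised offline. The client_secret and refresh_token are
    credentials and must not be logged.
    """
    body = build_refresh_request(CLIENT_ID, client_secret, refresh_token, API_SCOPE).encode()
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        tokens = json.load(resp)
    access_token = tokens["access_token"]
    if not audience_matches(access_token, EXPECTED_AUDIENCE):
        # A token with aud == CLIENT_ID (no api:// prefix) is the wrong-endpoint symptom
        # from the question and would be rejected downstream; fail early here.
        raise ValueError(f"unexpected audience {decode_jwt_claims(access_token).get('aud')!r}")
    return tokens


if __name__ == "__main__":
    good = make_sample_jwt({"aud": "api://demo-client"})   # constructed sample
    bad = make_sample_jwt({"aud": "demo-client"})          # constructed sample
    print("good token audience ok:", audience_matches(good, "api://demo-client"))
    print("bad token audience ok: ", audience_matches(bad, "api://demo-client"))
```

The audience check is deliberately separate from the HTTP call so the same guard can sit in front of the OBO exchange: decoding without verification is fine for deciding which token to send on, but any token your own API accepts still needs full signature and issuer validation by the authentication middleware.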