Currently, I'm having the user log in to Microsoft Live by sending a request in a web view to the following URL:
https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=token&redirect_uri=[REDIRECT URI]&display=popup
This works perfectly, and I receive and save the access_token and authentication_token. Note that it doesn't return a refresh_token, even if I include the wl.offline_access scope.
The problem occurs when the access token expires and needs to be refreshed. I'm attempting to refresh the token using a method from Microsoft's documentation:
https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&refresh_token=[WHAT TO PUT HERE?]&grant_type=refresh_token
However, a refresh_token was never returned in the login, so I'm not sure what to pass in. Note that sending the authentication_token (what is it supposed to be used for?) as the refresh_token parameter results in the following:
{
"error": "invalid_grant",
"error_description": "The provided value for the input parameter 'refresh_token' is not valid."
}
Does anyone know how to properly refresh a Microsoft Live token through their REST API?
After further reading through Microsoft's documentation and experimenting, I was able to figure out how to do this.
The problem with my initial attempt was that I was requesting the
wl.offline_accessscope while using the implicit grant flow, as their documentation says not to:So, I changed my URL to the following (using the authorization code grant flow since I need offline access):
Then, once I received the
codein the callback, I called the following endpoint to retrieve the access and refresh tokens:NOTE: Microsoft's documentation is INCORRECT for this endpoint in the above links. This is a
GETrequest, NOT aPOSTrequest as their documentation claims.This method finally returned the
access_tokenandrefresh_tokenparameters, and I was able to use both as expected.