Refreshing an OAuth access token for Microsoft Live API


Currently, I'm having the user log in to Microsoft Live by sending a request in a web view to the following URL:

https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=token&redirect_uri=[REDIRECT URI]&display=popup

This works perfectly, and I receive and save the access_token and authentication_token. Note that it doesn't return a refresh_token, even if I include the wl.offline_access scope.

The problem occurs when the access token expires and needs to be refreshed. I'm attempting to refresh the token using a method from Microsoft's documentation:

https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&refresh_token=[WHAT TO PUT HERE?]&grant_type=refresh_token

However, a refresh_token was never returned in the login, so I'm not sure what to pass in. Note that sending the authentication_token (what is it supposed to be used for?) as the refresh_token parameter results in the following:

{
  "error": "invalid_grant",
  "error_description": "The provided value for the input parameter 'refresh_token' is not valid."
}

Does anyone know how to properly refresh a Microsoft Live token through their REST API?

1 answer

Answer by rebello95 (accepted):

After further reading through Microsoft's documentation and experimenting, I was able to figure out how to do this.

The problem with my initial attempt was that I was requesting the wl.offline_access scope while using the implicit grant flow, as their documentation says not to:

Note Do not include the wl.offline_access scope if you're using the implicit grant flow (response_type=token).

So, I changed my URL to the following (using the authorization code grant flow since I need offline access):

https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT ID]&scope=[SCOPES]&response_type=code&redirect_uri=[REDIRECT URI]&display=popup

Then, once I received the code in the callback, I called the following endpoint to retrieve the access and refresh tokens:

https://login.live.com/oauth20_token.srf?client_id=[CLIENT ID]&redirect_uri=[REDIRECT URI]&client_secret=[CLIENT SECRET]&code=[CODE FROM AUTHORIZATION]&grant_type=authorization_code

NOTE: Microsoft's documentation is INCORRECT for this endpoint in the above links. This is a GET request, NOT a POST request as their documentation claims.

This method finally returned the access_token and refresh_token parameters, and I was able to use both as expected.
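The full flow the accepted answer arrives at (authorize with response_type=code, exchange the code, then refresh with the returned refresh_token), as an added example that is not part of the original question or answer. The endpoint URLs, parameter names, scope name and the invalid_grant error body are taken from the thread above; the helper names, the redirect URI and the sample token responses are constructed for illustration and are not real tokens. Two caveats a practitioner would want: the answer reports that a GET to the token endpoint worked, while RFC 6749 specifies a POST with a form-encoded body, so the helper returns the parameters as a dict you can send either way; and because this grant requires client_secret, the exchange and refresh should run on a server you control rather than inside the app that hosts the web view.

```python
"""Microsoft Live OAuth 2.0 authorization-code flow helpers (added example)."""
from urllib.parse import urlencode, urlparse, parse_qs
import json
import time

AUTHORIZE_URL = "https://login.live.com/oauth20_authorize.srf"
TOKEN_URL = "https://login.live.com/oauth20_token.srf"
OFFLINE_SCOPE = "wl.offline_access"


def build_authorize_url(client_id, scopes, redirect_uri, response_type="code", display="popup"):
    """Build the login URL. Refuses the combination the answer identified as the cause of
    the missing refresh_token: wl.offline_access together with the implicit grant."""
    if response_type == "token" and OFFLINE_SCOPE in scopes:
        raise ValueError("wl.offline_access requires response_type=code (authorization code grant)")
    params = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "display": display,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(redirect_url):
    """Pull the authorization code out of the redirect the web view lands on."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if "code" not in qs:
        raise RuntimeError("redirect carried no code parameter")
    return qs["code"][0]


def build_token_request(client_id, client_secret, redirect_uri, *, code=None, refresh_token=None):
    """Return (url, params) for the token endpoint: an authorization_code exchange when
    `code` is given, a refresh_token grant when `refresh_token` is given. Send `params`
    as a query string (GET, as the answer reports) or as a form-encoded POST body (RFC 6749)."""
    if (code is None) == (refresh_token is None):
        raise ValueError("pass exactly one of code or refresh_token")
    params = {"client_id": client_id, "client_secret": client_secret, "redirect_uri": redirect_uri}
    if code is not None:
        params.update(grant_type="authorization_code", code=code)
    else:
        params.update(grant_type="refresh_token", refresh_token=refresh_token)
    return TOKEN_URL, params


def parse_token_response(body, now=None):
    """Parse the JSON token response into access_token, refresh_token (None if absent)
    and an absolute expiry time; raise on an OAuth error such as the invalid_grant
    seen in the question."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if "access_token" not in data:
        raise RuntimeError("token response missing access_token")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": now + int(data.get("expires_in", 0)),
    }


def needs_refresh(token, now=None, skew=60):
    """True when the access token is within `skew` seconds of expiry (or already expired)."""
    now = time.time() if now is None else now
    return now + skew >= token["expires_at"]


# Constructed sample responses so the example runs offline; the token values are fake.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "bearer", "expires_in": 3600, "scope": "wl.basic wl.offline_access",
    "access_token": "EwA...access", "refresh_token": "MCg...refresh",
})
SAMPLE_ERROR_RESPONSE = json.dumps({
    "error": "invalid_grant",
    "error_description": "The provided value for the input parameter 'refresh_token' is not valid.",
})

if __name__ == "__main__":
    redirect = "https://example.invalid/cb"          # hypothetical redirect URI
    print(build_authorize_url("CLIENT_ID", ["wl.basic", OFFLINE_SCOPE], redirect))
    code = extract_code(redirect + "?code=M.abc123")  # constructed callback URL
    _, exchange = build_token_request("CLIENT_ID", "CLIENT_SECRET", redirect, code=code)
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, now=0)
    if needs_refresh(tok, now=3550):
        _, refresh = build_token_request("CLIENT_ID", "CLIENT_SECRET", redirect,
                                         refresh_token=tok["refresh_token"])
        print(refresh["grant_type"], refresh["refresh_token"])
```

The ValueError in build_authorize_url encodes the answer's fix as a guard, so a later change back to response_type=token cannot silently reintroduce the missing-refresh-token problem; needs_refresh keeps a small clock skew so the refresh happens before the API starts rejecting the access token.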