Azure: How do I get the refresh token using curl when the output of the connection only gives an access token?

I am unable to get a refresh token using an Azure service principal (using client ID & client secret).

Kindly help me get the refresh token via curl and show me how to use it.

When I run the below curl command in the Windows CMD prompt, I am getting an access token. However, I am not getting a refresh token along with it.

Am I missing something here?

Input:

curl -X POST https://login.microsoftonline.com/12345/oauth2/token ^
-F grant_type=client_credentials ^
-F resource=https://management.core.windows.net/ ^
-F client_id=12345-abcde ^
-F client_secret=12345abcde

Output:

{
    "token_type": "Bearer",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1554368330",
    "not_before": "1554364430",
    "resource": "https://management.core.windows.net/",
    "access_token": "XXXXXXXXXXXXX"
}

As the output doesn't have a refresh token, how do I get it?

Kindly requesting any possible insights.



Solution 1:[1]

You don't get refresh tokens with client ID and secret. It doesn't make sense. Refresh tokens only make sense when a user is involved, since they allow you to get new tokens without prompting the user to log in again.

You don't need a refresh token. You can get new tokens with client ID and secret whenever you want.

Solution 2:[2]

Change the grant_type to 'password', and add username and password to the request.

curl -X POST https://login.microsoftonline.com/12345/oauth2/token ^
-F grant_type=password ^
-F resource=https://management.core.windows.net/ ^
-F client_id=12345-abcde ^
-F client_secret=12345abcde ^
-F username=user@example.com ^
-F password=******

You will be able to get the refresh_token.

{
    "token_type": "Bearer",
    "scope": "User.ReadWrite.All",
    "expires_in": "3600",
    "ext_expires_in": "3600",
    "expires_on": "1554711949",
    "not_before": "1554708049",
    "resource": "https://management.core.windows.net/",
    "access_token": "******",
    "refresh_token": "******"
}

You can use the refresh_token to refresh the access token.

Solution 3:[3]

Given an existing refresh token, this request gets a new access token and a new refresh token, which one can use to iteratively fetch new ones before the expiration period, e.g. with a timer-based process.

curl 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
     -H "Origin: https://localhost" \
     -H 'content-type: application/x-www-form-urlencoded;charset=utf-8' \
     --data-raw "client_id=${CLIENT_ID}&refresh_token=${REFRESH_TOKEN}&grant_type=refresh_token&scope=openid%20profile%20User.Read%20offline_access"
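The two renewal patterns in Solution 1 (service principal: just request another access token near expiry, no refresh token exists) and Solution 3 (delegated user flow: redeem the refresh token, keeping the rotated one) side by side, as an added example that is not from the original answers. It assumes a hypothetical injected post(url, body) -> dict callable (in practice wrapping requests.post(...).json()) and an injectable clock so it runs offline; the response dicts are constructed placeholders shaped like the JSON shown above.

```python
import time
from urllib.parse import urlencode

# Constructed sample responses shaped like the answers above (placeholder values).
SAMPLE_CC_RESPONSE = {"token_type": "Bearer", "expires_in": "3600",
                      "access_token": "ACCESS_TOKEN_PLACEHOLDER"}
SAMPLE_REFRESH_RESPONSE = {"token_type": "Bearer", "expires_in": "3600",
                           "access_token": "NEW_ACCESS_TOKEN_PLACEHOLDER",
                           "refresh_token": "NEW_REFRESH_TOKEN_PLACEHOLDER"}

class TokenCache:
    """Caches an access token and renews it `skew` seconds before it expires.

    `post` is a hypothetical callable post(url, body: str) -> dict, injected so
    the cache can be exercised offline; `clock` is injectable for the same reason.
    """
    def __init__(self, token_url, post, clock=time.time, skew=300):
        self.token_url, self.post, self.clock, self.skew = token_url, post, clock, skew
        self.access_token, self.expires_at, self.refresh_token = None, 0.0, None
        self.requests_made = []  # form bodies sent, kept only for inspection in tests

    def _store(self, resp):
        self.access_token = resp["access_token"]
        # AAD returns expires_in as a string; treat it as seconds from now.
        self.expires_at = self.clock() + int(resp["expires_in"])
        # Only delegated (user) flows return a refresh token; always keep the
        # newest one because the service may rotate it on every refresh.
        if "refresh_token" in resp:
            self.refresh_token = resp["refresh_token"]

    def _valid(self):
        return self.access_token is not None and self.clock() < self.expires_at - self.skew

    def get_client_credentials_token(self, client_id, client_secret, resource):
        """Service principal flow (v1 endpoint, `resource` parameter): there is no
        refresh token, so simply request a new access token when near expiry."""
        if not self._valid():
            body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                              "client_secret": client_secret, "resource": resource})
            self.requests_made.append(body)
            self._store(self.post(self.token_url, body))
        return self.access_token

    def get_user_token(self, client_id, scope):
        """Delegated flow (v2.0 endpoint, `scope` parameter): redeem the stored
        refresh token for a new access token plus a possibly rotated refresh token."""
        if not self._valid():
            body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                              "refresh_token": self.refresh_token, "scope": scope})
            self.requests_made.append(body)
            self._store(self.post(self.token_url, body))
        return self.access_token
```

Note that the skew is deliberate: renewing only once expires_on has passed leaves a window where requests fail with 401, and neither endpoint returns an access token that outlives expires_in.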

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 juunas
Solution 2 Tony Ju
Solution 3 Devis L.