Send refresh token to backend
Hi,
I have developed a basic SPA teams app, using teamsFx.login() to get an access token.
I would like to call sendActivityNotification() from time to time, from my backend, using a delegated permission.
It seems like to do this, I would need to send a refresh token to my backend, so that it can fetch a new access token whenever one is needed to send an activity notification.
Could you tell me how to get a refresh token in the SPA? It seems like teamsFX and MSAL.js PublicClientApplication only provide the access token, not the refresh token.
Thanks!
- Sayali-MSFT (Microsoft)
keithfable - Thanks for reporting your issue.
We will check this at our end and will get back to you.
Meanwhile, we found a related thread; please have a look at it: teams toolkit - How to refresh id-token using @microsoft/teamsfx - Stack Overflow
Hope it's helpful.
- Sayali-MSFT (Microsoft)
keithfable - Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps.
In MSAL, you can get access tokens for the APIs your app needs to call using the acquireToken* methods provided by the library. The acquireToken* methods abstract away the 2 steps involved in acquiring tokens with the OAuth 2.0 authorization code flow:
- make a request to Azure AD to obtain an authorization code
- exchange that code for an access token containing the user consented scopes.
Reference docs:
1. Acquire a token to call a web API (single-page apps) - Microsoft Entra | Microsoft Learn
2. microsoft-authentication-library-for-js/acquire-token.md at dev · AzureAD/microsoft-authentication-library-for-js (github.com)
- keithfable (Brass Contributor)
I fixed this by implementing the On-Behalf-Of flow where the front end gets a specific kind of SSO/authorization token, and sends it to the backend, which exchanges it for a more permanent token.
It took a while to figure out how to request the SSO token in the front end; it turns out there are two ways to get it:
microsoftTeams.authentication.getAuthToken()
or
teamsFx.getCredential().getToken([]); // an empty scopes array
On the backend I use the "acquire on behalf of" method and pass in the auth/SSO token, and exchange it for a permanent access token. I use a TokenCache to store the refresh and access tokens for each user in the database.
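The backend half of the On-Behalf-Of exchange described in the answer above, as an added example that is not code from the thread or from TeamsFx/MSAL: it pre-checks the SSO token's audience, tenant and expiry, then builds the raw OAuth 2.0 OBO token request. Assumptions: the config values and sample token are constructed placeholders, the function names are hypothetical, the Graph scope TeamsActivity.Send is assumed to be the delegated permission the app needs, and signature verification of the SSO token is not done here (Entra ID validates the assertion during the exchange).

```javascript
// Added example. All ids, secrets and the token below are constructed placeholders.
const OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
const SAMPLE_CFG = {
  tenantId: "11111111-1111-1111-1111-111111111111",
  clientId: "22222222-2222-2222-2222-222222222222",
  appIdUri: "api://app.example.com/22222222-2222-2222-2222-222222222222",
  clientSecret: "PLACEHOLDER-SECRET",
};

// Build an unsigned, constructed JWT so the example runs offline.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

// Decode claims WITHOUT verifying the signature: a cheap pre-check only.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Reject tokens not issued for this backend before spending a round trip on them.
function precheckSsoToken(jwt, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  const c = decodeClaims(jwt);
  // aud is the client id or the Application ID URI, depending on token version.
  if (![cfg.clientId, cfg.appIdUri].includes(c.aud)) throw new Error("wrong audience");
  if (c.tid !== cfg.tenantId) throw new Error("wrong tenant");
  if (typeof c.exp !== "number" || c.exp <= nowSec) throw new Error("expired");
  return c;
}

// Form-encoded body for the v2.0 token endpoint. offline_access is what makes
// the response include a refresh_token for the backend to store per user.
function buildOboRequest(ssoToken, cfg, scopes) {
  const body = new URLSearchParams({
    grant_type: OBO_GRANT,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    assertion: ssoToken,
    scope: scopes.join(" "),
    requested_token_use: "on_behalf_of",
  });
  return {
    url: `https://login.microsoftonline.com/${cfg.tenantId}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}
```

The returned object can be passed to any HTTP client; the JSON response carries access_token and, because offline_access was requested, refresh_token.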