My web app (SPA with backend) uses refresh tokens to access the Microsoft calendars of users when they are offline. Today it turned out that the refresh token I use in unit tests expired exactly one year after retrieving it. I searched the docs and learnt that I should ask for a new refresh token when I use the current one to obtain an access token, and that's fine.
However, I also figured out that the refresh token is revoked every time the user changes the password of their Microsoft account. And this is the real problem for me because:
1) I need to access the user's calendar when they are offline, so when an attempt to use the refresh token returns an "invalid_grant" error I can't ask the user to grant access to their calendar again, because the user is offline.
2) If the user changes their password once a month, they would have to grant access to their calendar in my app once a month too. Not really convenient for the user.
And honestly, this policy doesn't make much sense to me. The user granted my app access to their calendar, and changing the password has nothing to do with it. The user can remove their calendar from my app, or remove my app from the list of authorized apps in their Microsoft account settings.
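The refresh flow described in the question (exchange the stored refresh token for an access token, keep the new refresh token that comes back, and cope with an `invalid_grant` rejection while the user is offline), as an added example written for this page and not code from the question. It assumes a confidential backend client talking to the Microsoft identity platform v2.0 token endpoint with the standard `refresh_token` grant parameters; the client id, client secret, user id and `FakeTokenEndpoint` are hypothetical or constructed so the block runs offline.

```python
"""Refresh-token rotation with invalid_grant handling (added example, not the poster's code).

Client id/secret, user id and FakeTokenEndpoint are hypothetical/constructed.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Microsoft identity platform v2.0 token endpoint (common tenant).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


@dataclass
class Grant:
    """What the backend persists per connected user."""
    user_id: str
    refresh_token: str
    access_token: Optional[str] = None
    expires_at: float = 0.0
    # Set when the refresh token is rejected; the user must consent again when they return.
    needs_reconsent: bool = False


# post(url, form) -> (status_code, json_body); injected so the transport can be swapped.
PostFn = Callable[[str, dict], tuple]


def refresh_access_token(grant: Grant, post: PostFn, client_id: str, client_secret: str,
                         scope: str, now: Callable[[], float] = time.time) -> Optional[str]:
    """Exchange the stored refresh token; return an access token, or None if the grant is dead.

    Transient failures raise so the caller can retry later without discarding the token.
    """
    if grant.needs_reconsent:
        return None  # do not keep hammering the endpoint with a dead token
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,   # confidential (backend) client
        "refresh_token": grant.refresh_token,
        "scope": scope,                   # offline_access is required to get refresh tokens
    }
    status, body = post(TOKEN_ENDPOINT, form)
    if status == 200:
        grant.access_token = body["access_token"]
        grant.expires_at = now() + int(body.get("expires_in", 3600))
        # Rotation: if a new refresh token is returned, replace the old one immediately.
        if body.get("refresh_token"):
            grant.refresh_token = body["refresh_token"]
        return grant.access_token
    if body.get("error") == "invalid_grant":
        # Refresh token expired or revoked (e.g. after a password change). While the user is
        # offline the backend can only flag the account for re-consent on their next visit.
        grant.needs_reconsent = True
        grant.access_token = None
        return None
    raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")


def get_access_token(grant, post, client_id, client_secret, scope, now=time.time):
    """Return a usable access token, refreshing only when the cached one is (nearly) expired."""
    if grant.access_token and now() < grant.expires_at - 60:
        return grant.access_token
    return refresh_access_token(grant, post, client_id, client_secret, scope, now)


class FakeTokenEndpoint:
    """Constructed offline stand-in: rotates refresh tokens, can simulate revocation."""
    def __init__(self, valid_refresh_tokens):
        self.valid = set(valid_refresh_tokens)
        self.issued = 0

    def revoke_all(self):
        """Simulates the revocation that follows the user's password change."""
        self.valid.clear()

    def post(self, url, form):
        rt = form.get("refresh_token")
        if rt not in self.valid:
            return 400, {"error": "invalid_grant"}
        self.valid.discard(rt)  # old refresh token is single-use
        self.issued += 1
        new_rt = f"rt-{self.issued}"
        self.valid.add(new_rt)
        return 200, {"token_type": "Bearer", "expires_in": 3600,
                     "access_token": f"at-{self.issued}", "refresh_token": new_rt}


def demo():
    """Rotation, cache hit, then revocation after a simulated password change."""
    endpoint = FakeTokenEndpoint({"rt-0"})
    grant = Grant(user_id="user-1", refresh_token="rt-0")
    args = (endpoint.post, "app-client-id", "app-client-secret",
            "offline_access https://graph.microsoft.com/Calendars.Read")
    clock = [1000.0]
    now = lambda: clock[0]
    first = get_access_token(grant, *args, now=now)    # rt-0 -> at-1, stores rt-1
    cached = get_access_token(grant, *args, now=now)   # still valid, no round trip
    clock[0] += 3600                                    # access token expired
    second = get_access_token(grant, *args, now=now)   # rt-1 -> at-2, stores rt-2
    endpoint.revoke_all()                               # user changed password
    clock[0] += 3600
    third = get_access_token(grant, *args, now=now)    # invalid_grant -> None, flagged
    return first, cached, second, third, grant


if __name__ == "__main__":
    print(demo())
```

In this example the `invalid_grant` branch deliberately does not retry: once the refresh token is rejected, the grant is marked `needs_reconsent` so the app can route the user back through consent the next time they are online, which is the only recovery the question identifies.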