I am trying to use Microsoft 365 and OAuth to get an access token and a refresh token. According to the Microsoft 365 docs, we need to use the "offline_access" scope to get a refresh token along with the access token. However, the response I am getting does not contain a refresh token.
Here is the code I used:
    import requests

    # tenant_id, client_id and client_secret are defined elsewhere
    url = "https://login.microsoftonline.com/{}/oauth2/v2.0/token".format(tenant_id)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
    }
    data = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default offline_access",
    }
    response = requests.post(url, headers=headers, data=data)
The response contains the access token like usual, but does not contain the refresh token despite using the offline_access scope. Could someone kindly tell me what the issue is?
I tried to reproduce the same in my environment and got the results below:
To get the refresh token, you need to choose a user-interactive flow such as the Auth-Code Flow.
I created an Azure AD Application and added API permissions like below:
I generated the auth code using the endpoint below:
I generated the access token and refresh token using the parameters below:
By using the refresh token generated above, I refreshed the access token successfully like below:
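The steps of the answer above as an added sketch, not code from the original answer: it builds the authorize URL, validates the redirect, and produces the form bodies for the code exchange and the later refresh, each of which is sent with requests.post(token_url, data=body) as in the question. The User.Read scope, the redirect URI and all function names are assumptions for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
# Assumed delegated scope; offline_access is what asks for a refresh token.
SCOPE = "https://graph.microsoft.com/User.Read offline_access"


def build_authorize_url(tenant_id, client_id, redirect_uri, state=None):
    """Step 1: URL the signing-in user opens to obtain an authorization code."""
    state = state or secrets.token_urlsafe(16)  # echoed back; checked in step 2
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,
    })
    return AUTHORITY.format(tenant=tenant_id) + "/authorize?" + query, state


def read_code(callback_url, expected_state):
    """Step 2: extract the code from the redirect; reject a foreign state."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: redirect is not for this request")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    return params["code"][0]


def code_grant(client_id, client_secret, code, redirect_uri):
    """Step 3: token request body; the response carries both tokens."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "scope": SCOPE}


def refresh_grant(client_id, client_secret, refresh_token):
    """Step 4: token request body that trades the refresh token for a new
    access token. Store the refresh token like a password."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "refresh_token", "refresh_token": refresh_token,
            "scope": SCOPE}
```

The client_credentials grant in the question has no user to stay signed in for, and RFC 6749 section 4.4.3 says a refresh token should not be included in its response; the application simply requests a new access token with its client secret when the old one expires.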