Office 365 vs. Outlook OAuth2 offline_access inconsistencies with refresh_token requests


I am developing a web app that is supposed to access contact and other information for users with their Outlook or Office 365 accounts and I am having some issues with offline_access to Office365 accounts.

Upon initial authentication the code works fine and I am able to access all I need for both Outlook and Office 365 accounts.

The inconsistency shows up after the initial access token has expired. For Outlook accounts I can always refresh the access token, while for Office 365 accounts the exact same code fails with a "400 Bad Request" error.

It feels like there should be something different done for the Office 365 accounts when refreshing the access token, but I cannot figure out what... I am not even sure how to tell whether the users have used an Outlook vs. Office 365 account, but I can figure this out later.

The authority URL I use is https://login.microsoftonline.com/common/oauth2/v2.0/token and I thought that perhaps it should be different for Outlook and Office 365 but everything else appears to be working for both account types except for the refresh_token request.

Appreciate your help! Thanks!


Jeff Kanazi

This is weird, but the solution to the problem is in making sure the redirect_url parameter used in the refresh token request matches exactly the registered redirect URL, including the host name.

Amazingly, this is true only for Office 365 accounts and only for refresh token requests. It looks like all other APIs for both Outlook and Office 365 accounts do not care about the supplied redirect URL and use whatever was registered for the app instead.
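One way to make that exact-match requirement explicit in the app before the refresh request ever leaves it, as an added example (not code from the question or the answer; the token endpoint is the one from the question, while the registered redirect URI, client values and scopes are constructed placeholders):

```python
# Added example: build the refresh_token grant for the v2.0 token endpoint
# and refuse to send it unless redirect_uri matches a registered URI exactly,
# which is the failure the answer above describes for Office 365 accounts.
from urllib.parse import urlencode, urlparse

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

# Constructed sample value; the real app registration decides this set.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/auth/callback"}


def redirect_uri_matches(candidate: str, registered: set) -> bool:
    """Exact match on scheme, host, port and path: no host-only or prefix match,
    and a trailing slash or http/https swap is treated as a different URI."""
    c = urlparse(candidate)
    for r in map(urlparse, registered):
        if (c.scheme, c.hostname, c.port, c.path) == (r.scheme, r.hostname, r.port, r.path):
            return True
    return False


def build_refresh_request(client_id, client_secret, refresh_token, redirect_uri, scopes):
    """Return (url, form_body) for the refresh_token grant, or raise before any network call."""
    if not redirect_uri_matches(redirect_uri, REGISTERED_REDIRECT_URIS):
        raise ValueError(f"redirect_uri {redirect_uri!r} does not exactly match a registered URI")
    # Without offline_access the v2.0 endpoint does not keep issuing refresh tokens.
    if "offline_access" not in scopes:
        raise ValueError("offline_access must stay in the requested scopes")
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    # Sent as application/x-www-form-urlencoded in a POST to TOKEN_URL.
    return TOKEN_URL, urlencode(body)
```

A mismatch is caught locally with a clear message instead of surfacing as an opaque 400 from the token endpoint.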