如何配置Azure AD以启用刷新令牌


我有一个链接到Azure AD的Azure App Service / Web API,并且身份验证正常,但是客户端令牌在1小时后过期,因此我想启用OAuth refresh_token。当我检查服务上调用/.auth/me的结果时,没有看到refresh_token。在应用程序服务上启用了令牌存储。

I have an Azure App Service / Web API linked to Azure AD and authentication is working, however client tokens are expiring after 1 hour, so I want to enable the OAuth refresh_token. When I inspect the results of calling /.auth/me on my service I don't see a refresh_token. Token store is enabled on the app service.

我尝试将其添加到Azure AD的 oauth2permissions 中清单如下,但没有出现(我已重新启动App服务并在缓存令牌的情况下重新部署了我的服务):

I have tried to add it to the oauth2permissions in the Azure AD manifest as follows, but it doesn't appear (I have restarted the App service and redeployed my service in case of caching of tokens) :

"oauth2Permissions": [ 
        "adminConsentDescription": "Allow the application to store a refresh token on behalf of the signed-in user.",
        "adminConsentDisplayName": "Refresh tokens",
        "id": "3AGH4D29-B64A-4A9A-8DBC-5DB3C8BBBD75",
        "isEnabled": true,
        "type": "User",
        "userConsentDescription": "Allow the application to store a refresh token on your behalf.",
        "userConsentDisplayName": "Store refresh token",
        "value": "refresh_token"


I have based my attempts on the guidance given here : https://cgillum.tech/2016/03/07/app-service-token-store/

我使用此处的指南解决了此问题: https://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/

I resolved this using the guidance here : https://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/


Basically you have to update the auth settings of your app service. And there isn't a UI for it, so I used the azure resource explorer.

关键是将AdditionalLoginParams值设置为 [ response_type = code id_token,资源= https://graph.windows.net]

The key was setting the additionalLoginParams value to ["response_type=code id_token", "resource=https://graph.windows.net"].