Azure AD refresh token is getting invalid frequently

Yasitha Pandithawatta 121 Reputation points
2022-02-15T09:17:12.93+00:00

We have an application that our customers can authenticate to and grant some Graph API permissions. After the initial grant we store the refresh token and use it to generate an access token when we need to access their data. We keep renewing the refresh tokens every 14 days, before they expire.

But somehow we have seen a lot of invalid grants when we try to generate the access token from the refresh token. We are getting the error below.

AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2022-01-19T08:26:23.0488237Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2022-01-24T10:37:49.0000000Z'

We have checked with the customers and they confirmed they haven't revoked the permissions or reset the password of the global admin who authenticated our app. They don't have any password reset/expiry configured in their tenant, yet we see this error more frequently. It's a hassle, as we need to ask them to keep reauthenticating our app whenever this error happens.

What could be the root cause of this issue and what would be the best way to prevent this?

Thanks

Microsoft Entra ID

1 answer

  1. Shweta Mathur 27,711 Reputation points Microsoft Employee
    2022-02-15T12:18:54.857+00:00

    Hi YasithaPandithawatta-2282,

    Thanks for reaching out.

    From your query I understand that you are facing an issue getting the access token due to an invalid refresh token.

    There might be a few possible scenarios in this case.

    1. This error occurs when the refresh token has expired, either because the password was changed for the user or because the token has been revoked by the user or an admin through PowerShell or the Azure portal. As you have already confirmed the above possibilities, there is a chance that a Conditional Access policy has been configured to control the user's refresh token and force the user to sign in again.
    2. Another possibility is that you are not replacing the old refresh token with the fresh one, which is also provided whenever you make a call to get a new access token using a refresh token.

    As mentioned in "Refreshing the access token", refresh tokens aren't revoked when used to acquire new access tokens. You're expected to discard the old refresh token. When you receive a response with a refresh token error, discard the current refresh token and request a new authorization code or access token. In particular, when using a refresh token in the Authorization Code Grant flow, if you receive a response with the interaction_required or invalid_grant error codes, discard the refresh token and request a new authorization code.

    Hope this will help.

    Thanks,
    Shweta

    ------------------------------------

    Please remember to "Accept Answer" if answer helped you.
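The rotation-and-discard handling described in the answer, as an added example that is not part of the original thread or of any Microsoft library: every successful redemption overwrites the stored refresh token with the one in the response, and an invalid_grant or interaction_required error (such as AADSTS50173) flags the customer's grant for a new authorization code instead of being retried. The `Grant` store, the `post` transport and the sample token values are constructed stand-ins; only the v2.0 token endpoint URL and the error-body fields are real.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Errors after which the stored refresh token is dead and the customer must re-consent
REAUTH_ERRORS = {"invalid_grant", "interaction_required"}

@dataclass
class Grant:
    """Persisted per-customer grant (hypothetical in-memory stand-in for a database row)."""
    refresh_token: str
    needs_reauth: bool = False
    last_error: Optional[str] = None

Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]  # (url, form) -> (status, body)

def redeem_refresh_token(grant: Grant, tenant: str, client_id: str,
                         client_secret: str, scope: str, post: Transport) -> Optional[str]:
    """Exchange the stored refresh token for an access token, rotating the stored token."""
    form = {"grant_type": "refresh_token", "refresh_token": grant.refresh_token,
            "client_id": client_id, "client_secret": client_secret, "scope": scope}
    status, resp = post(TOKEN_URL.format(tenant=tenant), form)
    if status == 200 and "access_token" in resp:
        # The response carries a fresh refresh token: store it and never reuse the old one
        if resp.get("refresh_token"):
            grant.refresh_token = resp["refresh_token"]
        return resp["access_token"]
    if resp.get("error") in REAUTH_ERRORS:
        # e.g. AADSTS50173 (error_codes [50173]): stop retrying, request a new auth code
        grant.needs_reauth = True
        grant.last_error = resp.get("error_description", resp.get("error"))
        return None
    # Anything else (throttling, transient failure): keep the token and let the caller retry
    raise RuntimeError(f"token endpoint returned {status}: {resp}")

# Constructed fake transport: "rt-1" is valid and rotates to "rt-2"; "rt-old" was issued
# before the tenant's TokensValidFrom date and is rejected the way the question describes.
def fake_post(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    assert url.endswith("/oauth2/v2.0/token") and form["grant_type"] == "refresh_token"
    if form["refresh_token"] == "rt-1":
        return 200, {"access_token": "at-1", "refresh_token": "rt-2", "expires_in": 3599}
    return 400, {"error": "invalid_grant", "error_codes": [50173],
                 "error_description": "AADSTS50173: The provided grant has expired due to it being revoked"}

def demo() -> Tuple[Grant, Grant]:
    scope = "https://graph.microsoft.com/.default"
    good, stale = Grant("rt-1"), Grant("rt-old")
    redeem_refresh_token(good, "common", "app-id", "app-secret", scope, fake_post)
    redeem_refresh_token(stale, "common", "app-id", "app-secret", scope, fake_post)
    return good, stale
```

A store that still holds "rt-1" after the call is the bug the answer's second scenario describes; the `needs_reauth` flag is what your app should surface to the customer instead of retrying the same token.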