ADFS 3.0 OAuth refresh token expiration

Laszlo Penzes 1 Reputation point
2021-03-05T09:53:23.473+00:00

Hi,

I'm struggling with a problem at one of my customers. An external web application is querying a RESTful service which is secured by ADFS 3.0 (Windows Server 2012 R2).

I configured a Relying Party Trust and created a client application with a redirect uri.

  • User initiates logon within external web app (Cyclr integration tool)
  • On ADFS login dialog, types email/password and ticks "keep me signed in"
  • External web app receives authorization code
  • Using the auth code, gets a set of OAuth tokens (access and refresh token)
  • When access token expires, gets a new access token by using refresh token
  • When refresh token is about to expire, external web app should get a new refresh token as well, but it doesn't

I found documentation regarding ADFS 4.0 (Windows server 2016) only:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios

According to it, a refresh_token_expires_in parameter should be received and the client (int this case external web app) can get a new refresh token when the old one is about to expire. Now we don't receive any such parameter and can't get a new refresh token.

Is there a way to convince ADFS 3.0 to work as expected?

Thank you,
Laszlo

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,201 questions
0 comments