3.1.5.1.3.3 Processing Details

The client first requests a primary refresh token from the server as defined in sections 3.1.5.1.2 and 3.2.5.1.2. It then uses the Primary Refresh Token ADM element (section 3.1.1) to populate the refresh_token field in this request for the access token.

The client derives a signing key from the Session Key ADM element (section 3.1.1), the constant label "AzureAD-SecureConversation", and the ctx value provided in the JWT header of the request by using the process described in [SP800-108]. The client uses this signing key to sign the request.