184.108.40.206.3.3 Processing Details
The client first requests a primary refresh token from the server as defined in sections 220.127.116.11.2 and 18.104.22.168.2. It then uses the Primary Refresh Token ADM element (section 3.1.1) to populate the refresh_token field in this request for the access token.
The client derives a signing key from the Session Key ADM element (section 3.1.1), the constant label "AzureAD-SecureConversation", and the ctx value provided in the JWT header of the request by using the process described in [SP800-108]. The client uses this signing key to sign the request.
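The derivation and signing step described above, as an added example (not code from the specification). It assumes the SP800-108 counter-mode KDF with HMAC-SHA256 and a 256-bit output, an HS256 JWT, and a base64-encoded ctx header value; the function names, session key and token value are constructed for illustration.

```python
import base64, hashlib, hmac, json, os, struct

LABEL = b"AzureAD-SecureConversation"  # constant label given in the text

def derive_signing_key(session_key: bytes, ctx: bytes, bits: int = 256) -> bytes:
    """SP800-108 KDF in counter mode; PRF = HMAC-SHA256 (assumed mode and PRF)."""
    out = b""
    for i in range(1, -(-bits // 256) + 1):
        # K(i) = PRF(KI, [i]_32 || Label || 0x00 || Context || [L]_32)
        fixed = struct.pack(">I", i) + LABEL + b"\x00" + ctx + struct.pack(">I", bits)
        out += hmac.new(session_key, fixed, hashlib.sha256).digest()
    return out[: bits // 8]

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request(session_key: bytes, ctx: bytes, claims: dict) -> str:
    # Assumed header layout: HS256, with ctx carried base64-encoded.
    header = {"alg": "HS256", "ctx": base64.b64encode(ctx).decode()}
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    key = derive_signing_key(session_key, ctx)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_request(session_key: bytes, token: str) -> bool:
    """Receiver side: re-derive the key from the header's ctx, compare in constant time."""
    try:
        head, body, sig = token.split(".")
        ctx = base64.b64decode(json.loads(b64url_decode(head))["ctx"])
        presented = b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return False  # malformed token: reject without deriving anything
    key = derive_signing_key(session_key, ctx)
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)

if __name__ == "__main__":
    session_key = bytes(range(32))  # constructed stand-in for the Session Key ADM element
    ctx = os.urandom(24)            # fresh per request; length is an assumption
    token = sign_request(session_key, ctx, {"refresh_token": "CONSTRUCTED-PRT"})
    print(token, verify_request(session_key, token))
```

Because ctx is fresh per request, each request is signed with a different derived key and the session key itself never signs anything directly.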