Azure-docs: Refresh Token in other policies
This ropc policy configures a user journey to redeem a refresh token in JwtIssuer technical profile by setting RefreshTokenUserJourneyId. Can this approach be used for custom singin/signup policies as well? Or is this a specific feature for ropc? Is there any other documentation about RefreshTokenUserJourneyId, because this is the only place I could find where this is ever mentioned.
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: c21f5240-6fe2-41ec-293a-2e3b33522706
- Version Independent ID: 095c2d6b-8691-74b6-99d5-db0ee1017194
- Content: Configure the resource owner password credentials flow with custom policies - Azure AD B2C
- Content Source: articles/active-directory-b2c/ropc-custom.md
- Service: active-directory
- Sub-service: b2c
- GitHub Login: @msmimart
- Microsoft Alias: mimart
HWouters
All 8 comments
@HWouters Thanks for your feedback! We will investigate and update as appropriate.
SaurabhSharma-MSFT
on 18 May 2020
@HWouters It can be used in any case.. All we are doing is specifying a user journey that should be executed when we are redeeming the refresh token to get new access token. Please check this
Ref: Define a technical profile for a JWT token issuer
SaurabhSharma-MSFT
on 28 May 2020
Thank you for answering @SaurabhSharma-MSFT !
HWouters
on 28 May 2020
@HWouters We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.
SaurabhSharma-MSFT
on 28 May 2020
A problem occurs when you are trying to get custom claims from claim providers during your journey. It actually does not update them, although the new claims are requested, for example with REST API provider.
Imagine that you’re getting a claim from your API. You will get a claim but it’s value will be the same as retrieved on generating first id_token. Refreshing it will not update that claim (but it will be requested - we see logs in the API).
I think we should reopen this ticket and discuss if this behaviour is by design.
matjanos
on 3 Jun 2020
@matjanos I have experienced the same issue. It seems the claims requested by a refresh token are never updated. Notice it's not only the case with claims requested by rest api, but also with build in claims like displayname. If you change the displayname in ad, it won't update the name claim in your idtoken. When you display the name of the signed in user in your application it will always show the old name, until the user actively do a signout and a new interactive signin.
The only useful thing I could do with this refresh user journey is checking if the refresh token is not revoked. Unfortunately if you don't do this, users can keep using their refresh token. Not being able to revoke refresh tokens, seem to me a security issue.
The thing I haven't tried is removing the user from ad. I wouldn't be surprised the refresh token is still giving back a new token with original old claims...
HWouters
on 4 Jun 2020
@SaurabhSharma-MSFT can this reopened the for the reasons given by @matjanos. Specifically, is this (not updating the claims returned in the token) behaviour by design?
worldspawn
on 27 Aug 2020
@SaurabhSharma-MSFT, can we consider reopening this issue?
matjanos
on 2 Dec 2020
Related issues
DeepPuddles
·
3Comments
spottedmahn
·
3Comments
jebeld17
·
3Comments
jharbieh
·
3Comments
JeffLoo-ong
·
3Comments
Most helpful comment
A problem occurs when you are trying to get custom claims from claim providers during your journey. It actually does not update them, although the new claims are requested, for example with REST API provider.
Imagine that you’re getting a claim from your API. You will get a claim but it’s value will be the same as retrieved on generating first id_token. Refreshing it will not update that claim (but it will be requested - we see logs in the API).
I think we should reopen this ticket and discuss if this behaviour is by design.