Unable to renew microsoft access token after expiry #1440

Open
jimmythedog opened this issue May 2, 2019 · 10 comments

Comments

@jimmythedog
Contributor

jimmythedog commented May 2, 2019

When using the microsoft connector, the following error appears when trying to request a new token, after the access token has expired

"token expired and refresh token is not set"

  • To clarify, I'm NOT talking about when the dex token expires, I'm talking about the connectorData.accessToken expiry time in the persisted refreshtoken
  • This looks like it's because there is no refreshToken value in the k8s refreshtoken's connector data
    • e.g. kubectl -n dex describe refreshtoken -o jsonpath="{.connectorData}" REFRESH_TOKEN_ID| base64 --decode contains an empty refreshToken
    • further investigation reveals that the scope parameter of the microsoft authorize request only contains the user and directory scopes - not the offline_access scope

The following patch has fixed the problem for us:

diff --git a/connector/microsoft/microsoft.go b/connector/microsoft/microsoft.go
index ad6b3e7..cdea839 100644
--- a/connector/microsoft/microsoft.go
+++ b/connector/microsoft/microsoft.go
@@ -93,6 +93,10 @@ func (c *microsoftConnector) oauth2Config(scopes connector.Scopes) *oauth2.Confi
                microsoftScopes = append(microsoftScopes, scopeGroups)
        }
 
+       if scopes.OfflineAccess {
+               microsoftScopes = append(microsoftScopes, "offline_access")
+       }
+
        return &oauth2.Config{
                ClientID:     c.clientID,
                ClientSecret: c.clientSecret,
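Review bot: the new `if scopes.OfflineAccess` branch appends `"offline_access"` with no comment explaining why it is needed; add a one-line comment above it (e.g. `// Microsoft only returns a refresh token when offline_access is requested`) so the next reader does not strip it as an unnecessary scope, and consider a unit test asserting that `oauth2Config(connector.Scopes{OfflineAccess: true}).Scopes` contains `offline_access` and that the list stays unchanged when it is false.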
@srenatus
Contributor

srenatus commented May 2, 2019

Good find! Thank you. Would you mind opening a pull request with that?

@jimmythedog
Contributor Author

jimmythedog commented May 2, 2019

No problem - all done, let me know if you need me to do anything else/different

@RichardLindhout

Not sure if your code fixed the problem. Still got failed to refresh identity: microsoft: get user: get URL Get https://graph.microsoft.com/v1.0/me?$select=id,displayName,userPrincipalName: oauth2: token expired and refresh token is not set

@jimmythedog
Contributor Author

jimmythedog commented May 13, 2019

@RichardLindhout did you get a new refresh token?

If so, what is the output from: kubectl -n DEX_NAMESPACE get refreshtoken -o jsonpath="{.connectorData}" YOUR_REFRESH_TOKEN | base64 --decode | jq ".refreshToken"?
Is it empty?
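The two checks discussed in this thread, the scope list the connector sends to Microsoft and whether the persisted connector data actually carries a refresh token, as a stand-alone Go program. This is an added example, not dex's own code: `Scopes`, the scope string constants and the `connectorData` field set are simplified stand-ins for dex's types (assumptions), and `sampleConnectorData` builds a constructed base64 blob in the shape that the `kubectl ... | base64 --decode` command above prints.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Scopes is a simplified stand-in for dex's connector.Scopes (assumption:
// only the two fields relevant to this issue are modelled).
type Scopes struct {
	OfflineAccess bool
	Groups        bool
}

// Scope strings (assumed values; the real connector defines its own constants).
const (
	scopeUser    = "user.read"
	scopeGroups  = "directory.read.all"
	scopeOffline = "offline_access"
)

// microsoftScopes builds the scope list the way the patch in this issue does:
// offline_access is requested only when the caller asked for OfflineAccess.
// Without it Microsoft issues no refresh token, which is the root cause here.
func microsoftScopes(s Scopes) []string {
	scopes := []string{scopeUser}
	if s.Groups {
		scopes = append(scopes, scopeGroups)
	}
	if s.OfflineAccess {
		scopes = append(scopes, scopeOffline)
	}
	return scopes
}

// hasScope reports whether want appears in scopes.
func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// connectorData models the JSON dex persists next to a refresh token for the
// Microsoft connector (field names as used in the thread's jq check).
type connectorData struct {
	AccessToken  string `json:"accessToken"`
	RefreshToken string `json:"refreshToken"`
}

// refreshTokenPresent decodes a base64-encoded connectorData blob and reports
// whether refreshToken is non-empty; an empty value means the next refresh
// will fail with "token expired and refresh token is not set".
func refreshTokenPresent(b64 string) (bool, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return false, fmt.Errorf("decode connectorData: %w", err)
	}
	var cd connectorData
	if err := json.Unmarshal(raw, &cd); err != nil {
		return false, fmt.Errorf("parse connectorData: %w", err)
	}
	return cd.RefreshToken != "", nil
}

// sampleConnectorData builds a constructed connectorData blob, base64-encoded
// as the kubectl jsonpath output is, with the given refresh token value.
func sampleConnectorData(refresh string) string {
	cd := connectorData{AccessToken: "constructed-access-token", RefreshToken: refresh}
	raw, _ := json.Marshal(cd) // cannot fail for this struct
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	fmt.Println("scopes without OfflineAccess:", microsoftScopes(Scopes{Groups: true}))
	fmt.Println("scopes with OfflineAccess:   ", microsoftScopes(Scopes{Groups: true, OfflineAccess: true}))

	for _, blob := range []string{sampleConnectorData(""), sampleConnectorData("constructed-refresh-token")} {
		ok, err := refreshTokenPresent(blob)
		fmt.Printf("refresh token present: %v (err=%v)\n", ok, err)
	}
}
```

To run the same check against a live cluster, pipe the output of the `kubectl get refreshtoken -o jsonpath="{.connectorData}"` command above into `refreshTokenPresent` instead of the constructed sample; a `false` result points at the scope list rather than at dex's own token expiry.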

@RichardLindhout

This is the code I've changed: RichardLindhout@54d6934.

Your command does not work, because we have a postgres database I guess.
Also I got the error when I want tenants to accept our application:

We have one accepted tenant and it works there. Maybe we should add the offline access in more places.

Maybe multiple tenants are not allowed? I did not configure a tenant so everyone should be allowed to accept it. We're getting a Bad Session error.
https://login.microsoftonline.com/TENANT_ID.onmicrosoft.com/adminconsent?client_id=...........

@jimmythedog
Contributor Author

I guess there are other problems in the code then, as the fix works fine for us

@RichardLindhout

Hmmm.
(screenshot attached: 2019-05-13 at 12:03:05)

@RichardLindhout

Strange then. Can't wrap my head around it.

@RichardLindhout

time="2019-05-13T09:48:32Z" level=error msg="failed to refresh identity: microsoft: get user: get URL Get https://graph.microsoft.com/v1.0/me?$select=id,displayName,userPrincipalName: oauth2: token expired and refresh token is not set"

Same as before merging the pull request.

@RichardLindhout

@jimmythedog It's something else. I don't get a state parameter back from the admin consent. Thanks for your work btw ;)

maksd added a commit to maksd/dex that referenced this issue May 30, 2019
* 1440-fix-msoft-refresh-token:
  dexidp#1440 Add offline_access scope, if required
bonifaido added a commit that referenced this issue Jul 8, 2020
elffjs pushed a commit to DIMO-Network/dex that referenced this issue Jun 27, 2022
Without this scope, a refresh token will not be returned from Microsoft

3 participants