Support for refresh tokens in ADFS 2.2 OAuth flow

Tags: adfs, oauth

My colleague and I are trying to enable OAuth in ADFS 2.2. Everything is working except the server only passes back an access token (w/ expiration) and does not include a refresh token after successful login. There is very little documentation on this, but does anyone know what setting needs to be updated to return refresh tokens?

Edit: The proposed OAuth 2.0 spec states:

Issuing a refresh token is optional at the discretion of the authorization server. If the authorization server issues a refresh token, it is included when issuing an access token

Since I am receiving an access token, but no refresh token, and since ADFS currently only implements OAuth's code flow, my guess is the ADFS team chose not to return refresh tokens. I would love to hear this definitively though.

Edit: Like Travis said below, make sure

  • RP's IssueOAuthRefreshTokensTo is set correctly
  • RP's AlwaysRequireAuthentication is false
  • RP's TokenLifetime is lower than ADFS' SSOLifetime

Best Answer

There is a configuration switch named IssueOAuthRefreshTokensTo on the ADFS relying party object which controls what types of devices refresh tokens are emitted to. By default this value is set to "NoDevice", which implies that ADFS will not release refresh tokens. Possible values are:

  1. NoDevice = never issue refresh tokens
  2. AllDevices = always issue refresh tokens
  3. WorkplaceJoinedDevices = only issue refresh tokens on workplace joined devices, i.e. ones that have been registered using the DRS service.

In addition to verifying if the relying party allows issuance of refresh tokens, ADFS will also verify the following:

  1. The SSO token presented to ADFS will not expire before the access token to the RP expires. As long as you haven't changed the default configuration values and are coming in with a clean browser session (i.e. no SSO cookie), this case shouldn't come into play.
  2. The relying party is not marked to always require fresh credentials.

Can you also verify that you are sending a valid resource parameter in the authorization request?

ADFS has a debug log. If you can reproduce this behavior on a non-production system, the easiest way to identify the issue might be to enable debug logs.

This article covers how to enable debug logs on an ADFS 2.0 system. ADFS 3.0 (2012 R2) is similar; the node names are slightly different and you don't need to enable WIF or WCF tracing in the config file.

http://social.technet.microsoft.com/wiki/contents/articles/1407.how-to-enable-debug-logging-for-active-directory-federation-services-2-0-ad-fs-2-0.aspx
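As an added example (not part of the answer above), the following read-only PowerShell check reads the three relying-party and service settings the answer lists (IssueOAuthRefreshTokensTo, AlwaysRequireAuthentication, TokenLifetime vs. SsoLifetime) with the ADFS module's Get-AdfsRelyingPartyTrust and Get-AdfsProperties cmdlets and reports which one would block refresh-token issuance. It assumes an elevated session on an ADFS 3.0 (2012 R2) server, that the trust name passed in exists, and (labelled in the comments) that a TokenLifetime of 0 means the RP inherits the service default.

```powershell
# Added example, not code from the answer above. Run on the ADFS server in an
# elevated session; it only reads configuration and changes nothing.
Import-Module ADFS

function Test-AdfsRefreshTokenIssuance {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RelyingPartyName
    )

    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found." }
    $props = Get-AdfsProperties

    $findings = @()

    # 1. IssueOAuthRefreshTokensTo must not be NoDevice (the default).
    if ($rp.IssueOAuthRefreshTokensTo -eq 'NoDevice') {
        $findings += "IssueOAuthRefreshTokensTo is NoDevice: refresh tokens are never issued to this RP."
    }

    # 2. AlwaysRequireAuthentication must be false, or ADFS demands fresh credentials.
    if ($rp.AlwaysRequireAuthentication) {
        $findings += "AlwaysRequireAuthentication is true: no refresh token will be issued."
    }

    # 3. The RP's TokenLifetime (minutes) must be lower than the service SsoLifetime (minutes).
    #    Assumption: a TokenLifetime of 0 means the RP inherits the service default,
    #    so the comparison is skipped in that case; confirm the default on your farm.
    if ($rp.TokenLifetime -gt 0 -and $rp.TokenLifetime -ge $props.SsoLifetime) {
        $findings += ("TokenLifetime ({0} min) is not lower than SsoLifetime ({1} min)." -f
            $rp.TokenLifetime, $props.SsoLifetime)
    }

    [pscustomobject]@{
        RelyingParty                = $rp.Name
        IssueOAuthRefreshTokensTo   = $rp.IssueOAuthRefreshTokensTo
        AlwaysRequireAuthentication = $rp.AlwaysRequireAuthentication
        TokenLifetimeMinutes        = $rp.TokenLifetime
        SsoLifetimeMinutes          = $props.SsoLifetime
        RefreshTokensExpected       = ($findings.Count -eq 0)
        Findings                    = $findings
    }
}

# Usage: replace the placeholder with the relying party trust name configured in your farm.
Test-AdfsRefreshTokenIssuance -RelyingPartyName '<RP-TRUST-NAME>' | Format-List
```

If RefreshTokensExpected is false, the Findings list names the setting to revisit; if it is true and no refresh token is returned, the answer's remaining suggestions (a valid resource parameter, the debug log) are the next things to check.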