No way to Initialize the AuthorizationCodeProvider using a valid RefreshToken

[heyalistair]

I'm opening an issue from the now-archived msgraph-sdk-java-auth repo here, as I can't comment on it.

Expected behavior

In situations where you have already persisted the AccessToken (First Time Retrieved) and refreshToken in the database for future use, there should be a way to initialize the AuthorizationCodeProvider with a RefreshToken directly instead of AuthorizationCode .
The feature request is analogous to what is available in google-oauth library with Credential Class.

The version of msgraph-sdk-java 3.0.0. Is this resolved in this release?

AB#8614

[baywet]

Hey @heyalistair ,
Thanks for reaching out.
This really depends on your authentication scenario/flow. As a general rule of thumb, Azure identity which uses MSAL under the covers has a token cache and renews tokens automatically. This token cache can be persisted in case the app needs to go offline.
In any case, that's a question you should ask on the azure identity repo providing more information about your scenario.

[heyalistair]

Azure identity which uses MSAL under the covers has a token cache and renews tokens automatically. This token cache can be persisted in case the app needs to go offline.

@baywet Thanks ok, that sounds exactly what I need to do in my case. Will take a closer look at azure identity repo. Congrats on the major release.

[baywet]

thank you very much for the original feedback, the patience and the kind words! Let us know if you find anything with v3. Closing.

[heyalistair]

Ok just a little update as I've been playing around with v3.0.0 and doing a deep dive on Azure/azure-sdk-for-java and in turn AzureAD/microsoft-authentication-library-for-java. In the latter, I do see examples showing how I can make the credentials persist across instances of my application, so I would be able to code up a custom implementation there. Once I finish that, I believe it's possible to build a custom IAuthenticationProvider by extending BaseAuthenticationProvider.

Ultimately, it seems like this is an area of active work and that there are some related features for this stuff in the pipeline here: Azure/azure-sdk-for-java#19734 I don't think I have the time to implement all of this, so I think I will just change my requirements and do it another way.

I would have thought my use case, authenticating using a refresh token, was very common. This would help me maintain offline access and access between different instances of my applications. It seems strange to me that there is no easy way to do this.

For the record, Google provides a good solution of this in their OAuth2 implementation, with their DataStore and DataStoreFactory

[baywet]

Thanks a lot for sharing this additional information with others.
FYI we're working with the MSAL team so they update their samples that call MS Graph to v3. During this work they'll provide example implementations of authentication providers with MSAL. We expect that work to land in the next few weeks.

The MSAL team is also working with the Azure identity one to make sure factories are exposed so customers can make use of Azure Identity and highly customize MSAL, which is a difficult point today.

And yes, both Azure identity and MSAL for java are pretty much work in progress on a number of features. But feedback like yours helps prioritize work so don't hesitate to leave a comment in those repos. They also do accept pull requests :)

Lastly, one of the reasons why initiating the context from a refresh token hasn't been possible historically is because a compromised refresh token is much worse than a compromised access token. Customers have to make sure those refresh tokens are safely stored, etc. Instead of providing those capabilities from day one, which would be like handing customers a gun to shoot themselves in the foot, the strategy has been to make sure libraries support the scenario of safely storing the refresh token and getting an access token automatically for customers, encapsulating away some of the complexity.
Arguably the libraries are not there yet in Java. Some other languages already have support with storage providers in Azure KeyVault (backend apps scenarios)

I hope this shine lights on "how we got to this current situation" :)

[heyalistair]

FYI we're working with the MSAL team so they update their samples that call MS Graph to v3. During this work they'll provide example implementations of authentication providers with MSAL. We expect that work to land in the next few weeks.

An updated of that document would be great! I'll keep an eye out for it.

And thanks for the additional infomation! Yes, good point about the refresh tokens, you really cannot be too careful with them.