MS365 Mail Service - Update refresh token automatically to avoid expiration (OD-2243)
empinator opened 1 year ago

Hi Robin,

We have a Mail Service as type MS365. We observed that when the refresh token hits its timeout (seems like 90 days), the connection fails, and we need to press the 'refresh the refresh token' button on the right of the according field.

We have provided the secret as well, so we were wondering if this could happen automatically? I must admit that I am no auth expert though.

Thank you.

  • Robin Shen commented 1 year ago

    Seems that refresh token must be renewed manually. You may set up a cron job to notify periodically in case it expires.

  • empinator commented 1 year ago

    I thought that the secret can be used to get a new refresh token?

  • Robin Shen commented 1 year ago

    As far as I know, this is not doable programmatically.

  • jbauer commented 1 year ago

    Usually with OAuth, if you use the refresh token to gain a new access token the response also contains a new refresh token and the old refresh token should be deleted. Some providers revoke/invalidate the refresh token as soon as you used it to ensure that you cannot use it again (replay attacks). For these providers you are basically forced to use the newly provided refresh token. MS doesn't seem to do that yet.

    https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens

    Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials.
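
The rotation described in the comment above, as an added example that is not part of the thread and is not OneDev's code: every redemption of the refresh token persists the replacement returned by the token endpoint, and an `invalid_grant` error is surfaced as "sign in again". The function names, the JSON file store and the injectable `post` transport are assumptions made for illustration.

```python
import json, os, tempfile
import urllib.error, urllib.parse, urllib.request

# Microsoft identity platform v2.0 token endpoint; the tenant is supplied by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

class ReauthRequired(Exception):
    """The refresh token expired or was revoked; a user must sign in again."""

def http_post(url, form):
    """Default transport: POST a form and return the JSON body (also on HTTP 4xx)."""
    req = urllib.request.Request(url, urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # OAuth errors arrive as JSON in the error body

def save_token(path, refresh_token):
    """Atomically replace the stored token; mkstemp creates the file owner-only."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": refresh_token}, fh)
    os.replace(tmp, path)  # the old token file is replaced in one step

def refresh(path, tenant, client_id, client_secret, scope, post=http_post):
    """Redeem the stored refresh token, persist the rotated one, return the access token."""
    with open(path) as fh:
        old = json.load(fh)["refresh_token"]
    body = post(TOKEN_URL.format(tenant=tenant), {
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": old, "scope": scope})
    if "error" in body:
        if body["error"] == "invalid_grant":  # expired or revoked refresh token
            raise ReauthRequired(body.get("error_description", ""))
        raise RuntimeError(body["error"])
    new = body.get("refresh_token")
    if new and new != old:  # keep the old token if the response carries none
        save_token(path, new)
    return body["access_token"]
```

Calling `refresh` on a schedule shorter than the refresh-token lifetime keeps the stored token current without anyone pressing the button.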

  • Robin Shen commented 1 year ago

    Thanks for the info. Will check this out.

  • Robin Shen changed title 12 months ago
    Previous Value: MS365 Mail Service - Refresh token not updating automatically
    Current Value: MS365 Mail Service - Update refresh token automatically to avoid expiration
  • Robin Shen changed fields 12 months ago
    Name: Type
    Previous Value: Question
    Current Value: Improvement
  • OneDev changed state to 'Closed' 12 months ago
    Previous Value: Open
    Current Value: Closed
  • OneDev commented 12 months ago

    State changed as code fixing the issue is committed (23ebef3d)

  • OneDev changed state to 'Released' 12 months ago
    Previous Value: Closed
    Current Value: Released
  • OneDev commented 12 months ago

    State changed as build OD-5855 is successful

Type: Improvement
Priority: Normal
Assignee:
Labels: No labels
Issue Votes (0)
Watchers (4)
Reference: OD-2243