OpenIdConnect access token and refresh token

A common case is using AzureAD via OpenIdConnect for login - and then wanting to consume GraphAPI services.

In order to consume GraphAPI, you will need a shortlived Access_token.

To get the fresh Access_token, you will need a Refresh_token.

To get the Refresh_token, you must do a call to the token-endpoint with the short-lived code you get when you login.

Turnkey will do all this for you and update the SysUserClaim object with a ClaimType access_token and refresh_token.

These will be fetched when you login.

The access_token is shortlived - you should renew it prior to new operations.

Turnkey can renew it if you add and later call a Method on SysUser:

OpenIdConnectAccessTokenRefresh():String (TV: Eco.ExternalLateBound) 

This will return an error or ok. If it is ok, the SysUserClaim object with a ClaimType access_token and refresh_token has been updated.

For this to work, you need to supply settings for OpenIdConnect.

  • (You must give the OpenID_TokenEndPoint, and OpenIDConnectScope must contain offline_access for AzureAD to issue refresh_token)
  • You should also set a value on SharedSecret in TurnkeySettings - this will be used to encrypt the temporary tokens stored in the db
This page was edited 21 days ago on 10/31/2024. What links here