We have a feature that syncs calendar entries and contacts between our application and Office365, using the Office365 REST apis outlined here. We are using Version 1 of the API. For authorization we are performing authorization via Azure AD as outline here.
In the normal case (when using Office365 accounts purchased directly from Microsoft), our system works as expected: we are able to refresh the user's tokens when they expire and are returned a new access and refresh token in exchange.
In the second case, when testing with Office365 accounts purchased via GoDaddy, we encounter a blocking issue that can be outlined in this series of steps: 1. User is sent from our app -> Office365 Login page. 2. User enters email address 3. User is redirected to GoDaddy Office365 login page. 4. User completes authorization, and is redirected back to our app with an access code in the response. 5. App exchanges access code for an access_token and refresh_token from Office365. 6. Some time goes by, and access_token expires 7. App refreshes the user's access_token using the refresh_token
At this point we are expecting to receive a new access_token as well as a new refresh_token, as we do when using a regular Office365 account
Only for accounts purchased via GoDaddy, we do not receive a new refresh token in the response after refreshing for the first time.
Obviously when intending to have a long-running sync, this is a breaking case as the user will no longer be able to have their tokens refreshed beyond this point.
Postman traces (can save as .json and import to Postman for debugging https://gist.github.com/drunkel/7ec66ed33f66d0070148694651699d03 (IDs and secrets have been removed)
- Is this a known issue?
- Is there a workaround?