Generating a Refresh Token

Before generating the refresh token, generate the client ID and client secret as described in Registering an Application Using the SharePoint Online Portal.

To generate a refresh token, complete the following:

  1. Obtain the authorization code using the following request (this process involves user consent):

    1. Use the following format for the authorization URL:

      https://<your_site>.sharepoint.com/_layouts/15/OAuthAuthorize.aspx?client_id=client_GUID&scope=app_permissions_list&response_type=code&redirect_uri=redirect_uri

      URL parameter details:

      client_id=<clientId>
      &response_type=code
      &redirect_uri=<redirect_uri>
      &scope=offline_access%20https://graph.microsoft.com/.default

      Parameters details:

    2. If you haven't already signed in to the SharePoint site, navigate to the URL and sign in.

    3. Select Trust It to grant consent.

      The response is displayed in the browser address bar as follows:

      https://localhost/?code=PAQABAAEAAAD%2D%2DDLA3VO7QrddgJg7WevrYFFcg3I0SsVRqZUlJSPK7G%2Dg4NvlX9JtK3Q5H0RTtSD0Gmowaqid9ohxQjunSukFrvIz2px9c8V1Rm9X2khsWI1Q518jTZMS6Efi9yXoBgCJ4%2DKvcWsSf7whcrNhgabOM9zov1YoPtx0%2DzidfGBwpvcuXoUCNN4osm1lv0CW2Uwh0%2D91SadwJkx83itzQnD9hQwGWZPVVDdg%5FzEYibnoZV8N1el4hfoMKrOBib6ul1vBw1rhMt7kNcrHBs%5FYKs9OrhvOGCSUgKvQQ9qBwNjRZYOL8M7JVrcMFCgC70QliVMgShzjOUgMOmtx0qQcVFl4IAA

  2. Copy the entire value that follows code= in the address bar. This is the authorization code.

    Note
    The received authorization code can be used only once and is valid for a short duration.

  3. Obtain the refresh token using the authorization code obtained in the previous step. The authorization code and other parameters must be passed in the following request:

    curl --location --request GET 'https://accounts.accesscontrol.windows.net/dc75061d-64a1-405d-a746-465dece42192/tokens/OAuth/2' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-raw 'client_id=cd1e9fd9-55c2-4dae-833a-fbcc150f1fad%40dc75061d-64a1-405d-a746-465dece42192&scope=offline_access%20https://graph.microsoft.com/.default&code=PAQABAAEAAAD--DLA3VO7QrddgJg7WevroypXVs207MGJClcCv_vL0wh8CzS5lXCHANO-wqepUk6_PHHTl25FiADOITB5CSwV8PGTwpLRmnQC6VN-xnXC5JVcoebz-O66U7cqIJ8i2TRQ8E2dqyeR0fYplqvwNK58xncqZNb2arXq8f50MrCYknwzkvqdkV6LXeIpDvJI4agv962w7i_NbbuPA7x8ESs0V5qgV7RcFXBFZmCU1VrvXC7KdiwKatQqRqmgXpd58gvMAX0nVy3zaRfwTw7LB5-1wccgFs4Xyx3KbfPuoBXCMTYIuEmnQK5JtdU7qXpSwmpyIcx1nfoATUkP0UXxkGR3IAA&redirect_uri=https://localhost&grant_type=authorization_code&client_secret=eroXdRLYRI3HeGksVC0n9brERZwxjqggIGv%2F%2Bcsumrk%3D&resource=00000003-0000-0ff1-ce00-000000000000%2Fsailpointdev.sharepoint.com%40dc75061d-64a1-405d-a746-465dece42192'

    The newly added parameters are:

    Response:

    {
        "token_type": "Bearer",
        "scope": "https://graph.windows.net/Directory.Read.All https://graph.windows.net/User.Read https://graph.windows.net/.default",
        "expires_in": 7199,
        "ext_expires_in": 7199,
        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlNzWnNCTmhaY0YzUTlTNHRycFFCVEJ5TlJSSSIsImtpZCI6IlNzWnNCTmhaY0YzUTlTNHRycFFCVEJ5TlJSSSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0Iiwia...",
        "refresh_token": "OAQABAAAAAAAm-06blBE1TpVMil8KPQ410LOG6EPVxGfgH8rHUXApUs5fPFtel9FsKTXo2oN8Rw_ngEOpKNt1hfufYyJJnG39XxfscpcW...."
    }

  4. Copy the refresh token received in the response.
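Steps 2 and 3 as an added example, not part of the original documentation: it pulls the authorization code out of the redirect shown in the address bar (URL-decoding it, which is why %2D appears as - in the curl request) and form-encodes the token request body. The function names, the SP_CLIENT_SECRET variable and the sample values are assumptions made for illustration; the redirect URI is assumed to have no path, as on this page.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# SharePoint principal ID, taken from the resource parameter in the curl request above.
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
SCOPE = "offline_access https://graph.microsoft.com/.default"


def extract_auth_code(address_bar_url, redirect_uri="https://localhost"):
    """Return the URL-decoded authorization code from the post-consent redirect."""
    parts = urlsplit(address_bar_url)
    # Only accept a redirect that landed on the registered redirect URI.
    if f"{parts.scheme}://{parts.netloc}" != redirect_uri.rstrip("/"):
        raise ValueError("redirect did not land on the registered redirect URI")
    query = parse_qs(parts.query, keep_blank_values=True)
    if "error" in query:  # OAuth 2.0 error redirect (RFC 6749, section 4.1.2.1)
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]  # parse_qs already turned %2D into '-' and %5F into '_'


def build_token_body(code, client_id, tenant_id, site_host, client_secret,
                     redirect_uri="https://localhost"):
    """Form-encode the token request body in the shape the curl request uses."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,  # urlencode escapes '/', '+' and '='
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{site_host}@{tenant_id}",
    })


if __name__ == "__main__":
    import os
    # Constructed sample redirect; real codes are single-use and short-lived.
    code = extract_auth_code("https://localhost/?code=SAMPLE%2D%2Dcode%5F123")
    # Placeholder IDs; the secret comes from the environment, not the source file.
    body = build_token_body(code, "<client_id>", "<tenant_id>",
                            "<your_site>.sharepoint.com",
                            os.environ.get("SP_CLIENT_SECRET", "<client_secret>"))
    print(sorted(parse_qs(body)))  # parameter names only; never log the values
```

The returned string is what goes in the request body in place of the hand-assembled --data-raw value.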