From Microsoft Azure Active Directory, I got a response containing a refresh_token to my request to the /token endpoint (OAuth2). It looks like this:

{
"access_token":"eyJ0eXAiOiJKV1QiLCJhb....",
"token_type":"Bearer",
"expires_in":"3599",
"expires_on":"1396069299",
"resource":"https://management.core.windows.net/",
"refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzj...",
"scope":"user_impersonation",
"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOi..."
}

So apparently the refresh_token has no expiration and I can use it multiple times when I need a new access_token. Is that correct?

Also, what is id_token for?


Solution

Refresh tokens do expire eventually (I'm not sure when), and you should probably not take a dependency on them lasting forever. (Also, duplicate of this.)

Besides the access_token, the id_token is probably the most interesting part of the token response. It contains a JSON Web Token (JWT) with information (claims) about the currently logged in user. Once you open it up (and validate it), you'll find information about the user such as username, first and last name, tenant ID, and user object ID. This will be very useful if later you intend on querying the Azure AD Graph API to get more information.

Be sure to check out Vittorio's blog post on why it's important to validate the tokens: Principles of Token Validation. If you're on .NET, there's a handy JSON Web Token Handler (NuGet, GitHub).
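As an added example (not part of the question or the answer above), this is what "open it up (and validate it)" looks like in Python: the claims can be read by anyone, but they are accepted only after the algorithm, signature, issuer, audience and lifetime check out. The key, issuer, audience and claim values are constructed, and the demo token is HS256-signed so that the code runs offline; a real Azure AD id_token is RS256-signed and is verified against the public keys published at the tenant's jwks_uri.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real Azure AD id_token is RS256-signed and verified with the
# public keys from the tenant's OpenID Connect metadata (jwks_uri), not a shared secret.
DEMO_KEY = b"constructed-demo-secret"
EXPECTED_ISS = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
EXPECTED_AUD = "constructed-client-id"
DEMO_CLAIMS = {  # the user claims the answer mentions, with constructed values
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
    "tid": "11111111-2222-3333-4444-555555555555", "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "upn": "alice@contoso.example", "given_name": "Alice", "family_name": "Example",
    "nbf": 1396065699, "exp": 1396069299,  # exp matches expires_on in the question
}

def b64url_decode(part):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(claims, key):
    # Builds a constructed HS256 token so the example runs offline.
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def peek_claims(id_token):
    # "Opening up" the token: readable by anyone, so nothing here may be trusted yet.
    return json.loads(b64url_decode(id_token.split(".")[1]))

def validate_id_token(id_token, key, now=None):
    # Returns the claims only if algorithm, signature, issuer, audience and lifetime all pass.
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if not (claims.get("nbf", 0) <= now < claims["exp"]):
        raise ValueError("token not valid at this time")
    return claims
```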

Licensed under: CC-BY-SA with attribution