Support for refresh tokens in ADFS 2.2 OAuth flow
Solution 1:
There is a configuration switch named IssueOAuthRefreshTokensTo on the ADFS relying party object which controls what type of devices refresh tokens are emitted to. By default, this value is set to "NoDevice", which implies that ADFS will not release refresh tokens. Possible values are:
- NoDevice = never issue refresh tokens
- AllDevices = always issue refresh tokens
- WorkplaceJoinedDevices = only issue refresh tokens on workplace joined devices, i.e. ones that have been registered using the DRS service.
In addition to verifying whether the relying party allows issuance of refresh tokens, ADFS will also verify the following.
- The SSO token presented to ADFS will not expire before the access token to the RP expires. As long as you haven't changed the default configuration values and are coming in with a clean browser session (i.e. no SSO cookie), this case shouldn't come into play.
- The relying party is not marked to always require fresh credentials.
Can you also verify that you are sending a valid resource parameter in the authorization request?
ADFS has a debug log. If you can reproduce this behavior on a non-production system, the easiest way to identify the issue might be to enable debug logs.
This article covers how to enable debug logs on an ADFS 2.0 system. ADFS 3.0 (2012 R2) is similar; the node names are slightly different and you don't need to enable WIF or WCF tracing in the config file.
http://social.technet.microsoft.com/wiki/contents/articles/1407.how-to-enable-debug-logging-for-active-directory-federation-services-2-0-ad-fs-2-0.aspx
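
The checks listed in the answer above can be read off one relying party with the ADFS PowerShell module; this is an added example, not part of the original answer. `MyApp` is a placeholder name, and mapping "always require fresh credentials" to `AlwaysRequireAuthentication`, treating a `TokenLifetime` of 0 as 60 minutes, and comparing configured lifetimes rather than the remaining lifetime of a live SSO token are assumptions.

```powershell
# Added example: audit a relying party against the refresh-token conditions.
# Run on an ADFS server (Windows Server 2012 R2) in an elevated session.
Import-Module ADFS

function Test-AdfsRefreshTokenReadiness {
    param([Parameter(Mandatory)][string]$RelyingPartyName)

    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party '$RelyingPartyName' not found." }
    $farm = Get-AdfsProperties

    # Assumption: TokenLifetime = 0 means the default access token lifetime (60 min).
    $accessMinutes = if ($rp.TokenLifetime -gt 0) { $rp.TokenLifetime } else { 60 }

    [pscustomobject]@{
        RelyingParty                = $rp.Name
        # NoDevice (default) means no refresh token is ever issued.
        IssueOAuthRefreshTokensTo   = $rp.IssueOAuthRefreshTokensTo
        RefreshTokensAllowed        = ($rp.IssueOAuthRefreshTokensTo -ne 'NoDevice')
        # Must be False for a refresh token to be issued.
        AlwaysRequireAuthentication = $rp.AlwaysRequireAuthentication
        AccessTokenLifetimeMinutes  = $accessMinutes
        SsoLifetimeMinutes          = $farm.SsoLifetime
        # Configured-value approximation of "SSO token outlives the access token".
        SsoOutlivesAccessToken      = ($farm.SsoLifetime -gt $accessMinutes)
    }
}

# 'MyApp' is a placeholder relying party name.
Test-AdfsRefreshTokenReadiness -RelyingPartyName 'MyApp' | Format-List

# To restrict refresh tokens to devices registered through DRS:
# Set-AdfsRelyingPartyTrust -TargetName 'MyApp' -IssueOAuthRefreshTokensTo WorkplaceJoinedDevices
```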