Steffen,

I have found that when my Microsoft oauth2 refresh token expires, the
oauth2-helper.py program doesn't get me a new one. The song and dance
with typing a code into a browser window gets a new access token, but no
new refresh token.

The reason is that in order to get a refresh token, your resource file
has to include "offline_access" in its scope. However, when you
authorize with Microsoft they produce a response that doesn't include
"offline_access" in its scope, even if the resource file that you are
starting with does. The helper program produces a template that
includes "offline_access" and so you do get a refresh token when you
start from scratch. But the resource file that your first authorization
produces doesn't have "offline_access", so when its refresh token
eventually expires, you don't get a new one.

I have found several Microsoft pages that confirm this behavior, but I
don't understand their explanation for it - I get a headache trying.

However, there appears to be a simple solution: ignore the scope in the
response from Microsoft and keep the scope you already have. I have
attached a patch that comments out a couple of lines in the helper
program to achieve that. It seems to work for me. I note that you
already describe the lines I have commented out as "optional". It looks
as if they are in fact positively harmful.

Stephen Isard

--- ./s-nail-oauth-helper.py 2025/05/17 19:40:51 1.1
+++ ./s-nail-oauth-helper.py 2025/05/17 19:43:23
@@ -342,8 +342,8 @@
# OPTIONAL
if resp.get('refresh_token'):
cfg['refresh_token'] = resp.get('refresh_token')
- if resp.get('scope'):
- cfg['scope'] = resp.get('scope')
+ #if resp.get('scope'):
+ # cfg['scope'] = resp.get('scope')
print('%s' % cfg['access_token'])
return config_save(args, cfg, dt)
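
Review bot: the two `+` lines leave the scope update behind as commented-out code under the `# OPTIONAL` comment, with nothing saying why it is disabled; delete the lines instead and add a one-line comment stating that the scope in the response is deliberately ignored because it can omit `offline_access`, so copying it into `cfg['scope']` loses the refresh token at the next full authorization. Nothing in the hunk is provider-specific, so after this change the saved scope is never updated from any response; if that is broader than intended, an alternative is to keep taking `resp.get('scope')` but re-add `offline_access` whenever `cfg['scope']` already contained it.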
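
The scope drift described in the mail, reproduced offline as an added example (not code from s-nail-oauth-helper.py). The function names, the `example.mail` scope, the token values and the stand-in provider are all constructed; the provider simply follows the behaviour the mail reports.

```python
def fake_provider(requested_scope, n):
    """Constructed stand-in for the token endpoint, per the mail's description."""
    scopes = requested_scope.split()
    resp = {
        'access_token': 'access-%d' % n,
        # The reported scope omits offline_access even when it was requested.
        'scope': ' '.join(s for s in scopes if s != 'offline_access'),
    }
    # A refresh token is only issued when offline_access was requested.
    if 'offline_access' in scopes:
        resp['refresh_token'] = 'refresh-%d' % n
    return resp


def store_overwrite(cfg, resp):
    """Pre-patch handling: the response scope replaces the saved scope."""
    cfg['access_token'] = resp['access_token']
    if resp.get('refresh_token'):
        cfg['refresh_token'] = resp.get('refresh_token')
    if resp.get('scope'):
        cfg['scope'] = resp.get('scope')


def store_keep_scope(cfg, resp):
    """Patched handling: the saved scope is left as it was."""
    cfg['access_token'] = resp['access_token']
    if resp.get('refresh_token'):
        cfg['refresh_token'] = resp.get('refresh_token')


def two_authorizations(store):
    """Authorize from the template, let the refresh token expire, authorize again."""
    cfg = {'scope': 'offline_access example.mail'}  # template scope (constructed)
    store(cfg, fake_provider(cfg['scope'], 1))
    cfg.pop('refresh_token', None)                  # refresh token has expired
    store(cfg, fake_provider(cfg['scope'], 2))      # re-authorize with saved scope
    return cfg


if __name__ == '__main__':
    for store in (store_overwrite, store_keep_scope):
        cfg = two_authorizations(store)
        print(store.__name__, repr(cfg['scope']), cfg.get('refresh_token'))
```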