We are developing a multi-tenant web application. Our tenants will be using Windows Azure Active Directory for authentication. We are using OWIN OpenIdConnect middleware to authenticate users. The response we receive after authentication process has id_token and authorization code.

We also want to get the refresh token so that we can acquire new tokens once the id_token expires. Therefore in AuthorizationCodeReceived handler we use AcquireTokenByAuthorizationCode method in ADAL library to acquire the refresh token. The response contains id_token, access_token and refresh_token.

We then subsequently use refersh_token to get the new id_token however the response contain only renewed access_token but not a renewed id_token. Is it possible to refresh id_token or we can only refresh access_token? The code snipped for Authorization code received handler is shown as below.

AuthorizationCodeReceived = (context) =>
{
    string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + "/";
    var code = context.Code;
    string clientSecret = ConfigurationManager.AppSettings["ida:Password"];
    ClientCredential credential = new ClientCredential(clientId, clientSecret);
    string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
    MAuthenticationContext authContext = new MAuthenticationContext(string.Format("https://login.windows.net/{0}", tenantID), null);
    AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                code, new Uri(appBaseUrl), credential, "https://graph.windows.net");

    AuthenticationResult refreshTokenResult = authContext.AcquireTokenByRefreshToken(result.RefreshToken, credential);

    return Task.FromResult(0);
},

In general you cannot use a refresh_token to renew an id_token because an id_token represents user authentication, information that cannot be refreshed without the user present. The way to refresh an id_token is described in the Session Management draft of OpenID Connect (http://openid.net/specs/openid-connect-session-1_0.html) i.e. by sending the user (agent) off to the authorization endpoint again with an authentication request that may include "prompt=none" if you want no user interaction but just check with the OP for an existing SSO session.

The Session Management capability as described in the draft spec is supported by Azure AD. If you want to synchronize the OP session with your application session that is the way to go. OTOH you may choose to have an application session that independent of the OP session, using it's own session timeout and duration, in which case there's no reason to refresh the id_token. The id_token is then only use to bootstrap the application session which then lives on it's own.

Also: the AcquireTokenByRefreshToken is really a manual fallback in case there's something in ADAL's automatic cache management that you don't want to execute. In general every call to AcquireToken* (apart from AcquireTokenByRefreshToken) will use the refresh token automatically if there's need and a valid one in cache. Unless you are really in special cases, I would advise against ever using AcquireTokenByRefreshToken