Services ITokenRefresher

Mika Berglund edited this page Dec 25, 2025 · 2 revisions

Token Refresher Service (ITokenRefresher)

The Token Refresher Service is responsible for acquiring new access and identity tokens using an existing refresh token when previously issued access tokens have expired. It encapsulates the logic required to interact with the token endpoint and to update the application's token state accordingly.

The service does not initiate authentication flows. It operates only when a refresh token is available and token refresh is required.

Responsibilities

  • Refresh access and identity tokens using a valid refresh token
  • Interact with the token endpoint using the OAuth 2.0 refresh token grant
  • Update the access token and identity token held in the token store with the newly issued tokens
  • Update the Refresh Token Store when a new refresh token is returned
  • Notify the application authentication infrastructure when the authenticated user state changes

Service contract

The Token Refresher Service is defined by the ITokenRefresher interface.

Members

  • RefreshTokensAsync: Refreshes tokens using the provided refresh options and returns a value indicating whether the refresh operation succeeded

Default implementation

The default implementation, Token Refresher, coordinates several supporting services to perform token refresh operations:

Identity tokens are validated to ensure that the aud claim matches the configured client ID before being stored. Access tokens are stored only when resource scopes are present in the refresh request.
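The audience check described above, as an added C# example (not the library's own code). The class and method names are hypothetical, the sample tokens are constructed and unsigned, and only the aud comparison is shown, with no signature or issuer validation.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class IdTokenAudienceCheck // hypothetical name, not the library's type
{
    // Decodes the payload (second segment) of a compact JWT. No signature check here.
    static JsonElement ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }
    // "aud" may be one string or an array of strings (RFC 7519, section 4.1.3).
    // Whole values are compared with ordinal equality, never by substring or prefix.
    public static bool AudienceMatches(string idToken, string clientId)
    {
        if (string.IsNullOrEmpty(idToken) || string.IsNullOrEmpty(clientId)) return false;
        JsonElement payload;
        try { payload = ReadPayload(idToken); }
        catch (Exception e) when (e is FormatException || e is JsonException) { return false; }
        if (payload.ValueKind != JsonValueKind.Object || !payload.TryGetProperty("aud", out var aud)) return false;
        return aud.ValueKind switch
        {
            JsonValueKind.String => aud.GetString() == clientId,
            JsonValueKind.Array => aud.EnumerateArray().Any(a =>
                a.ValueKind == JsonValueKind.String && a.GetString() == clientId),
            _ => false
        };
    }
    // Builds an unsigned sample token (constructed data for this demo only).
    static string Sample(string payloadJson) =>
        "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(payloadJson))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";
    public static void Main()
    {
        const string clientId = "my-client"; // constructed client ID
        string[] payloads = {
            "{\"aud\":\"my-client\"}",            // aud as a single string
            "{\"aud\":[\"api\",\"my-client\"]}",  // aud as an array
            "{\"aud\":\"my-client-admin\"}",      // different audience sharing a prefix
            "{\"sub\":\"u1\"}" };                 // aud claim missing
        foreach (var json in payloads)
            Console.WriteLine($"{json} -> {AudienceMatches(Sample(json), clientId)}");
    }
}
```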

The default implementation supports refresh operations across multiple scope groups and updates token state incrementally for each group.

Related services
