edits

Author: v-thepet

articles/app-service/configure-authentication-oauth-tokens.md

@@ -14,7 +14,7 @@ This article shows you how to manage OAuth tokens when you use [built-in authent
 
 ## Retrieve tokens in app code
 
-Provider-specific tokens are injected into the request header from your server code so you can easily access them. To get the provider-specific tokens, send an HTTP `GET` request to `/.auth/me`from your client code, such as a mobile app or in-browser JavaScript. [Token store](overview-authentication-authorization.md#token-store) must be enabled for the app. The returned JSON has the provider-specific tokens.
+Provider-specific tokens are injected into the request header from your server code so you can easily access them. To get the provider-specific tokens, send an HTTP `GET` request to `/.auth/me`from your client code, such as a mobile app or in-browser JavaScript. [Token store](overview-authentication-authorization.md#token-store) must be enabled for the app. The returned JSON contains the provider-specific tokens.
 
 > [!NOTE]
 > Access tokens are for accessing provider resources, so are present only if you configure your provider with a client secret.
@@ -33,20 +33,20 @@ The following table lists possible token headers from several providers:
 
 ## Refresh auth tokens
 
-The following information refers to refreshing provider tokens, not [session tokens](#extend-session-token-expiration-grace-period). If your provider's access token expires, you need to reauthenticate the user before you can use that token again.
+The following information refers to provider tokens. For session tokens, see [Extend session token expiration grace period](#extend-session-token-expiration-grace-period).
 
-You can avoid token expiration by making a `GET` call to the `/.auth/refresh` endpoint of your application. When called, App Service automatically refreshes the access tokens in the [token store](overview-authentication-authorization.md#token-store) for the authenticated user. Subsequent requests for tokens get the refreshed tokens.
+If your provider's access token expires, you must reauthenticate the user before you can use that token again. You can avoid token expiration by making a `GET` call to the `/.auth/refresh` endpoint of your application.
 
-For token refresh to work, the token store must contain [refresh tokens](/entra/identity-platform/refresh-tokens) for your provider. Each provider documents the way to get their refresh tokens. The following table provides a brief summary:
+When called, App Service automatically refreshes the access tokens in the [token store](overview-authentication-authorization.md#token-store) for the authenticated user. Subsequent requests for tokens get the refreshed tokens.
 
-| Provider | Refresh token |
+For token refresh to work, the token store must contain [refresh tokens](/entra/identity-platform/refresh-tokens) from your provider. Each provider documents how to get their refresh tokens. The following table provides a brief summary:
+
+| Provider | Get refresh token |
 |-|-|
-| Microsoft | Follow the procedure in [Get Microsoft refresh tokens](#get-microsoft-refresh-tokens). |
+| Microsoft | Follow the procedure in [Configure App Service to return a usable access token](scenario-secure-app-access-microsoft-graph-as-user.md#configure-app-service-to-return-a-usable-access-token). The scope that gives you a refresh token is [offline_access](/entra/identity-platform/scopes-oidc#the-offline_access-scope). App Service already requests other scopes by default. For more information, see [OpenID Connect Scopes](/entra/identity-platform/scopes-oidc#openid-connect-scopes).|
 | Facebook | Doesn't provide refresh tokens. Long-lived tokens expire in 60 days. For more information, see [Long-Lived Access Tokens](https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-long-lived/). |
 | Google | Append an `access_type=offline` query string parameter to your `/.auth/login/google` API call. For more information, see [Google Refresh Tokens](https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens).|
-| X | Access tokens don't expire. For more information, see [OAuth FAQ](https://developer.x.com/en/docs/authentication/faq)). |
-
-After your provider is configured, you can [find the refresh token and the expiration time for the access token](#retrieve-tokens-in-app-code) in the token store.
+| X | Access tokens don't expire. For more information, see [OAuth FAQ](https://developer.x.com/en/docs/authentication/faq). |
 
 To refresh your access token at any time, call `/.auth/refresh` in any language. The following snippet uses jQuery to refresh your access tokens from a JavaScript client.
 
@@ -61,36 +61,18 @@ function refreshTokens() {
 }
 ```
 
-If a user revokes the permissions they granted to your app, your call to `/.auth/me` might fail with a `403 Forbidden` response. To diagnose errors, check your application logs for details.
-
-### Get Microsoft refresh tokens
-
-To get the refresh tokens, take the following steps in [Azure Resource Explorer](https://resources.azure.com).
+Once you configure your provider, you can find the refresh token and the expiration time for the access token by using the headers listed in [Retrieve tokens in app code](#retrieve-tokens-in-app-code).
 
-1. At the top of the pane, select **Read/Write**.
-1. In the left pane, expand **subscriptions** > **\<subscription name>** > **resourceGroups** > **\<resource-group-name>** > **providers** > **Microsoft.Web** > **sites** > **\<app-name>** > **config** > **authsettingsV2**.
-1. Select **Edit**.
-1. Modify the following `loginParameters` property:
-
-   ```json
-   "identityProviders": {
-     "azureActiveDirectory": {
-       "login": {
-         "loginParameters": ["scope=openid profile email offline_access"]
-       }
-     }
-   }
-   ```
-
-1. Select **Put**.
-
-The scope that gives you a refresh token is [offline_access](/entra/identity-platform/scopes-oidc#the-offline_access-scope). The other scopes are already requested by App Service by default. For information on these default scopes, see [OpenID Connect Scopes](/entra/identity-platform/scopes-oidc#openid-connect-scopes).
+>[!NOTE]
+>If a user revokes the permissions they granted to your app, your call to `/.auth/me` might fail with a `403 Forbidden` response. To diagnose errors, check your application logs for details.
 
 ## Extend session token expiration grace period
 
-The authenticated session expires after 8 hours, and a 72-hour default grace period follows. Within this grace period, you can refresh the session token with App Service without reauthenticating the user. Call `/.auth/refresh` when your session token becomes invalid, and you don't need to track token expiration yourself. When the 72-hour grace period lapses, the user must sign in again to get a valid session token.
+The authenticated session expires after 8 hours, and a 72-hour default grace period follows. Within this grace period, you can refresh the session token with App Service without reauthenticating the user.
+
+Call `/.auth/refresh` when your session token becomes invalid, and you don't need to track token expiration yourself. When the 72-hour grace period lapses, the user must sign in again to get a valid session token.
 
-If you need a longer expiration window than 72 hours, you can extend it. Extending the expiration for a long period could have significant security implications if an authentication token is leaked or stolen. It's best to leave the setting at the default 72 hours or set the extension period to the smallest possible value.
+If you need a longer expiration window than 72 hours, you can extend it, but extending the expiration for a long period could have significant security implications if an authentication token is leaked or stolen. It's best to leave the setting at the default 72 hours or set the extension period to the smallest possible value.
 
 To extend the default expiration window, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md):