ASP.NET Azure AD refresh access token on expiration

Question

Hello,

I would like to ask some help with handling the access token expiration in my web app, that is using AzureAD to login.
It is an ASP.NET application (.net 4.7.2). On login the user is redirected to microsoft page, logs in, redirected back to the webapp with the valid access token, and can work for an hour, but when the token expires, and the user sends a request he will have to be redirected to MS and back again to get a new access token. This breaks the users workflow, especially if he is on a filled form, and the token expires right when he would post his data, he will have to fill the form again after the redirect puts him on the empty page.
My question: when i detect in the backend that the user is not authenticated any more, can i refresh his auth token seamlessly, without the need to redirect to MS and back, and once the new token is arrived, just process the pending request as if nothing happened? If not, can i somehow change the access token expiration from 1 hour to 8 or 12?
I have read some articles about using the access token and refresh token to do this, but i am using the OpenIdConnect middleware and not sure if i have a refresh token at all.

Thank you,
Bálint Keresztes

Answer 1

you are actually using standard cookie authentication with SSO. the lifetime of the cookie is tied to the token lifetime. the login token is only used to create the cookie. when the cookie expires, the browser does not include it in the request.

while you could request and store a refresh token on the server, when the the unauthenticated request comes, you do not know the identity of user. you would need to add a different cookie to store this or you would need to update the cookie before it expires. thus you would implement a sliding window. as you are using owin cookie, you need to code this yourself.