Does refresh token for non-SPA scenario have a sliding window lifetime?

Ingmar Shidqi 21 Reputation points
2024-02-23T03:48:11.35+00:00

It is mentioned in this documentation (https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens#token-lifetime) that the lifetime of the refresh token for platforms other than SPA is 90 days. It is also mentioned that for SPA platform the refresh token does not have a sliding window lifetime, but what about the other platforms e.g. Webapp?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
  1. Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2024-02-26T06:30:47.5+00:00

    @Ingmar Shidqi

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for advice on extending the lifetime of the refresh token for web apps.

    Please do correct me if this is not the case by responding in the comments section.

    As per Refresh and session token lifetime policy properties:

    Refresh and session token configuration are affected by the following properties and their respectively set values. After the retirement of refresh and session token configuration on January 30, 2021, Microsoft Entra ID will only honor the default values described below.

    If you decide not to use Conditional Access to manage sign-in frequency, your refresh and session tokens will be set to the default configuration on that date and you'll no longer be able to change their lifetimes.

    Any changes to this default period should be made using Conditional Access.

    Kindly follow Configure adaptive session lifetime policies to manage the lifetime of the refresh token.

    Update1:

    The refresh token is used to obtain new access and refresh token pairs when the current access token expires. If a user signed in on January 1st, 2024, the refresh token will be valid until 30 March (90 days). If the refresh token is used and the token is refreshed on February 1st, does the app get a new refresh token that is valid until the end of April or until the end of March (same as the first sign-in)?

    Once used to get a new access token and refresh token, the new token will have a validity of 90 days.


    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

    1 person found this answer helpful.
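The two lifetime models discussed in this thread, replayed over a constructed timeline. This is an added example, not code from the original answer or from Microsoft: `simulate` and its parameters are hypothetical names, the 24-hour SPA value comes from the linked documentation rather than this page, and treating a redemption exactly at the expiry instant as expired is an assumption.

```python
from datetime import datetime, timedelta

NON_SPA_LIFETIME = timedelta(days=90)  # default stated in the question
SPA_LIFETIME = timedelta(hours=24)     # SPA value from the linked documentation


def simulate(sign_in, refresh_times, lifetime, sliding):
    """Replay refresh-token redemptions; return (events, final_expiry).

    sliding=True : every successful redemption returns a refresh token
                   with a fresh full lifetime (what the answer describes
                   for non-SPA platforms such as web apps).
    sliding=False: every replacement token keeps the expiry that was
                   fixed at sign-in (the SPA behaviour in the question).
    """
    expiry = sign_in + lifetime
    events = []
    for when in sorted(refresh_times):
        if when >= expiry:
            # Token lapsed; the model stops at the first failure because
            # the user has to sign in interactively again.
            events.append((when, "expired: interactive sign-in required"))
            break
        if sliding:
            expiry = when + lifetime  # window slides forward on use
        events.append((when, f"ok: refresh token valid until {expiry:%Y-%m-%d %H:%M}"))
    return events, expiry


if __name__ == "__main__":
    # Constructed timeline: the 1 January sign-in and 1 February refresh
    # from the thread, plus a later refresh in April.
    sign_in = datetime(2024, 1, 1)
    refreshes = [datetime(2024, 2, 1), datetime(2024, 4, 15)]
    for label, sliding in (("sliding (non-SPA)", True), ("fixed window", False)):
        events, _ = simulate(sign_in, refreshes, NON_SPA_LIFETIME, sliding)
        print(label)
        for when, outcome in events:
            print(f"  {when:%Y-%m-%d}  {outcome}")
```

In the sliding model, a token that goes unused for the full lifetime still lapses, and anything a Conditional Access sign-in frequency policy enforces on top of this is outside the model.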