B2c: Refresh Token is returned via PKCE flow even without providing 'offline_access' as a scope

Tobias Schmidt 81 Reputation points
2022-11-03T09:56:22.697+00:00

The title already describes the whole problem.

We don't face this issue when using implicit or ROPC flows.

I found a StackOverflow post also describing the same issue with no real answers:
azure-ad-provides-refresh-token-even-i-dont-request-and-permissions-does-not-ha

We're using a custom policy, but this should not have an impact as there's no way to configure this behavior, no?

Edit: if openid is not provided as a scope, the id token is not returned as expected.
So this is solely an issue with the refresh token.


Accepted answer
Akshay-MSFT 16,026 Reputation points Microsoft Employee
2022-11-07T09:40:00.323+00:00

Hello @Tobias Schmidt

Thanks for posting your query on Microsoft Q&A. As per B2C token lifetime behavior, if your application has been granted the offline_access scope, the default is 14 days. The minimum (inclusive) is one day. The maximum (inclusive) is 90 days.

However, single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours, while mobile apps, desktop apps, and web apps do not experience this limitation.

As per https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#overview-of-the-solution: Refresh tokens issued through the authorization code flow to SPA redirect URIs have a 24-hour lifetime rather than a 90-day lifetime.

Yes, this is the behavior emitted. As per https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-spa#authorization-code-flow-with-pkce:

OAuth 2.0 Authorization code flow (with PKCE) allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs. In addition, it returns Refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users.

Please do let me know if you have any further queries in the comments section.

Thanks,
Akshay Kaushik

Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.
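As an added illustration, not code from the original question or answer: a small Python check a B2C client could run on a token response to catch exactly the mismatch discussed in this thread, a refresh_token returned although offline_access was not among the requested scopes, so the client can decide not to persist it. It also generates an RFC 7636 PKCE verifier/challenge pair and reads the access token's lifetime from its claims; the sample token response, its claims and the scope URI are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    """Verifier (43 URL-safe chars) goes to the token endpoint, challenge to /authorize."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)

def _jwt_claims(token: str) -> dict:
    # Reads claims only; signature validation is the JWT library's job, not this audit's.
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def audit_token_response(requested_scopes: list[str], response: dict) -> dict:
    """Compare what the client asked for with what the token endpoint actually returned."""
    scopes = set(requested_scopes)
    report = {
        "unrequested_refresh_token": "refresh_token" in response and "offline_access" not in scopes,
        "unrequested_id_token": "id_token" in response and "openid" not in scopes,
    }
    if "access_token" in response:
        c = _jwt_claims(response["access_token"])
        report["access_token_lifetime_s"] = c["exp"] - c["iat"]
    return report

def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned JWT for the sample below; real B2C tokens are signed and must be verified.
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), ""])

# Constructed sample: openid requested, offline_access not, yet a refresh_token came back.
REQUESTED = ["openid", "https://contoso.example/api/read"]
SAMPLE_RESPONSE = {
    "token_type": "Bearer",
    "access_token": _fake_jwt({"iat": 1667467200, "exp": 1667470800}),
    "id_token": _fake_jwt({"iat": 1667467200, "exp": 1667470800, "sub": "user-1"}),
    "refresh_token": "opaque-constructed-refresh-token",
}
```

Running `audit_token_response(REQUESTED, SAMPLE_RESPONSE)` flags the refresh token as unrequested and reports a 3600-second access token lifetime; adding "offline_access" to the requested scopes clears the flag.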
