B2c: Refresh Token is returned via PKCE flow even without providing 'offline_access' as a scope

Tobias Schmidt 76 Reputation points
2022-11-03T09:56:22.697+00:00

The title already describes the whole problem.

We don't face this issue when using implicit or ROPC flows.

I found a StackOverflow post also describing the same issue with no real answers:
azure-ad-provides-refresh-token-even-i-dont-request-and-permissions-does-not-ha

We're using a custom policy, but this should not have an impact as there's no way to configure this behavior, no?

Edit: if openid is not provided as a scope, the id token is not returned as expected.
So this is solely an issue with the refresh token.

Azure Active Directory External Identities

Accepted answer
  Akshay-MSFT 5,916 Reputation points Microsoft Employee
    2022-11-07T09:40:00.323+00:00

    Hello @Tobias Schmidt

    Thanks for posting your query on Microsoft Q&A. As per B2C token lifetime behavior, if your application had been granted the offline_access scope, the default is 14 days. The minimum (inclusive) is one day. The maximum (inclusive) is 90 days.

    However, single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours, while mobile apps, desktop apps, and web apps do not experience this limitation.


    As per https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#overview-of-the-solution, refresh tokens issued through the authorization code flow to SPA redirect URIs have a 24-hour lifetime rather than a 90-day lifetime.

    Yes, this is the behavior emitted. As per https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-spa#authorization-code-flow-with-pkce:

    OAuth 2.0 Authorization code flow (with PKCE) allows the application to exchange an authorization code for ID tokens to represent the authenticated user and Access tokens needed to call protected APIs. In addition, it returns Refresh tokens that provide long-term access to resources on behalf of users without requiring interaction with those users.

    Please do let me know if you have any further queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well.
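Added example, not code from this thread or from Microsoft: a PKCE client-side check that builds the S256 code_challenge and then audits the token response against the scopes actually requested, so a refresh_token that arrives without offline_access (the behaviour reported above) is flagged and kept out of the client's token cache. The token response and the tenant/API names are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(code_verifier)) without padding, as sent in the /authorize request (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Generate a fresh high-entropy code_verifier and its matching S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def audit_token_response(requested_scopes: set[str], token_response: dict) -> dict:
    """Compare what the client asked for with what the token endpoint returned.

    A refresh_token without offline_access is reported as a finding and dropped from
    the dict the client should persist, so an unrequested long-lived credential never
    reaches storage; an id_token without openid is reported the same way.
    """
    offline_requested = "offline_access" in requested_scopes
    openid_requested = "openid" in requested_scopes
    findings = {
        "unexpected_refresh_token": "refresh_token" in token_response and not offline_requested,
        "unexpected_id_token": "id_token" in token_response and not openid_requested,
    }
    to_store = {k: v for k, v in token_response.items() if k != "refresh_token" or offline_requested}
    return {"findings": findings, "to_store": to_store}


# Constructed sample: a PKCE request whose scope was "openid <api-scope>" with no
# offline_access, yet the (constructed) token response still carries a refresh_token.
SAMPLE_SCOPES = {"openid", "https://contoso.onmicrosoft.com/api/read"}
SAMPLE_RESPONSE = json.loads("""{
  "access_token": "eyJ...constructed...",
  "id_token": "eyJ...constructed...",
  "refresh_token": "0.AXcA...constructed...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "https://contoso.onmicrosoft.com/api/read"
}""")

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("code_challenge matches verifier:", s256_challenge(verifier) == challenge)
    print(json.dumps(audit_token_response(SAMPLE_SCOPES, SAMPLE_RESPONSE)["findings"], indent=2))
```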


0 additional answers