How to extend the expiry of access token so I don't have to refresh as often

Shankar, Pankaja 1 Reputation point
2022-12-06T15:01:03.827+00:00

Describe the Issue
The reason for this task is so I can request an access token on behalf of a non-person user account, completed upfront. This is so I can use it for accessing SharePoint via the Graph API, and in my Python script just use that in the header as a bearer token and access the SharePoint files, lists etc., then refresh the token when it expires. For this I assumed that using offline_access as a scope would yield a longer token expiry duration, so that I don't have to refresh the token as often. But that doesn't seem to be the case...

Steps Taken:

1. In Postman add a new request
2. Go to the Authorization tab and set up the following:
Configuration Options:
Token Name: my-token-name
Grant Type: Authorization Code
Callback URL: http://localhost:8888
Auth URL: https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/my-tenant-id/oauth2/v2.0/token
Client ID: my-client-id
Client Secret: my-client-secret
Scope: sites.manage.all offline_access
State: 12345
Client Authentication: Send as Basic Auth header
Then click on 'Get New Access Token' button
I then get a pop-up to choose which email account I want to use, and then further prompts to enter the uid/pwd as credentials. Then it proceeds to authenticate, grants consent and asks to Proceed.
All looks good
3. Then, on clicking the Proceed button, behind the scenes Postman issues a POST request to the access token URL and the response pops up.
4. On checking in the Postman console, I see two requests, one GET and another POST.
In the GET request I do see the scope being sent as what I set in the Configuration Options in Step 2.
GET https://login.microsoftonline.com/......./oauth2/v2.0/authorize?response_type=code&client_id=......&state=12345&scope=sites.manage.all%20offline_access&redirect_uri=http%3A%2F%2Flocalhost%3A8888
but when I check the POST request I do not see the scope being passed to it, neither in the request body nor as a query string parameter.
POST Request Body
grant_type: "authorization_code"
code: "..."
redirect_uri: "http://localhost:8888"
client_id: "...."

FYI: client_id, code masked above

And so the expiry is not long enough, it's about 4000-5000+ seconds. The reason for using offline_access in the scope was that the documentation says it gives a longer expiration duration, so that I avoid having to refresh the token every so often in a day.
Screen shot of POST response is attached below...

Any help, is appreciated.
TIA

Microsoft Security | Microsoft Graph

3 answers

  1. Bhanu Kiran 3,616 Reputation points
    2022-12-07T02:42:49.197+00:00

    Hello @Shankar, Pankaja ,

    The default lifetime of an access token is 60 minutes. As access tokens are not revoked, extending the lifetime of access tokens is not recommended, because a malicious actor that has obtained an access token can use it for the extent of its lifetime.

    For maximum security and flexibility, it is recommended to use a combination of access token and refresh token. When the access token expires, the application can use the refresh token to obtain a new access token.

    To get the refresh token along with the access and ID tokens, you would need the scope "offline_access" in your request. The default lifetime of a refresh token is 14 days and the maximum lifetime is 90 days.

    Reference Articles: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow
    https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

    Hope this helps.


    3 people found this answer helpful.
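The refresh exchange this answer describes, as an added example that is not part of the thread or of any Microsoft library: a small Python token cache that reuses a Graph access token until shortly before its expires_in runs out, then posts grant_type=refresh_token to the v2.0 token endpoint and stores the rotated refresh token, so a long-running script only ever touches the token endpoint about once per access token lifetime. The tenant, client and scope values, the 300-second renewal margin, and the injectable post() with its constructed fake endpoint are assumptions so the code runs offline; in a real script post would wrap requests.post(url, data=form).json().

```python
import time

# Added example, not code from the thread. Values marked "assumed" are illustrative.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REFRESH_SKEW = 300  # assumed margin (seconds) so a token is never used at the edge of its lifetime


class GraphTokenCache:
    """Holds one access token and renews it with the refresh token when needed.

    post(url, form) is injected so the class can run offline; in production it
    would be something like: lambda url, form: requests.post(url, data=form).json()
    """

    def __init__(self, tenant, client_id, client_secret, scope, post, clock=time.time):
        self.token_url = TOKEN_URL.format(tenant=tenant)
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self.post = post
        self.clock = clock
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0
        self.refresh_count = 0

    def seed(self, token_response):
        """Store the response of the initial authorization_code redemption."""
        self._store(token_response)

    def _store(self, resp):
        if "access_token" not in resp:
            raise RuntimeError(f"token endpoint error: {resp.get('error')}: {resp.get('error_description')}")
        self.access_token = resp["access_token"]
        # The endpoint normally returns a new refresh token; keep the old one if it is omitted.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        # expires_in is the access token lifetime in seconds (~3599 for the default policy).
        self.expires_at = self.clock() + int(resp["expires_in"])

    def _needs_refresh(self):
        return self.access_token is None or self.clock() >= self.expires_at - REFRESH_SKEW

    def _refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refresh token; rerun the interactive authorization code flow")
        # The refresh_token grant of the v2.0 token endpoint. scope must be the same as or a
        # subset of what was granted in the authorize step; client_secret is for confidential clients.
        form = {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
            "scope": self.scope,
        }
        self._store(self.post(self.token_url, form))
        self.refresh_count += 1

    def bearer_header(self):
        """Return the Authorization header for a Graph call, refreshing first if needed."""
        if self._needs_refresh():
            self._refresh()
        return {"Authorization": f"Bearer {self.access_token}"}


def make_fake_endpoint(calls, lifetime=3599):
    """Constructed stand-in for login.microsoftonline.com (not real data): records every
    form body it receives and answers like the v2.0 token endpoint, rotating the refresh token."""
    def post(url, form):
        calls.append(form)
        n = len(calls)
        if form.get("grant_type") != "refresh_token" or not form.get("refresh_token"):
            return {"error": "invalid_grant", "error_description": "constructed failure"}
        return {"token_type": "Bearer", "expires_in": lifetime,
                "access_token": f"access-{n}", "refresh_token": f"refresh-{n}"}
    return post


def simulate(call_times, lifetime=3599):
    """Drive the cache with a fake clock: one Graph call per entry in call_times (seconds).
    Returns the Authorization header used for each call and the token-endpoint requests made."""
    calls, now = [], [0.0]
    cache = GraphTokenCache("my-tenant-id", "my-client-id", "my-client-secret",  # assumed values
                            "https://graph.microsoft.com/Sites.Manage.All offline_access",
                            make_fake_endpoint(calls, lifetime), clock=lambda: now[0])
    # Token set obtained once, interactively, exactly as in the Postman steps above (constructed).
    cache.seed({"access_token": "access-0", "refresh_token": "refresh-0", "expires_in": lifetime})
    headers = []
    for t in call_times:
        now[0] = t
        headers.append(cache.bearer_header()["Authorization"])
    return headers, calls


if __name__ == "__main__":
    headers, calls = simulate([0, 1800, 3600, 5400, 7200])
    print(headers)              # refresh happens at 3600 and 7200, not on every call
    print(len(calls), "refresh requests")
```

With a 3599-second token and the 300-second margin, calls at 0 and 1800 seconds reuse the seeded token, the call at 3600 triggers one refresh (sending refresh-0) and the call at 7200 a second one (sending the rotated refresh-1); the refresh token itself is never put in the Authorization header, and each refresh request carries the scope, so a narrowed scope can be requested here without a new interactive sign-in.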

  2. CarlZhao-MSFT 46,376 Reputation points
    2022-12-07T03:22:37.737+00:00

    Hi @Shankar, Pankaja

    The offline_access scope will only return a refresh token for you, without extending the expiration time of your access token, and your access token will still expire after the default 1 hour, even when you acquire a new access token with a refresh token.

    However, you can try creating a token lifetime policy to customize the lifetime of your access token, so that your access token does not expire for almost a day (< 24 hours).

    # Requires the AzureADPreview module (the token lifetime policy cmdlets are not in the GA AzureAD module)
    Install-Module -Name AzureADPreview

    # Sign in with an account that is allowed to manage token lifetime policies in the tenant
    Connect-AzureAD -Confirm

    # Create the policy. AccessTokenLifetime is capped at one day, so 23:59:59 is the longest accepted value.
    # -IsOrganizationDefault $true applies it to every app in the tenant; use $false to limit it to the
    # service principals it is explicitly assigned to below.
    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:59:59"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

    # Verify the policy was created and shows the expected definition
    Get-AzureADPolicy -Id $policy.Id

    # Get ID of the service principal (the enterprise app the tokens are issued for)
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '<service principal display name>'"

    # Assign policy to a service principal; tokens issued to that app afterwards use the new lifetime
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    





  3. Shankar, Pankaja 1 Reputation point
    2022-12-09T15:10:05.077+00:00

    As the client policy is very stringent, I do not have admin privileges to do what you have suggested. Also, from what I am told, it is company-wide policy not to allow any such token policy changes. So I am not sure what else can be done to extend beyond one hour.

