Question about refresh tokens

G_Qin 26 Reputation points
2022-12-09T16:23:45.153+00:00

I have a question about Refresh/Session ids. I read about refresh and access tokens and their lifetime on learn.microsoft. From what I could understand, an access token lasts 24 hours and can be refreshed from a session id which lasts for 14 days. I'm confused about the inactive time, which is apparently 90 days.

How does a refresh token become inactive? To explain my situation, my Microsoft account was hacked last Thursday, where the email, password, phone, and other security details were all changed. I'm mainly concerned about my Minecraft account linked to the Microsoft account. I use a mod called Essentials (https://essential.gg/en/), which allows you to switch accounts in the actual game, not the launcher. In the Essentials config folder in the %appdata% .minecraft folder, there is a JSON file called microsoft_accounts. I found out that my refresh token expires at 1670730812 Unix time, which is tomorrow, December 10, at around 11 pm. My Minecraft account has a very valuable profile on a server and is currently banned (unable to join the server) until next Thursday (December 15) at 7:22 pm EST. If I am able to log on using Essentials, I would be able to salvage the profile.

All in all, I'm asking how a refresh token becomes inactive.
https://learn.microsoft.com/en-us/answers/questions/340205/for-how-long-i-can-keep-using-the-refresh-token.html
Looking at that post from a while ago, the second paragraph caught my attention. For the last week, I have been constantly checking if I still had access in Essentials, meaning that the 14 day countdown was still ticking. If I do not log on for the next 24 hours, will the key become inactive and will the timer increase to 90 days until I use it again?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
    Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-12-12T14:18:20.147+00:00

    Hi @G_Qin ,

    Thanks for reaching out.

    Your understanding is correct here.

    By default, the refresh token MaxInactiveTime will be 90 days and MaxAgeMultiFactor will be until revoked.
    As we are using the refresh token every day to get an access token, this means the refresh token should not expire (as the MaxInactiveTime 90-day condition will never be met).

    However, you can revoke the refresh token at any time for a signed-in user using

    POST
    https://graph.microsoft.com/v1.0/me/revokeSignInSessions
    https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user/revokeSignInSessions

    which will revoke the refresh token, and the application will not be able to redeem the refresh tokens (long-lived tokens) to acquire new access tokens.

    Hope this will help.

    Thanks,
    Shweta

    -------------------------

    Please remember to "Accept Answer" if answer helped you.
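The two rules named in the accepted answer (a MaxInactiveTime of 90 days that restarts every time the refresh token is redeemed, and revocation through revokeSignInSessions), together with the Unix expiry timestamp quoted in the question, worked through as an added example. This is illustrative Python written for this page, not Microsoft's or Essentials' code: the TokenService model, the treatment of revocation as a per-user cut-off instant that rejects tokens issued before it, the user name "g_qin" and the start date are all assumptions made for the example, and the 14-day session figure from the question is not modelled.

```python
"""Added example: a model of the refresh-token rules named in the accepted answer.

Not Microsoft's or Essentials' code. It encodes a MaxInactiveTime of 90 days
that restarts on every successful redemption, and revocation through
revokeSignInSessions, modelled here as a per-user cut-off instant that rejects
tokens issued before it (an assumption of this example). The user name and the
start date are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

MAX_INACTIVE_TIME = timedelta(days=90)  # default stated in the accepted answer


@dataclass
class RefreshToken:
    user: str
    issued_at: datetime
    last_used: datetime  # moved forward on every successful redemption


@dataclass
class TokenService:
    # user -> cut-off instant; tokens issued before it are rejected (assumed model)
    sessions_valid_from: Dict[str, datetime] = field(default_factory=dict)

    def issue(self, user: str, now: datetime) -> RefreshToken:
        return RefreshToken(user=user, issued_at=now, last_used=now)

    def redeem(self, token: RefreshToken, now: datetime) -> Tuple[bool, str]:
        """Exchange the refresh token for a new access token.

        Returns (accepted, reason). A successful redemption restarts the
        inactivity window, which is why daily use never trips the 90-day rule.
        """
        cutoff = self.sessions_valid_from.get(token.user)
        if cutoff is not None and token.issued_at < cutoff:
            return False, "revoked"
        if now - token.last_used > MAX_INACTIVE_TIME:
            return False, "inactive"
        token.last_used = now
        return True, "access token issued"

    def revoke_sign_in_sessions(self, user: str, now: datetime) -> None:
        """Model of POST .../users/{id}/revokeSignInSessions: from this instant
        on, only tokens issued after it are honoured for the user."""
        self.sessions_valid_from[user] = now


START = datetime(2022, 12, 9, tzinfo=timezone.utc)  # constructed start date


def redeem_on_days(days: Iterable[int], revoke_on_day: Optional[int] = None) -> List[str]:
    """Issue a token on day 0, redeem it on each listed day, return the outcomes.

    If revoke_on_day is given, the user's sessions are revoked at the start of
    that day, before any redemption attempted on or after it.
    """
    svc = TokenService()
    token = svc.issue("g_qin", START)  # constructed user name
    revoked = False
    outcomes = []
    for d in days:
        now = START + timedelta(days=d)
        if revoke_on_day is not None and not revoked and d >= revoke_on_day:
            svc.revoke_sign_in_sessions("g_qin", START + timedelta(days=revoke_on_day))
            revoked = True
        outcomes.append(svc.redeem(token, now)[1])
    return outcomes


def token_issued_after_revocation_works() -> bool:
    """Revocation affects existing tokens only; a fresh sign-in yields a usable one."""
    svc = TokenService()
    old = svc.issue("g_qin", START)
    svc.revoke_sign_in_sessions("g_qin", START + timedelta(hours=1))
    new = svc.issue("g_qin", START + timedelta(hours=2))
    later = START + timedelta(days=1)
    return (not svc.redeem(old, later)[0]) and svc.redeem(new, later)[0]


def expiry_from_unix(ts: int, utc_offset_hours: int = 0) -> str:
    """Render a Unix-time expiry, like the one in the Essentials config,
    as ISO 8601 at a fixed UTC offset (e.g. -5 for EST)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ts, tz=tz).isoformat()


if __name__ == "__main__":
    print("used daily for 200 days:", set(redeem_on_days(range(1, 201))))
    print("unused for 91 days:", redeem_on_days([91]))
    print("used on day 89 and 178:", redeem_on_days([89, 178]))
    print("revoked on day 2:", redeem_on_days([1, 2], revoke_on_day=2))
    print("fresh token after revocation works:", token_issued_after_revocation_works())
    print("expiry 1670730812 (UTC / EST):",
          expiry_from_unix(1670730812), expiry_from_unix(1670730812, -5))
```

Two things the model makes visible: the inactivity clock is measured from the last successful redemption, not from issuance, so a token redeemed on day 89 and again on day 178 survives while one left untouched for 91 days does not; and revocation rejects the existing token regardless of how recently it was used, while a token issued by a fresh sign-in after the revocation instant is accepted. The timestamp helper shows that 1670730812 is 03:53:32 UTC on 11 December 2022, which is about 10:53 pm EST on 10 December, matching the "around 11 pm" in the question.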


0 additional answers
