AD B2C: Extending token lifetime with custom policy does not work

metalheart 251 Reputation points
2023-03-14T13:51:43.74+00:00

I am wondering why changing the token lifetime in a custom policy as per [this article] doesn't work for me?

This is what I've done:

  1. Added this claims provider into TrustFrameworkExtensions.xml:
     <ClaimsProvider>
        <DisplayName>Token Issuer</DisplayName>
        <TechnicalProfiles>
           <TechnicalProfile Id="JwtIssuer">
              <Metadata>
                 <Item Key="token_lifetime_secs">7200</Item>
                 <Item Key="id_token_lifetime_secs">7200</Item>
                 <Item Key="refresh_token_lifetime_secs">1209600</Item>
                 <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
                 <!--<Item Key="allow_infinite_rolling_refresh_token">true</Item>-->
                 <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
              </Metadata>
           </TechnicalProfile>
        </TechnicalProfiles>
     </ClaimsProvider>
  2. Acquired the authorization code from: https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SignIn&client_id=<clientId>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.io&scope=openid%20offline_access&response_type=code
  3. Redeemed the authorization code
   curl --request POST \
     --url https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1A_SignIn/oauth2/v2.0/token \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data client_id=<clientId> \
     --data code=<code> \
     --data 'scope=openid profile' \
     --data grant_type=authorization_code \
     --data redirect_uri=https://jwt.io \
     --data state=123 \
     --data 'client_secret=<clientSecret>'
  4. This is what I'm getting: [user's image]

Accepted answer
  Shweta Mathur 12,906 Reputation points Microsoft Employee
    2023-03-17T07:08:43.41+00:00

    Hi @metalheart ,

    Thanks for reaching out.

    The above XML which you shared is an example to configure the token lifetime behavior only; to emit the changes, you need to configure the technical profile for a JWT token issuer.

    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
        <Item Key="token_lifetime_secs">7200</Item>
        <Item Key="id_token_lifetime_secs">7200</Item>
        <Item Key="refresh_token_lifetime_secs">1209600</Item>
        <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
    </TechnicalProfile>

    and then add that technical profile in the last step of your user journey to emit the JWT token.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile

    Hope this will help.

    Thanks,

    Shweta

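The two practical questions on this thread are (a) does the policy actually wire the JwtIssuer technical profile with its lifetime metadata into the last step of the user journey, as the answer describes, and (b) did the lifetime take effect in the tokens the `/token` endpoint returns, which is what the original poster was trying to see at jwt.io. The following Python script is an added example, not code from the thread or from Microsoft: it parses a constructed policy fragment modelled on the answer's profile (the user journey steps and the `SignIn` journey id are assumptions), reads the `*_lifetime_secs` items, checks that the final `SendClaims` orchestration step references `JwtIssuer`, and then compares `exp - iat` in a constructed token response against the configured values. The token payloads are decoded without signature verification, which is only acceptable for inspecting lifetimes locally, never for accepting a token.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed policy fragment modelled on the JwtIssuer profile in the answer above.
# A real TrustFrameworkExtensions.xml declares a default xmlns on its root element;
# strip it (or add a namespace map to the XPath below) before running these checks on it.
POLICY_XML = """<TrustFrameworkPolicy>
  <ClaimsProviders><ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="JwtIssuer">
        <DisplayName>JWT Issuer</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputTokenFormat>JWT</OutputTokenFormat>
        <Metadata>
          <Item Key="token_lifetime_secs">7200</Item>
          <Item Key="id_token_lifetime_secs">7200</Item>
          <Item Key="refresh_token_lifetime_secs">1209600</Item>
          <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
          <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
        </CryptographicKeys>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider></ClaimsProviders>
  <UserJourneys><UserJourney Id="SignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin" />
      <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""


def issuer_lifetimes(policy_xml, profile_id="JwtIssuer"):
    """Return {metadata key: seconds} for every *_lifetime_secs item on the issuer profile."""
    root = ET.fromstring(policy_xml)
    profile = root.find(f".//TechnicalProfile[@Id='{profile_id}']")
    if profile is None:
        raise ValueError(f"no TechnicalProfile with Id={profile_id!r}")
    return {item.get("Key"): int(item.text)
            for item in profile.findall("./Metadata/Item")
            if item.get("Key", "").endswith("_lifetime_secs")}


def last_step_issues_with(policy_xml, journey_id, profile_id="JwtIssuer"):
    """True if the highest-Order step of the journey is SendClaims via the given issuer profile."""
    root = ET.fromstring(policy_xml)
    steps = root.findall(f".//UserJourney[@Id='{journey_id}']/OrchestrationSteps/OrchestrationStep")
    if not steps:
        return False
    last = max(steps, key=lambda s: int(s.get("Order")))
    return (last.get("Type") == "SendClaims"
            and last.get("CpimIssuerTechnicalProfileReferenceId") == profile_id)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload claims of a compact JWT WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _make_sample_jwt(claims):
    # Constructed, unverifiable sample token with a placeholder signature, for local decoding only.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()), "placeholder-signature"])


IAT = 1678801903  # constructed issue time (seconds since epoch)
ISS = "https://example.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"  # placeholder issuer
SAMPLE_TOKEN_RESPONSE = {  # constructed /token response; the real one carries signed tokens
    "access_token": _make_sample_jwt({"iss": ISS, "iat": IAT, "nbf": IAT, "exp": IAT + 7200}),
    # id token constructed with a 1-hour window, i.e. the configured lifetime did NOT reach it
    "id_token": _make_sample_jwt({"iss": ISS, "iat": IAT, "nbf": IAT, "exp": IAT + 3600}),
    "token_type": "Bearer",
    "expires_in": 7200,
}


def check_token_lifetime(token_response, configured):
    """Map each token to (observed exp-iat, configured seconds, matches?)."""
    results = {}
    for name, key in (("access_token", "token_lifetime_secs"), ("id_token", "id_token_lifetime_secs")):
        claims = jwt_claims(token_response[name])
        observed = claims["exp"] - claims["iat"]
        results[name] = (observed, configured[key], observed == configured[key])
    return results


if __name__ == "__main__":
    lifetimes = issuer_lifetimes(POLICY_XML)
    print("configured:", lifetimes)
    print("SignIn journey ends with SendClaims via JwtIssuer:", last_step_issues_with(POLICY_XML, "SignIn"))
    for token, (observed, wanted, ok) in check_token_lifetime(SAMPLE_TOKEN_RESPONSE, lifetimes).items():
        print(f"{token}: exp-iat={observed}s configured={wanted}s {'OK' if ok else 'MISMATCH'}")
```

Run against a real response from the curl call in the question, the `id_token` line is the one to watch: if `exp - iat` still reports the old window after the policy upload, the profile that is actually referenced by the journey's final `SendClaims` step is not the one carrying the new metadata, which is the situation the accepted answer describes.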