AD B2C: Extending token lifetime with custom policy does not work

metalheart 361 Reputation points
2023-03-14T13:51:43.74+00:00

I am wondering why changing the token lifetime in a custom policy as per [this article] doesn't work for me?

This is what I've done:

  1. Added this claims provider into TrustFrameworkExtensions.xml:
   <ClaimsProvider>
      <DisplayName>Token Issuer</DisplayName>
      <TechnicalProfiles>
         <TechnicalProfile Id="JwtIssuer">
            <Metadata>
               <Item Key="token_lifetime_secs">7200</Item>
               <Item Key="id_token_lifetime_secs">7200</Item>
               <Item Key="refresh_token_lifetime_secs">1209600</Item>
               <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
               <!--<Item Key="allow_infinite_rolling_refresh_token">true</Item>-->
               <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
            </Metadata>
         </TechnicalProfile>
      </TechnicalProfiles>
   </ClaimsProvider>
  2. Acquired the authorization code from: https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SignIn&client_id=<clientId>&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.io&scope=openid%20offline_access&response_type=code
  3. Redeemed the authorization code:
   curl --request POST \
     --url 'https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1A_SignIn/oauth2/v2.0/token' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data 'client_id=<clientId>' \
     --data 'code=<code>' \
     --data 'scope=openid profile' \
     --data 'grant_type=authorization_code' \
     --data 'redirect_uri=https://jwt.io' \
     --data 'state=123' \
     --data 'client_secret=<clientSecret>'
  4. This is what I'm getting: [User's image]

Accepted answer
  1. Shweta Mathur 28,196 Reputation points Microsoft Employee
    2023-03-17T07:08:43.41+00:00

    Hi @metalheart,

    Thanks for reaching out.

    The XML you shared above is an example that configures the token lifetime behavior only. To emit the changes, you need to configure a technical profile for a JWT token issuer:

    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
        <Item Key="token_lifetime_secs">7200</Item>
        <Item Key="id_token_lifetime_secs">7200</Item>
        <Item Key="refresh_token_lifetime_secs">1209600</Item>
        <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
      </CryptographicKeys>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
    </TechnicalProfile>
    
    

    and then add that technical profile in the last step of your user journey to emit the JWT token.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile

    Hope this will help.

    Thanks,

    Shweta
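
To confirm whether a lifetime change in the policy reached the issued tokens, compare the token's own timestamps with the configured `token_lifetime_secs`. The following is an added example, not part of the original thread or of Microsoft's code; it decodes the JWT payload without verifying the signature (inspection only), and `make_sample_token` with its timestamps is constructed for the demo.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_lifetime_secs(token: str) -> int:
    """Lifetime as the token itself states it: exp minus nbf (falling back to iat)."""
    claims = jwt_claims(token)
    start = claims.get("nbf", claims.get("iat"))
    if "exp" not in claims or start is None:
        raise ValueError("token lacks exp or nbf/iat")
    return int(claims["exp"]) - int(start)


def check_lifetime(token: str, configured_secs: int, tolerance: int = 0) -> bool:
    """True when the issued lifetime matches the value set in the policy metadata."""
    return abs(token_lifetime_secs(token) - configured_secs) <= tolerance


def make_sample_token(nbf: int, exp: int) -> str:
    # Constructed sample with a placeholder signature; not a real B2C token.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"nbf": nbf, "iat": nbf, "exp": exp}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "constructed-signature"])


if __name__ == "__main__":
    CONFIGURED = 7200  # token_lifetime_secs from the policy in this thread
    samples = [("lifetime unchanged", make_sample_token(1678800000, 1678803600)),
               ("lifetime applied", make_sample_token(1678800000, 1678807200))]
    for label, tok in samples:
        print(label, token_lifetime_secs(tok), check_lifetime(tok, CONFIGURED))
```

Pass the `id_token` or `access_token` string from the token response to `check_lifetime` in place of the constructed samples.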
