MSAL Expiration after a day

Shivam Pandey 0 Reputation points
2023-05-29T05:41:48.8566667+00:00

After 24 hours, my refresh token expires. I have attempted to obtain a new access token once it expires, but unfortunately, I have been unsuccessful in obtaining a new access token.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-05-30T11:25:25.6366667+00:00

    @Shivam Pandey

    Thank you for posting your query on Microsoft Q&A. From the above query I could understand that you want to know the following:

    • Why does your refresh token expire in 2 hours?

    Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.

    Refresh tokens can be revoked at any time, because of timeouts and revocations. Your app must handle rejections by the sign-in service gracefully when this occurs. This is done by sending the user to an interactive sign-in prompt to sign in again.

    Refresh and session token configuration are affected by the following properties and their respectively set values. After the retirement of refresh and session token configuration on January 30, 2021, Azure AD will only honor the default values described below. If you decide not to use Conditional Access to manage sign-in frequency, your refresh and session tokens will be set to the default configuration on that date and you'll no longer be able to change their lifetimes.

    [Image attached to the original answer, not reproduced here]

    If it's a SPA, or if a sign-in frequency control policy is applied, then the refresh token may expire before 90 days.

    • Why are you not able to get a new access token with expired refresh token?

    Assuming you are using the on-behalf-of flow to get an access token via the existing refresh token: it would not fetch any access token for you, as the token can't be validated due to "exp" (expiration time).

    In this case you need to have an interactive session and provide the password to get a new pair of access and refresh tokens.

    Now you could use this new refresh token within its lifetime (24 hours in your case) to get a new pair of access and refresh tokens.

    Please do let me know if you have any queries in the comments section.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
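The answer above makes two points a client has to act on: a silent token request can be rejected once the refresh token has expired or been revoked, and the app then has to send the user through an interactive sign-in to obtain a new access/refresh token pair, which it can use silently until that pair expires in turn. The block below is an added example, not code from the thread or from MSAL; it implements that "silent first, interactive on rejection" pattern against the shape of the @azure/msal-browser client API (`acquireTokenSilent` / `acquireTokenPopup`) without importing the library, so it runs offline. Assumptions are labelled in the comments: the set of error codes treated as "interaction required", the `name` string MSAL's `InteractionRequiredAuthError` carries, and the constructed fake client (`makeFakeClient`) that models a SPA session with a 24-hour, non-sliding refresh token and an unsigned placeholder JWT.

```javascript
// Added example, not from the Q&A thread and not MSAL's own code. Any object
// with acquireTokenSilent()/acquireTokenPopup() returning { accessToken } can
// be passed as `client`, e.g. a real MSAL PublicClientApplication.

// MSAL rejects a silent request with InteractionRequiredAuthError when the
// sign-in service demands a fresh sign-in (expired/revoked refresh token,
// missing consent, sign-in frequency policy). The class sets `name` to that
// string. Assumption: the codes below are the OIDC ones MSAL maps to it, plus
// invalid_grant, which the token endpoint returns for a dead refresh token.
const INTERACTION_REQUIRED_CODES = new Set([
  "interaction_required", "login_required", "consent_required", "invalid_grant",
]);

function isInteractionRequired(err) {
  if (!err) return false;
  return err.name === "InteractionRequiredAuthError" ||
    INTERACTION_REQUIRED_CODES.has(err.errorCode);
}

// base64url helpers that work in Node and in the browser.
function b64urlDecode(s) {
  const padded = s.padEnd(s.length + (4 - (s.length % 4)) % 4, "=");
  const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
  return typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}
function b64urlEncode(s) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(s, "utf8").toString("base64") : btoa(s);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the exp claim of an access token WITHOUT verifying the signature. This
// is only a local hint ("is the token I hold still worth sending?"); the
// resource API, not the client, is the party that validates the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Treat the token as usable only if exp is still more than skewSeconds away.
function accessTokenIsFresh(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 300) {
  const { exp } = decodeJwtPayload(token);
  return Number.isInteger(exp) && exp - skewSeconds > nowSeconds;
}

// Constructed, unsigned token (alg "none", placeholder signature) used only to
// exercise the exp check offline. A server must never accept such a token.
function makeUnsignedJwt(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.placeholder`;
}

// The pattern the answer recommends: try silently (cached access token, else
// redeem the refresh token); if the service says a sign-in is required, go
// interactive for a new access/refresh pair; surface anything else unchanged
// so transient network/server errors are retried instead of bouncing the user.
async function acquireToken(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { accessToken: result.accessToken, interactive: false };
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    const result = await client.acquireTokenPopup(request);
    return { accessToken: result.accessToken, interactive: true };
  }
}

// Constructed stand-in for an MSAL client (assumption: simplified model). It
// models the SPA case from the answer: the refresh token lives for 24 hours
// from the interactive sign-in and is not extended by silent redemptions;
// access tokens last one hour. `clock()` returns seconds since the epoch.
function makeFakeClient({ clock, refreshTokenLifetime = 24 * 3600, accessTokenLifetime = 3600 }) {
  let refreshIssuedAt = null;           // null: no session yet
  const calls = { silent: 0, popup: 0 };
  const mint = () => ({ accessToken: makeUnsignedJwt({ exp: clock() + accessTokenLifetime, scp: "User.Read" }) });
  return {
    calls,
    async acquireTokenSilent() {
      calls.silent += 1;
      if (refreshIssuedAt === null || clock() - refreshIssuedAt >= refreshTokenLifetime) {
        throw Object.assign(new Error("refresh token missing or expired"), {
          name: "InteractionRequiredAuthError", errorCode: "interaction_required",
        });
      }
      return mint();                    // refresh token redeemed; new access token only
    },
    async acquireTokenPopup() {
      calls.popup += 1;
      refreshIssuedAt = clock();        // interactive sign-in: fresh refresh token
      return mint();
    },
  };
}
```

Driving `acquireToken` against `makeFakeClient` with an adjustable clock shows the lifecycle from the thread: the first call is interactive (no session), a call an hour later succeeds silently on the refresh token, and a call past the 24-hour mark is rejected silently and goes interactive again; a non-interaction error such as a network failure is rethrown rather than triggering a prompt.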
