Seeking guidance on implementing user authentication flow with longer refresh token expiry in Azure AD

Teja Arendala 0 Reputation points
2023-07-05T13:53:46.3566667+00:00
I'm currently working on implementing user authentication in my application using Azure AD. I have a few requirements and encountered some challenges. Here's a summary of my situation:

    I have implemented the Authorization code flow with PKCE in my Single-Page Application (SPA). However, the access token has a short expiry of 1 hour, and the refresh token expires after 24 hours. I need the refresh token to have a longer expiry period.

    In an attempt to address the refresh token expiry issue, I explored the implicit grant flow. I tried obtaining the access token using a hidden iframe, but I encountered CORS errors. After reviewing the documentation, I found that the Microsoft Authorization Server does not allow CORS for SPAs.

    Considering my requirement for a longer refresh token expiry and the limitations with the implicit grant flow, I'm looking for an alternative solution that would meet my needs. I specifically need a user authentication flow that supports a longer refresh token expiry period.

I would greatly appreciate any guidance or recommendations on how to achieve this within the Azure AD ecosystem. Is there a specific authentication flow or configuration that would allow me to implement user authentication with a longer refresh token expiry?

Thank you in advance for your assistance.

2 answers

  1. Akshay-MSFT 17,906 Reputation points Microsoft Employee
    2023-07-06T07:33:57.47+00:00

    @Teja Arendala

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are looking for an auth flow that supports a longer refresh token lifetime (more than 24 hours).

    Please do correct me if this is not the case by responding in the comments section.

    As per Token lifetime, refresh tokens used in single-page apps are always fixed to 24 hours of activity, as if they have a MaxAgeSessionSingleFactor policy of 24 hours applied to them.

    Refresh tokens sent to a redirect URI registered as spa expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the sign-in page in a top-level frame to show the login session. This is due to privacy features in browsers that block third party cookies.

    For the Microsoft identity platform, SPAs and native clients follow similar protocol guidance:

    • Use of a PKCE code challenge
      • PKCE is required for SPAs on the Microsoft identity platform. PKCE is recommended for native and confidential clients.
    • No use of a client secret

    SPAs have two more restrictions:

    The only workaround is not to register the app as a SPA, be it a desktop/mobile or web application; then you get the default period of 90 days that applies to all other scenarios.

    You can also control the lifetime by Configuring authentication session management with Conditional Access.

    Please do let me know if you have any further queries.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.


  2. CarlZhao-MSFT 45,181 Reputation points
    2023-07-06T07:44:20.69+00:00

    Hi @Teja Arendala

    The default lifetime for refresh tokens is 24 hours for single page apps, which is by design. There is currently no specific authentication flow or configuration to extend the lifetime of refresh tokens for single page apps.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

