Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you are looking for an auth flow that supports a longer refresh token lifetime (more than 24 hours).
Please do correct me if this is not the case by responding in the comments section.
As per Token lifetime, refresh tokens used in single-page apps are always fixed to 24 hours of activity, as if they have a MaxAgeSessionSingleFactor policy of 24 hours applied to them.
Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the sign-in page in a top-level frame to show the login session. This is due to privacy features in browsers that block third party cookies.
For the Microsoft identity platform, SPAs and native clients follow similar protocol guidance:
- Use of a PKCE code challenge
  - PKCE is required for SPAs on the Microsoft identity platform. PKCE is recommended for native and confidential clients.
- No use of a client secret
SPAs have two more restrictions:
- The redirect URI must be marked as type `spa` to enable CORS on login endpoints.
- Refresh tokens issued through the authorization code flow to `spa` redirect URIs have a 24-hour lifetime rather than a 90-day lifetime.
The only workaround is not to register the app as a SPA, be it a desktop/mobile or web application, and then you may have the default period of 90 days for all other scenarios.
You can also control the lifetime by Configuring authentication session management with Conditional Access.
Please do let me know if you have any further queries.
Thanks,
Akshay Kaushik
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.
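The 24-hour rule described in the answer above, sketched as client-side bookkeeping. This is an added example, not code from the original answer or from Microsoft: the function names and the 5-minute clock-skew margin are assumptions, and the token response fields are the standard OAuth 2.0 ones. It shows that a refresh keeps the deadline set at the interactive sign-in, so the app knows when it must rerun the authorization code flow.

```javascript
const HOUR_MS = 60 * 60 * 1000;
// Lifetime quoted in the answer for refresh tokens issued to `spa` redirect URIs.
const SPA_REFRESH_LIFETIME_MS = 24 * HOUR_MS;

// Call once, when the authorization code from an interactive sign-in is redeemed.
function startSession(tokenResponse, nowMs) {
  return {
    accessToken: tokenResponse.access_token,
    accessExpiresAt: nowMs + tokenResponse.expires_in * 1000,
    refreshToken: tokenResponse.refresh_token,
    // Absolute deadline for the whole refresh-token chain.
    refreshDeadline: nowMs + SPA_REFRESH_LIFETIME_MS,
  };
}

// Call after each refresh_token grant. The new refresh token replaces the
// old one, but it carries over the original expiration, so the deadline
// is deliberately NOT recomputed from nowMs.
function applyRefresh(session, tokenResponse, nowMs) {
  return {
    ...session,
    accessToken: tokenResponse.access_token,
    accessExpiresAt: nowMs + tokenResponse.expires_in * 1000,
    refreshToken: tokenResponse.refresh_token || session.refreshToken,
  };
}

// Decide what the app has to do before its next API call.
// skewMs is an assumed safety margin for clock drift and request latency.
function nextAction(session, nowMs, skewMs = 5 * 60 * 1000) {
  if (nowMs + skewMs < session.accessExpiresAt) return 'use_access_token';
  if (nowMs + skewMs < session.refreshDeadline) return 'refresh';
  // Refresh chain is exhausted: rerun the authorization code flow with PKCE
  // in a top-level frame (full-page redirect), not a hidden iframe.
  return 'interactive';
}
```

A client that instead reset the deadline on every refresh would keep sending a refresh token the identity platform already treats as expired, and would only find out from the failed token request.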