Why the AD B2C token on my Single Page Web app kept getting expired and require new signin?

Question

Why the AD B2C token on my Single Page Web app kept getting expired and require new signin?

Jun Suh Lee 25

Jul 21, 2023, 4:30 AM

Hello,

I'm currently building a website using AD B2C.

It is a React website that is using @azure/msal-browser, @azure/msal-common and @azure/msal-react

The "Access & ID token lifetime" of the User Flow is 60 minutes and "Refresh token lifetime (days)" is 14 days. Refresh token sliding window lifetime is "No expiry".

If I understand correctly, the website should not ask me to login again as long as I'm accessing the website within 14 days (the refresh token lifetime), since the website is calling "acquireTokenSilent" every time any page is loaded.

However the acquireTokenSilent is failing too often (it works ok if i reload the page in 30 minutes or so, but failing if i didn't reload in few hours) and require me to signin again.

Could you tell me which part potentially that I'm doing wrong?

Additional information (in case):

It is localhost environment that I'm testing the website (ex: localhost:3000)
I'm using Chrome browser for testing

Accepted answer

1 additional answer

Your answer

Answer 1

Shweta Mathur 30,256 Microsoft Employee

Jul 25, 2023, 10:37 AM

Hi @Jun Suh Lee ,

Thanks for reaching out.

Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours. After they've expired, you will need to request for new access and refresh token.

Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#security-implications-of-refresh-tokens-in-the-browser

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Jun Suh Lee 25 Reputation points

Jul 25, 2023, 2:36 PM
Hi Shweta! Thanks for the answer.

Got it. I have a follow up questions

Does your answer means that the users of my website (single page application) always have to re-signin using pop-up (or redirect) at least every 24 hours? or there are other way that I could silently refresh the 'refresh token' itself?
Shweta Mathur 30,256 Reputation points Microsoft Employee

Jul 26, 2023, 6:02 AM

Jun Suh Lee

As mentioned, refresh tokens sent to a redirect URI registered as spa expire after 24 hours.

Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the sign-in page in a top-level frame to show the login session.

Please remember to "Accept Answer" if answer helped you.
Jun Suh Lee 25 Reputation points

Jul 26, 2023, 6:05 AM

Got it thanks for the explanation. I will close this for now and will back if I get more questions, thank you!

Answer 2

James Hamil 27,001 Microsoft Employee

Jul 21, 2023, 7:17 PM

Hi @Jun Suh Lee , can you please review the following and let me know if it changes anything?

Third-party cookies: Make sure that your browser is not blocking third-party cookies. MSAL relies on cookies to maintain the user's session, and blocking them might cause issues with token acquisition.
Token expiration: Ensure that your access and ID token lifetimes are set correctly. By default, they are set to 1 hour If you need a longer lifetime, you can adjust these settings.
Browser settings: Check your browser settings to ensure that it's not clearing cookies or site data when you close the browser or after a certain period of inactivity.
Application configuration: Verify that your application is correctly configured to handle token acquisition and renewal. Make sure that the acquireTokenSilent function is being called with the correct parameters and that your application is handling token renewal properly.

Also, are you using logs anywhere? It might help narrow down the issue. Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Jun Suh Lee 25 Reputation points

Jul 21, 2023, 7:29 PM
Hi @james hamil

Just checked my browser doesn't block third party cookies, in fact, the session is 'usually' good, it's just once in a couple days, it is expired and cannot get new token but have to signin again

Token lifetime is, as i mentioned, 60 minutes, however the refresh token lifetime is 14 days. Doesn't refresh token's lifetime determine how long i could be inactive on my website? (let me know if i'm wrong, I'm new to how authentication works)

Browser is not clearing the cookies on closure, in fact, I did not close the browser or the tab when I observe this particular behavior. I was only inactive for some duration (probably more than 1 hour or so but not exceeding 1 day)

I believe I'm using acquireTokenSilent correctly. What I do is following. Every time the website is loaded, it lets the instance (of msal) calls 'getAllAccounts' and then we retrieve the first account (accounts[0]), since only one account is logged in always, and then call acquireTokenSilent(<the first account>), let me know if this is wrong way to use acquireTokenSilent

Thank you,

Jun
Jun Suh Lee 25 Reputation points

Jul 22, 2023, 2:09 AM

It just happened one more time so I attach the screenshot of the logs

The future is yours

Share via

Why the AD B2C token on my Single Page Web app kept getting expired and require new signin?

1 additional answer

Your answer