Why does the AD B2C token on my single-page web app keep expiring and require a new sign-in?

Jun Suh Lee 25 Reputation points
2023-07-21T04:30:27.4066667+00:00

Hello,

I'm currently building a website using AD B2C.

It is a React website that is using @azure/msal-browser, @azure/msal-common and @azure/msal-react.

The "Access & ID token lifetime" of the User Flow is 60 minutes and "Refresh token lifetime (days)" is 14 days. Refresh token sliding window lifetime is "No expiry".

If I understand correctly, the website should not ask me to log in again as long as I'm accessing the website within 14 days (the refresh token lifetime), since the website is calling "acquireTokenSilent" every time any page is loaded.

However, acquireTokenSilent is failing too often (it works OK if I reload the page within 30 minutes or so, but fails if I didn't reload for a few hours) and requires me to sign in again.

Could you tell me which part I'm potentially doing wrong?

Additional information (in case):

  • It is a localhost environment that I'm testing the website in (e.g. localhost:3000)
  • I'm using Chrome browser for testing
Microsoft Entra External ID

Accepted answer
  1. Shweta Mathur 25,471 Reputation points Microsoft Employee
    2023-07-25T10:37:37.8866667+00:00

    Hi @Jun Suh Lee ,

    Thanks for reaching out.

    Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours. After it has expired, you will need to request a new access token and refresh token.

    Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#security-implications-of-refresh-tokens-in-the-browser

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if the answer helped you.


1 additional answer

  1. James Hamil 20,816 Reputation points Microsoft Employee
    2023-07-21T19:17:51.7333333+00:00

    Hi @Jun Suh Lee , can you please review the following and let me know if it changes anything?

    1. Third-party cookies: Make sure that your browser is not blocking third-party cookies. MSAL relies on cookies to maintain the user's session, and blocking them might cause issues with token acquisition.
    2. Token expiration: Ensure that your access and ID token lifetimes are set correctly. By default, they are set to 1 hour. If you need a longer lifetime, you can adjust these settings.
    3. Browser settings: Check your browser settings to ensure that it's not clearing cookies or site data when you close the browser or after a certain period of inactivity.
    4. Application configuration: Verify that your application is correctly configured to handle token acquisition and renewal. Make sure that the acquireTokenSilent function is being called with the correct parameters and that your application is handling token renewal properly.

    Also, are you using logs anywhere? It might help narrow down the issue. Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
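The following is an added example, not code from the question or from either answer. It illustrates the renewal behaviour the accepted answer describes (a 24-hour refresh token cap for SPAs, independent of the 14-day user-flow setting) and the "handle token renewal properly" point in the second answer: `acquireTokenSilent` is tried first, and the app only falls back to an interactive request when the error really is an interaction-required one. `SimulatedMsalClient`, `getAccessToken` and `simulateSession` are names chosen here; the client mirrors the shape of `@azure/msal-browser`'s `PublicClientApplication` (`acquireTokenSilent`, `acquireTokenRedirect`, `InteractionRequiredAuthError`) but is constructed locally so the example runs offline. The 24-hour cap is modelled as counted from the original sign-in, which is an assumption of this simulation.

```javascript
// Added example: silent renewal with an interactive fallback, run against a
// simulated MSAL-like client so it executes offline. Not the thread's own code.

const MINUTE_MS = 60 * 1000;
const HOUR_MS = 60 * MINUTE_MS;

// Lifetimes from the thread: access/ID token 60 minutes (the user flow setting),
// refresh token capped at 24 hours for SPAs (accepted answer). Assumption: the
// cap is counted from the original sign-in and is not extended by redemption.
const ACCESS_TOKEN_LIFETIME_MS = 60 * MINUTE_MS;
const SPA_REFRESH_TOKEN_LIFETIME_MS = 24 * HOUR_MS;

// Stand-in for @azure/msal-browser's InteractionRequiredAuthError.
class InteractionRequiredAuthError extends Error {
  constructor(message) {
    super(message);
    this.name = "InteractionRequiredAuthError";
  }
}

// Simulated client (constructed for this example). `now` is injected so the
// clock can be moved; a real app would use `new PublicClientApplication(cfg)`.
class SimulatedMsalClient {
  constructor(signedInAt, now) {
    this.now = now;
    this.refreshTokenIssuedAt = signedInAt;
    this.accessTokenIssuedAt = signedInAt;
    this.accessTokenSerial = 0;
    this.interactiveRequests = 0;
  }

  async acquireTokenSilent(request) {
    const t = this.now();
    // 1. Cached access token still valid: return it without a network call.
    if (t - this.accessTokenIssuedAt < ACCESS_TOKEN_LIFETIME_MS) {
      return { accessToken: this._token(request), fromCache: true };
    }
    // 2. Access token expired but refresh token usable: mint a new access token.
    if (t - this.refreshTokenIssuedAt < SPA_REFRESH_TOKEN_LIFETIME_MS) {
      this.accessTokenIssuedAt = t;
      this.accessTokenSerial += 1;
      return { accessToken: this._token(request), fromCache: false };
    }
    // 3. Refresh token past the 24-hour SPA cap: silent renewal cannot work.
    throw new InteractionRequiredAuthError("refresh token expired; user interaction required");
  }

  async acquireTokenRedirect(request) {
    // Real MSAL navigates to the B2C authority here and the promise never
    // resolves in-page; the simulation only counts the call.
    this.interactiveRequests += 1;
  }

  _token(request) {
    return `at-${this.accessTokenSerial}-${request.scopes.join(" ")}`;
  }
}

// The renewal pattern: silent first, interactive only on InteractionRequiredAuthError.
// Any other failure (network, bad config) is rethrown rather than restarting login.
async function getAccessToken(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { source: result.fromCache ? "cache" : "refresh", accessToken: result.accessToken };
  } catch (err) {
    if (err instanceof InteractionRequiredAuthError) {
      await client.acquireTokenRedirect(request);
      return { source: "interactive", accessToken: null };
    }
    throw err;
  }
}

// Walk the clock through page loads at the intervals the question mentions.
async function simulateSession() {
  const signedInAt = Date.UTC(2023, 6, 21, 4, 30, 0);
  let clock = signedInAt;
  const client = new SimulatedMsalClient(signedInAt, () => clock);
  const request = { scopes: ["openid", "offline_access"] };
  const outcomes = {};
  for (const [label, offset] of [["30min", 30 * MINUTE_MS], ["2h", 2 * HOUR_MS], ["25h", 25 * HOUR_MS]]) {
    clock = signedInAt + offset;
    outcomes[label] = (await getAccessToken(client, request)).source;
  }
  return { outcomes, interactiveRequests: client.interactiveRequests };
}

simulateSession().then((r) => console.log(JSON.stringify(r)));
```

Under this model a reload at 30 minutes is served from cache, a reload at 2 hours is renewed with the refresh token, and a reload at 25 hours falls through to the redirect, which is the "sign in again" the question reports. In a real React app the same `getAccessToken` wrapper would take the `PublicClientApplication` instance from `useMsal()`; the important design choice is that only `InteractionRequiredAuthError` triggers the redirect, so a transient network error does not bounce the user to the login page.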