Query about Refresh Token Lifetime Configuration in Azure AD B2C Custom Policy

Ujjawal Rajyaguru 0 Reputation points
2024-03-18T12:37:29.2966667+00:00

Hello Microsoft Community,

I hope this message finds you well. I am currently working on configuring Azure AD B2C custom policies for a Single Page Application (SPA) and have encountered an issue regarding the refresh token lifetime. In my custom policy, I have set the refresh_token_lifetime_secs to 7776000 seconds, expecting to receive refresh tokens with this extended lifetime. However, when I retrieve a refresh token, it has a lifetime of only 86400 seconds.

Below is a snippet from my technical profile configuration:

<!-- Snippet from Technical Profile -->
<Metadata>
    <Item Key="token_lifetime_secs">3600</Item>
    <Item Key="id_token_lifetime_secs">3600</Item>
    <Item Key="refresh_token_lifetime_secs">1209600</Item>
    <!-- <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
    <Item Key="allow_infinite_rolling_refresh_token">true</Item> -->
    <!-- Other configuration items... -->
</Metadata>

I have commented out the rolling refresh token configuration as it doesn't seem to affect the refresh token lifetime.

My goal is to obtain refresh tokens with a lifetime of 7776000 seconds. Can you please guide me on how to achieve this? Am I missing any specific configuration, or is there a limitation when dealing with SPAs?

Any help or insights on this matter would be greatly appreciated. Thank you in advance for your assistance.

Best regards,

Ujjawal Rajyaguru


1 answer
  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2024-03-18T18:49:18.56+00:00

    Hi @Ujjawal Rajyaguru, please review this document. "Refresh tokens sent to a redirect URI registered as spa expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the sign-in page in a top-level frame to show the login session. This is due to privacy features in browsers that block third-party cookies."

    The refresh_token_lifetime_secs configuration item sets the maximum lifetime of a refresh token in seconds. However, it is important to note that this configuration item is only applicable to confidential clients, not public clients such as SPAs.

    In your case, since you are working with an SPA, you may need to consider using a different approach to handle token refresh. One option is to use the silent renew technique, which involves using an iframe to silently renew the access token before it expires. This approach does not require the use of refresh tokens and can be used with public clients such as SPAs.

    Another option is to use the refresh token rotation technique, which involves rotating the refresh token periodically to prevent it from expiring. This approach requires the use of a backend server to handle the token rotation and can be used with public clients such as SPAs.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

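An added example, not code from the question, the answer or Microsoft: a small lint script that parses the Metadata block posted in the question and reports the refresh-token lifetime a client will actually get. It encodes the constraint quoted in the answer (refresh tokens issued to a redirect URI registered as type spa expire after 24 hours, i.e. 86400 seconds) and shows that the commented-out rolling-token items never reach the parsed configuration. The function names, the `redirect_uri_type` parameter with values "spa" and "web", and the wrapping `TechnicalProfile` element are assumptions made for the example.

```python
"""Check the refresh-token lifetime a B2C custom policy will actually yield.

Added example; it is not code from the question, the answer or Microsoft.
It encodes the constraint quoted in the answer: refresh tokens sent to a
redirect URI registered as type "spa" expire after 24 hours, so a larger
refresh_token_lifetime_secs is honoured only for confidential (web) clients.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

# 24 hours, the ceiling the answer quotes for spa redirect URIs.
SPA_REFRESH_TOKEN_CEILING_SECS = 86400

# Constructed sample: the Metadata block from the question, wrapped in a
# minimal TechnicalProfile element (assumed) so it parses as a standalone document.
SAMPLE_TECHNICAL_PROFILE = """\
<TechnicalProfile Id="JwtIssuer">
  <Metadata>
    <Item Key="token_lifetime_secs">3600</Item>
    <Item Key="id_token_lifetime_secs">3600</Item>
    <Item Key="refresh_token_lifetime_secs">1209600</Item>
    <!-- <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
    <Item Key="allow_infinite_rolling_refresh_token">true</Item> -->
    <!-- Other configuration items... -->
  </Metadata>
</TechnicalProfile>
"""


def read_metadata(xml_text: str) -> Dict[str, str]:
    """Return a Key -> value map of the Metadata/Item elements.

    ElementTree drops XML comments while parsing, so items that are commented
    out (as the rolling-token items are in the question) never reach the map,
    which is why they have no effect on the issued token.
    """
    root = ET.fromstring(xml_text)
    items: Dict[str, str] = {}
    for item in root.iter("Item"):
        key = item.get("Key")
        if key is not None:
            items[key] = (item.text or "").strip()
    return items


def effective_refresh_token_lifetime(items: Dict[str, str], redirect_uri_type: str) -> int:
    """Seconds a refresh token will actually live for this client type.

    redirect_uri_type is "spa" (public browser client) or "web" (confidential
    client). For "spa" the platform ceiling applies whatever the policy says.
    """
    if "refresh_token_lifetime_secs" not in items:
        raise KeyError("refresh_token_lifetime_secs is not set in Metadata")
    configured = int(items["refresh_token_lifetime_secs"])
    if redirect_uri_type == "spa":
        return min(configured, SPA_REFRESH_TOKEN_CEILING_SECS)
    return configured


def lint_policy(xml_text: str, redirect_uri_type: str) -> List[str]:
    """Produce human-readable findings about the refresh-token settings."""
    items = read_metadata(xml_text)
    findings: List[str] = []
    effective = effective_refresh_token_lifetime(items, redirect_uri_type)
    configured = int(items["refresh_token_lifetime_secs"])
    if effective < configured:
        findings.append(
            f"refresh_token_lifetime_secs={configured} but '{redirect_uri_type}' redirect "
            f"URIs cap refresh tokens at {effective} s; plan to rerun the authorization "
            f"code flow (or silent renew) within that window"
        )
    # Rolling-token items that are commented out are invisible after parsing.
    for key in ("rolling_refresh_token_lifetime_secs", "allow_infinite_rolling_refresh_token"):
        if key not in items:
            findings.append(f"{key} is absent (or commented out) and has no effect")
    return findings


if __name__ == "__main__":
    for client in ("spa", "web"):
        items = read_metadata(SAMPLE_TECHNICAL_PROFILE)
        print(f"[{client}] effective lifetime: "
              f"{effective_refresh_token_lifetime(items, client)} s")
        for finding in lint_policy(SAMPLE_TECHNICAL_PROFILE, client):
            print("  -", finding)
```

Running the script against the question's snippet reports 86400 s for a spa redirect URI and 1209600 s for a confidential web client, matching the behaviour the questioner observed. Swapping the sample for a full TrustFrameworkPolicy file and the real redirect URI type of the app registration gives a quick pre-deployment check that the configured lifetime and the client type agree.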
