AzureAD RefreshToken Lifetime fixed instead of Expiration sliding window

Maik Brauer 0 Reputation points
2024-04-13T12:13:18.2333333+00:00

When requesting an access_token for an app on AzureAD, you get an AccessToken as well as a RefreshToken. The refresh token has a specific lifetime (expiration) of 8 hours, configured via Conditional Access Policy. Now, within these 8 hours you can try to renew the accessToken, which will expire, if default settings are used, in 1 hour. Then the new RefreshToken will again be valid for 8 hours. And if the refreshToken is always used within these 8 hours, the access will be there forever, from my view. I see no limiting factor here, such as a fixed expiration, even though the refresh token is very frequently used, for example.


Docs are not really describing this use-case. Happy to get any hint and support on this.

Thanks a lot.


1 answer

  1. Akhilesh 9,840 Reputation points Microsoft Vendor
    2024-04-15T15:03:08.2033333+00:00

    Hi @Maik Brauer

    Thank you for reaching out to the community forum!

    Your understanding is correct: an access token is used, and refresh tokens in the Microsoft identity platform are designed to be used to obtain new access tokens when the current access token expires.

    When you use a refresh token to obtain a new access token, you also receive a new refresh token with a renewed lifetime. This cycle can continue indefinitely, as long as the refresh token is used within its validity period to obtain a new one. However, the maximum time period before which a refresh token can be used to acquire a new access token, if your application had been granted the offline_access scope, is 14 days. The minimum (inclusive) is 24 hours. So, the refresh token can't be used forever. If you're using the refresh token within its validity period, you can't extend the session beyond the maximum lifetime set for the refresh token. After the maximum lifetime is reached, the user will need to re-authenticate to obtain a new refresh token.

    Reference: https://learn.microsoft.com/EN-US/entra/identity-platform/refresh-tokens

    https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
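The two lifetime rules discussed in this thread (the question's sliding 8-hour window that restarts on every refresh, and the answer's absolute maximum after which re-authentication is required) can be modelled side by side. The following is an added example, not code from the thread or from Microsoft: `TokenService` is a hypothetical toy issuer, the window and cap values are constructed, and it is not a description of Entra's actual implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RefreshToken:
    issued_at: datetime
    expires_at: datetime       # sliding expiry: restarts on every successful refresh
    session_ends_at: datetime  # absolute cap, fixed at the interactive sign-in


class TokenService:
    """Hypothetical issuer modelling an inactivity window plus an optional absolute cap."""

    def __init__(self, inactivity_window: timedelta,
                 max_session_age: Optional[timedelta] = None):
        self.inactivity_window = inactivity_window
        self.max_session_age = max_session_age  # None = sliding window only

    def sign_in(self, now: datetime) -> RefreshToken:
        cap = now + self.max_session_age if self.max_session_age else datetime.max
        return RefreshToken(now, min(now + self.inactivity_window, cap), cap)

    def refresh(self, token: RefreshToken, now: datetime) -> RefreshToken:
        if now >= token.expires_at or now >= token.session_ends_at:
            raise PermissionError("refresh token expired; interactive sign-in required")
        # The sliding window restarts, but never extends past the absolute session cap.
        new_expiry = min(now + self.inactivity_window, token.session_ends_at)
        return RefreshToken(now, new_expiry, token.session_ends_at)


def hours_of_access(service: TokenService, refresh_every: timedelta,
                    run_for: timedelta) -> float:
    """Refresh on a fixed schedule; return hours until the first refusal (or run_for)."""
    start = datetime(2024, 4, 13, 12, 0)  # constructed start time
    token = service.sign_in(start)
    now = start
    while now - start < run_for:
        now += refresh_every
        try:
            token = service.refresh(token, now)
        except PermissionError:
            return (now - start).total_seconds() / 3600
    return run_for.total_seconds() / 3600


if __name__ == "__main__":
    sliding_only = TokenService(timedelta(hours=8))
    with_cap = TokenService(timedelta(hours=8), timedelta(days=14))
    print(hours_of_access(sliding_only, timedelta(hours=1), timedelta(days=30)))  # 720.0
    print(hours_of_access(with_cap, timedelta(hours=1), timedelta(days=30)))      # 336.0
```

With only a sliding window, an hourly refresher keeps access for the whole 30-day run; with the absolute cap, the same client is refused at the 14-day mark regardless of how often it refreshed, and a single gap longer than the window is refused on the next attempt.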

