Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,057 questions
Issue with Refresh Token Expiry in Azure AD SPA Application
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 87%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
Yash
0
Reputation points
We have registered our app in Azure AD as a SPA and configured it to issue both Access tokens and ID tokens. Our app is set as "Multitenant," allowing users from any organization directory to access it. We have configured API permissions with scopes including "User.Read", "profile", "openid", "offline_access", "Sites.ReadWrite.All", and "Files.ReadWrite.All".
Our application uses MSAL to handle user authentication and authorization, acquiring access and refresh tokens. We understand that the refresh token has a validity of 24 hours. To ensure smooth operation of our nightly jobs, we need to refresh the refresh token before it expires.
However, we have encountered an issue where, upon using the https://login.microsoftonline.com/common/oauth2/v2.0/token endpoint with the grant_type=refresh_token and refresh_token parameters, the new refresh token we receive does not have a validity period extending beyond the original refresh token's expiration. Instead, it appears to have the same expiration time as the original refresh token.
Could you please provide guidance on how we can obtain a new refresh token with an extended validity period? We are aiming for the new refresh token to be valid for an additional 24 hours from the time of issuance.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 26%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Navya 11,050 Reputation points Microsoft Vendor2024-08-06T06:34:12.1066667+00:00 Hi @Yash
Thank you for posting this in Microsoft Q&A.
I understand you have an issue with Refresh Token Expiry in Azure AD SPA Application.
A refresh token is used to obtain new access and refresh token pairs when the current access token expires. Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens sent to a redirect URI registered as
spaexpire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. You can't configure the lifetime of a refresh token. You can't reduce or lengthen their lifetime.For more information: Refresh tokens
I attempted to obtain an access token and a refresh token using Postman. The expiration of the access token can be found in the response.
I used the above refresh token to obtain a new access token. Along with the access token, my old refresh token was deleted, and a new refresh token was generated.
For your reference: Refresh the access token
Can you tell me how you noticed that both the new refresh token and the old refresh token expire at the same time? If possible, could you please share screenshots of both the old and new refresh token?
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.
-
-
Yash 0 Reputation points
2024-08-08T09:53:03.92+00:00 Hi Navya,
Thanks for responding..
I have created my first access and refresh token using authorization code, so I have passed authorization_code as grant_type and added code_verifier to verify that code in postman and I got both access and refresh token in response.
This is the new refresh token I got from old refresh token: I have created first access token and refresh token on 02-08-2024 - 4:00 PM and used that refresh token in below ss as refresh_token, so it created new refresh_token for me which is in response.
I have used newly created refresh_token(which is in response of above ss) on 03-08-2024 - 4:43 PM and got response like below:
Entire response of above ss: {
"error": "invalid_grant",
"error_description": "AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2024-08-02T10:39:30.8417461Z. Trace ID: 1bfcebef-ab6d-49bc-9347-f9a47f27c100 Correlation ID: afa0cd7f-80f5-478e-ad48-6cde3e7c91ec Timestamp: 2024-08-03 11:12:54Z",
"error_codes": [
700084
],
"timestamp": "2024-08-03 11:12:54Z",
"trace_id": "1bfcebef-ab6d-49bc-9347-f9a47f27c100",
"correlation_id": "afa0cd7f-80f5-478e-ad48-6cde3e7c91ec",
"error_uri": "https://login.microsoftonline.com/error?code=700084"
}
My understanding is that first refresh_token should be expired after 03-08-2024 - 4:00 PM i.e. after 24 hours, but newly created refresh_token should extend till next 24 hours, is this right (as we are following oauth 2.0 flow)?
In our app, we can't ask our users to authorize again and again in every 24 hours and we also have some nightly jobs to perform, so can you please guide accordingly that how can we conquer this situation without asking users to re-authorize?
Best,
Yash
-
Yash 0 Reputation points
2024-08-08T09:54:27.7633333+00:00 What's your thought on this situation Navya?
-
Navya 11,050 Reputation points Microsoft Vendor
2024-08-20T14:46:15.4+00:00 Hi @Yash
I apologize for the delayed response.
Yes, your understanding is correct. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
As per this note saying that SPAs must be prepared to re-run the authorization code flow every 24 hours to obtain a new refresh token, but this process can be done silently without requiring the user to re-enter their credentials.
Hope this helps. Do let us know if you any further queries.
-
Yash 0 Reputation points
2024-08-22T09:54:56.3366667+00:00 Hi Navya,
Thank you for your response.
Could we schedule a call to discuss our scenarios in more detail? We need to explain how our nightly jobs use tokens to extract data from files stored in SharePoint.
In our product, we don’t have browser access and want to use the token exclusively through REST APIs once the user grants access. Essentially, we need a way to handle this process from the backend. The goal is for the user to grant access once, after which our app should be able to use the tokens in the backend for ongoing operations.
Looking forward to your thoughts.
Best regards,
Yash
Sign in to comment
Sign in to answer