Refresh Token Lifetime Issue, Expiring in 1 Day Instead of 7?

hawthorne91 230 Reputation points
2024-08-26T20:10:06.6433333+00:00

I've set the lifetime of my B2C refresh token to 7 days. I'm using the PKCE authentication flow to obtain access tokens. However, when I make a request to the /token endpoint, I notice that the refresh_token_expires_in value is 86400 seconds, which is only 1 day. Could someone explain why the refresh token is expiring in just one day instead of the 7 days I've configured?

Additionally, I've set the Refresh Token Sliding Window Lifetime to "No expiry." Does this mean that the token will be refreshed each time it's used?

Thanks in advance for your help!


1 answer

Navya 9,640 Reputation points Microsoft Vendor
    2024-08-29T06:58:58.77+00:00

    Hi @hawthorne91

    Thank you for posting this in Microsoft Q&A.

    I understand your concern regarding the Refresh Token Lifetime Issue, Expiring in 1 Day Instead of 7 days.

    The maximum time period before which a refresh token can be used to acquire a new access token, if your application has been granted the offline_access scope. The default is 14 days. The minimum (inclusive) is one day. The maximum (inclusive) is 90 days.

    I've set the Refresh Token Sliding Window Lifetime to "No expiry." Does this mean that the token will be refreshed each time it's used?

    The refresh token sliding window type. Bounded indicates that the refresh token can be extended as specified in the Lifetime length (days). No expiry indicates that the refresh token sliding window lifetime never expires.

    Could someone explain why the refresh token is expiring in just one day instead of the 7 days I've configured?

    Single-page applications utilizing the authorization code flow with PKCE are always subject to a refresh token lifetime of 24 hours, whereas mobile, desktop, and other web applications are not constrained by this limitation.

    The refresh token expires in one day due to the use of the PKCE authentication flow to obtain the access token, even if the Refresh Token Sliding Window is configured.

    For more information: Configure tokens in Azure Active Directory B2C

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.
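As an added example (not part of the question or the answer above, and not Microsoft's code), the Node.js script below parses a constructed B2C /token response the way a SPA client would and reports whether the 24-hour SPA refresh-token limit described in the answer has overridden the configured lifetime. Everything in it is an assumption for illustration: the sample response, the 7-day configured lifetime, the 5-minute re-authentication grace window, and the token strings, which are placeholders rather than real B2C tokens. The JWT payload is decoded without signature verification only to read lifetimes the client already holds; it must never be used to trust claims.

```javascript
// Added example (not from the original post): inspect an Azure AD B2C /token
// response as a single-page application would, and detect whether the
// configured refresh token lifetime has been capped at 24 hours, which the
// answer above states applies to SPAs using the authorization code flow
// with PKCE. Runs under Node.js (uses Buffer).

// The 24-hour SPA refresh token cap, as stated in the answer above.
const SPA_REFRESH_TOKEN_CAP_SECONDS = 24 * 60 * 60;

// Assumed moment at which the client received the token response.
const RECEIVED_AT_MS = Date.UTC(2024, 7, 26, 20, 0, 0); // 2024-08-26T20:00:00Z

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Builds a JWT-shaped string with an "alg: none" header and an empty
// signature. It is NOT a valid token; it exists only so decodeJwtPayload()
// has realistic input in this offline example.
function makeUnsignedJwt(payload) {
  return `${base64UrlEncode({ alg: "none", typ: "JWT" })}.${base64UrlEncode(payload)}.`;
}

// Constructed sample /token response. Values mirror the question: a 1-hour
// access token and refresh_token_expires_in of 86400 seconds (1 day).
const SAMPLE_TOKEN_RESPONSE = {
  token_type: "Bearer",
  scope: "openid offline_access https://contoso.onmicrosoft.com/api/read", // assumed scope
  expires_in: 3600,
  refresh_token_expires_in: 86400,
  access_token: makeUnsignedJwt({
    iat: Math.floor(RECEIVED_AT_MS / 1000),
    exp: Math.floor(RECEIVED_AT_MS / 1000) + 3600,
    aud: "00000000-0000-0000-0000-000000000000", // placeholder client id
  }),
  refresh_token: "placeholder-refresh-token",
};

// Decodes the payload only. No signature verification is performed, so the
// result is only suitable for reading lifetimes of tokens the client itself
// received, never for making authorization decisions.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

function analyzeTokenLifetimes(response, configuredRefreshTokenDays, receivedAtMs) {
  const accessSeconds = Number(response.expires_in);
  const refreshSeconds = Number(response.refresh_token_expires_in);
  if (!Number.isFinite(accessSeconds) || !Number.isFinite(refreshSeconds)) {
    throw new Error("token response is missing expires_in or refresh_token_expires_in");
  }
  const configuredSeconds = configuredRefreshTokenDays * 24 * 60 * 60;
  const claims = decodeJwtPayload(response.access_token);
  const accessExpiresAtMs = receivedAtMs + accessSeconds * 1000;
  return {
    accessTokenExpiresAt: new Date(accessExpiresAtMs).toISOString(),
    refreshTokenExpiresAt: new Date(receivedAtMs + refreshSeconds * 1000).toISOString(),
    // expires_in and the exp claim should agree within a few minutes of skew;
    // a large gap points at a wrong client clock or a mangled response.
    accessLifetimeConsistentWithExp:
      Math.abs(claims.exp * 1000 - accessExpiresAtMs) <= 5 * 60 * 1000,
    configuredRefreshSeconds: configuredSeconds,
    actualRefreshSeconds: refreshSeconds,
    // True when the tenant setting asked for more than 24 hours but the
    // response came back with exactly the SPA cap.
    cappedBySpaLimit:
      refreshSeconds === SPA_REFRESH_TOKEN_CAP_SECONDS &&
      configuredSeconds > SPA_REFRESH_TOKEN_CAP_SECONDS,
  };
}

// Once the refresh token has expired (or will within the grace window), a
// silent refresh will fail and the SPA must start an interactive sign-in.
function mustReauthenticate(analysis, nowMs, graceSeconds = 300) {
  const refreshExpiresMs = Date.parse(analysis.refreshTokenExpiresAt);
  return nowMs + graceSeconds * 1000 >= refreshExpiresMs;
}

const analysis = analyzeTokenLifetimes(SAMPLE_TOKEN_RESPONSE, 7, RECEIVED_AT_MS);
console.log(JSON.stringify(analysis, null, 2));
console.log("re-auth needed 23h later:", mustReauthenticate(analysis, RECEIVED_AT_MS + 23 * 3600 * 1000));
console.log("re-auth needed 25h later:", mustReauthenticate(analysis, RECEIVED_AT_MS + 25 * 3600 * 1000));
```

Feeding the sample response with a configured lifetime of 7 days yields cappedBySpaLimit: true, which is exactly the situation the question describes; a web or mobile client whose response carried refresh_token_expires_in of 604800 would report false. The useful operational consequence is that a SPA should plan for a forced interactive sign-in at least once every 24 hours regardless of the tenant's refresh token or sliding window settings.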
