How is the cached access token expiration determined?

Jason Leung 20 Reputation points
2025-01-21T15:00:30.22+00:00

I am using a personal account so I have to use the delegated permission. But I want the token to be persisted so that I do not need to re-authenticate every test iteration. I have read the below thread:
(tldr: use the token cache persistence options + store the auth record to re-use)
https://stackoverflow.com/questions/71949282/storing-and-retrieving-access-token-when-using-client-credential-flow-in-net

and set up something similar in Python:

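from azure.identity import (
    AuthenticationRecord,
    DeviceCodeCredential,
    TokenCachePersistenceOptions,
)

# Persist the token cache so tokens survive between runs
self.device_code_credential = DeviceCodeCredential(
    client_id=client_id,
    client_secret=client_secret,
    tenant_id=tenant_id,
    cache_persistence_options=TokenCachePersistenceOptions(),
)
...
# Restore the saved authentication record so the cached account is re-used
with open(auth_path, "r") as f:
    auth = f.read()
    self.device_code_credential._auth_record = (
        AuthenticationRecord.deserialize(auth))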

Everything works well, I don't need to re-authenticate when I run my app. But it's a bit scary that after the token expiration time, it refreshes and I do not need to re-authenticate (for days). This does not match my mental model that the token is cached and the authentication would fail + prompt for a new authentication flow after it expires. I probably misunderstand the authentication process and how the cached token is handled here. It'd be nice if someone could explain / point me to the related document. Thanks!


1 answer

  1. Akhil Nasalwai - MSFT 180 Reputation points Microsoft Vendor
    2025-01-28T17:02:13.0733333+00:00

    Hello Jason Leung,

    Thank you for reaching out to Microsoft!!

    When you use a delegated permission with a personal account, the authentication process typically involves obtaining an access token and a refresh token. The access token is short-lived (usually around an hour), while the refresh token can be used to obtain new access tokens without requiring the user to re-authenticate.

    For the query on how you could know the actual expiration time of your cached access token: to know the actual expiration time of your cached access token, you can inspect the token itself. Access tokens issued by Microsoft Graph API include information about their expiration time in the exp claim.

    Use a JWT (JSON Web Token) decoder, i.e. jwt.ms or jwt.io, to view the token's contents.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

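The `exp` inspection described in the answer above can also be done locally, which keeps a live bearer token on the machine. This is an added example, not code from the thread or from the Azure SDK; the function names and the sample token are constructed for illustration, and it assumes the access token is a JWT (tokens that are opaque rather than JWT-formatted yield `None`).

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def access_token_expiry(token: str) -> Optional[int]:
    """Return the `exp` claim (Unix seconds), or None if the token is not a
    decodable JWT. The signature is NOT verified: use this for inspection
    only, never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token: no readable claims
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, int) and not isinstance(exp, bool) else None


def seconds_remaining(token: str, now: Optional[float] = None) -> Optional[int]:
    """Seconds until the access token expires (negative once expired)."""
    exp = access_token_expiry(token)
    if exp is None:
        return None
    return exp - int(now if now is not None else time.time())


def make_sample_token(exp: int) -> str:
    # Constructed sample, not a real token: unsigned header.payload.signature
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'exp': exp})}.sig"


if __name__ == "__main__":
    sample = make_sample_token(1_700_003_600)
    print(seconds_remaining(sample, now=1_700_000_000))
    print(seconds_remaining("opaque-token-without-dots"))
```

The value read here is the lifetime of the access token only; it says nothing about the refresh token that the credential uses to obtain the next access token.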
