How to avoid "Token expired" errors on Azure built-in authentication (EasyAuth) with Google provider

Art 25 Reputation points
2025-02-13T09:50:39.4266667+00:00

I have a dynamic Web App deployed to Azure App Services, where I have enabled Azure built-in Authentication (EasyAuth) with Google as provider.

  • Token store is enabled
  • Scope: email, profile

Authentication works well, but after 1 hour (even if I am actively working on the page), I get the error: Token validation failed: Token expired

How can I prevent this from happening? I have read here about the need to activate refresh tokens using parameters consent=prompt and access_type=offline on the /.auth/login/google API Call. But from my code I don't make such a call, everything happens on Azure Authentication and I see no way to specify parameters.

Any workarounds? (e.g. refresh tokens on demand, etc).


1 answer

  1. Shree Hima Bindu Maganti 4,775 Reputation points Microsoft External Staff Moderator
    2025-02-17T07:59:29.06+00:00

    Hi @Art ,
    Welcome to MS Q&A platform.
    Solution for "Token Expired" Issue in Azure EasyAuth with Google Provider

    The problem occurs because EasyAuth does not request refresh tokens from Google, and Google's access token expires in 1 hour. Since you can't change the authentication request, Azure provides a /.auth/refresh endpoint that can extend the authentication session. You should call this periodically to prevent token expiration.

    Set up automatic refresh before token expiry (e.g., every 45 minutes):

    setInterval(() => {
        fetch('/.auth/refresh', { credentials: 'include' })
            .then(response => {
                if (!response.ok) {
                    console.error("Token refresh failed, possible session expiration.");
                }
            })
            .catch(error => console.error('Error refreshing token:', error));
    }, 45 * 60 * 1000);  // Runs every 45 minutes
    

    If refresh fails, force re-login:

    function forceReLogin() {
        window.location.href = '/.auth/login/google';
    }
    

    Adjusting Azure EasyAuth Session Timeout

    This won't extend Google's token, but it can keep the Azure session active longer.

    1. Go to Azure Portal → Your App Service
    2. Navigate to Authentication / Authorization
    3. Go to Advanced Settings
    4. Set "Token Refresh" to the max (24 hours)
    5. Make sure "Token Store" is on

    Alternative: Custom Authentication (Recommended for Full Control)

    EasyAuth has limited token management, so consider:

      • Using Firebase Authentication for Google Login
      • Implementing MSAL (Microsoft Authentication Library) for better session management

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face similar issues may benefit from it.
    Let me know if you need any further assistance.

    ref:
    https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-google
    https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-oauth-tokens
    https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/update-auth-settings-v2?view=rest-appservice-2024-04-01&utm_source=chatgpt.com&tabs=HTTP
    https://firebase.google.com/docs/auth/android/google-signin
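
An added example (not part of the answer above and not Microsoft's code) that ties the answer's two snippets together: it schedules the `/.auth/refresh` call from the token's expiry rather than a fixed interval, and redirects to `/.auth/login/google` only when the refresh is rejected, with a same-site return path. It assumes `/.auth/me` returns an `expires_on` timestamp for the signed-in user and uses the `post_login_redirect_uri` login parameter; all function and constant names are hypothetical.

```javascript
// Added example; names are hypothetical, not an App Service API.
const REFRESH_MARGIN_MS = 15 * 60 * 1000; // refresh 15 min before expiry
const FALLBACK_DELAY_MS = 45 * 60 * 1000; // the answer's interval, if expiry is unknown
const MIN_DELAY_MS = 60 * 1000;           // floor, so a stale expiry cannot cause a tight loop

// Re-login URL. Only a same-site path is accepted as the return target,
// so a crafted value cannot turn the login into an open redirect.
function loginUrl(returnPath) {
  const ok = typeof returnPath === 'string' && /^\/(?![\/\\])/.test(returnPath);
  return '/.auth/login/google?post_login_redirect_uri=' +
    encodeURIComponent(ok ? returnPath : '/');
}

// Milliseconds until the next refresh, given the token's expiry timestamp.
function nextDelayMs(expiresOn, nowMs) {
  // Trim fractional seconds to 3 digits so every Date parser accepts them.
  const expiry = Date.parse(String(expiresOn).replace(/(\.\d{3})\d+/, '$1'));
  if (Number.isNaN(expiry)) return FALLBACK_DELAY_MS;
  return Math.max(MIN_DELAY_MS, expiry - nowMs - REFRESH_MARGIN_MS);
}

// Assumption: /.auth/me returns an array whose first entry has expires_on.
async function readExpiry(fetchImpl) {
  try {
    const res = await fetchImpl('/.auth/me', { credentials: 'include' });
    const body = res.ok ? await res.json() : [];
    return Array.isArray(body) && body[0] ? body[0].expires_on : undefined;
  } catch (err) { return undefined; }
}

// 'ok' = refreshed, 'relogin' = refresh rejected, 'retry' = network error.
async function refreshOnce(fetchImpl) {
  try {
    const res = await fetchImpl('/.auth/refresh', { credentials: 'include' });
    return res.ok ? 'ok' : 'relogin';
  } catch (err) { return 'retry'; } // offline: a redirect would not help
}

// Browser wiring: wait until the token is close to expiry, then refresh.
async function keepSessionAlive() {
  const delay = nextDelayMs(await readExpiry(fetch), Date.now());
  setTimeout(async () => {
    if (await refreshOnce(fetch) === 'relogin') {
      window.location.href = loginUrl(window.location.pathname + window.location.search);
    } else { keepSessionAlive(); }
  }, delay);
}
if (typeof window !== 'undefined') keepSessionAlive();
```

Because the refresh is only attempted near expiry and never at page load, a deployment where the refresh is always rejected costs one re-login per token lifetime instead of a redirect loop.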

