Query about Refresh Token Lifetime Configuration in Azure AD B2C Custom Policy

Anonymous
2024-01-30T06:30:00+00:00

Hello Microsoft Community,

I hope this message finds you well. I am currently working on configuring Azure AD B2C custom policies for a Single Page Application (SPA) and have encountered an issue regarding the refresh token lifetime. In my custom policy, I have set the refresh_token_lifetime_secs to 7776000 seconds, expecting to receive refresh tokens with this extended lifetime. However, when I retrieve a refresh token, it has a lifetime of only 86400 seconds.

Below is a snippet from my technical profile configuration:

<!-- Snippet from Technical Profile -->
<Metadata>
    <Item Key="token_lifetime_secs">3600</Item>
    <Item Key="id_token_lifetime_secs">3600</Item>
    <Item Key="refresh_token_lifetime_secs">1209600</Item>
    <!-- <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
    <Item Key="allow_infinite_rolling_refresh_token">true</Item> -->
    <!-- Other configuration items... -->
</Metadata>

I have commented out the rolling refresh token configuration as it doesn't seem to affect the refresh token lifetime.

My goal is to obtain refresh tokens with a lifetime of 7776000 seconds. Can you please guide me on how to achieve this? Am I missing any specific configuration, or is there a limitation when dealing with SPAs?

Any help or insights on this matter would be greatly appreciated. Thank you in advance for your assistance.

Best regards,

Ujjawal Rajyaguru


This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


2 answers

  1. Anonymous
    2024-01-31T01:19:49+00:00

    Hello Ujjawal Rajyaguru,

    Thank you for posting in Microsoft Community forum.

    From the description above, I understand your question is related to Azure.

    Since there are no engineers dedicated to Azure in this forum, in order to be able to get a quick and effective handling of your issue, I recommend that you repost your question in the Q&A forum, where there will be a dedicated engineer to give you a professional and effective reply.

    Here is the link for Q&A forum.
    Questions - Microsoft Q&A

    Click the "Ask a Question" button in the upper right corner to post your question and select "Azure Active Directory" tag and any other tags related to your productions.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2024-04-12T18:04:53+00:00

    I experienced this myself. Unfortunately, applications configured as Single-Page-Applications have a maximum refresh token lifetime of 24 hours regardless of configuration. This is a conscious choice that Microsoft made to maximize security.

    See: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy

    There's a note that reads

    "Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation."

    If you need your refresh tokens to have a longer lifetime, then you'll need to use a different code flow, such as "Authorization" but that will require a back-end of some kind to manage the secret required to obtain tokens during exchange.

    -Adam

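To confirm that the 24-hour cap Adam describes is what is trimming the refresh token, here is an added example (not code from the question or either answer) that parses the question's Metadata block and compares the configured refresh_token_lifetime_secs with the refresh_token_expires_in value a B2C token response reports. The client-type argument and the constructed token response are assumptions made for the example.

```python
# Added example (not from the thread): reconcile the refresh-token lifetime a
# B2C custom policy configures with the lifetime the token endpoint issued.
import json
import xml.etree.ElementTree as ET

SPA_REFRESH_CAP_SECS = 24 * 60 * 60  # 24 h cap for SPAs (auth code + PKCE)

# Constructed copy of the question's <Metadata> block, not a live policy.
POLICY_METADATA = """<Metadata>
    <Item Key="token_lifetime_secs">3600</Item>
    <Item Key="id_token_lifetime_secs">3600</Item>
    <Item Key="refresh_token_lifetime_secs">1209600</Item>
</Metadata>
"""

# Constructed token-endpoint reply (secrets redacted); B2C reports the
# refresh-token lifetime in refresh_token_expires_in next to expires_in.
TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": 3600,
    "access_token": "<redacted>", "refresh_token": "<redacted>",
    "refresh_token_expires_in": 86400,
})

def configured_lifetimes(metadata_xml: str) -> dict:
    """Seconds per *_lifetime_secs item (commented-out items are ignored)."""
    root = ET.fromstring(metadata_xml)
    return {item.get("Key"): int(item.text.strip())
            for item in root.findall("Item")
            if item.get("Key", "").endswith("_lifetime_secs")}

def effective_refresh_lifetime(configured_secs: int, app_type: str) -> int:
    """Lifetime B2C will actually honour for the given client type."""
    if app_type == "spa":
        return min(configured_secs, SPA_REFRESH_CAP_SECS)
    return configured_secs

def diagnose(metadata_xml: str, token_response_json: str, app_type: str) -> dict:
    """Compare configured, expected and issued refresh-token lifetimes."""
    configured = configured_lifetimes(metadata_xml)["refresh_token_lifetime_secs"]
    issued = json.loads(token_response_json)["refresh_token_expires_in"]
    expected = effective_refresh_lifetime(configured, app_type)
    if issued != expected:
        verdict = "unexplained_mismatch"  # the SPA cap does not explain it
    elif configured > expected:
        verdict = "spa_cap_applied"       # config exceeds the cap; cap wins
    else:
        verdict = "matches_config"
    return {"configured": configured, "expected": expected,
            "issued": issued, "verdict": verdict}
```

Run `diagnose(POLICY_METADATA, TOKEN_RESPONSE, "spa")` against a real response to see whether the cap, or something else in the policy, explains the lifetime you get.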