Issue: "The refresh token grant no longer exists" error for federated users in Azure AD B2C (MSAL.js)

Hamza Khalid 20 Reputation points
2025-03-14T11:46:18.0933333+00:00

We are using Azure AD B2C with Custom Policies and MSAL.js for authentication in a React app. Everything works fine for local B2C users, but federated users (those signing in via an external IdP) encounter an issue when acquiring a new token silently.

Error Details:

  1. Initial login works fine – users receive an access token and refresh token.
  2. When calling acquireTokenSilent, it fails with "The refresh token grant no longer exists".
    {"error": "invalid_grant", "error_description": "AADB2C90128: The account associated with this grant no longer exists. Please re-authenticate and try again.\r\nCorrelation ID: 71557210-b7c4-4bd0-a4a3-84101accd862\r\nTimestamp: 2025-03-11 14:30:55Z\r\n" }
  3. This happens even if acquireTokenSilent is called within a minute after login.
  4. Local B2C users do not have this issue – only federated users are affected.

Both federated and local users log in fine, and both get a refresh_token in the response.

Current Settings in my code

On the Custom Policy side, we have the following configuration for session timeout for B2C:

<SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
<SessionExpiryType>Rolling</SessionExpiryType>
<SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
<ScriptExecution>Allow</ScriptExecution>

and for the JWT issuer, we've set the token lifetime to 2 hours:

        <TechnicalProfile Id="JwtIssuer">
          <DisplayName>JWT Issuer</DisplayName>
          <Protocol Name="OpenIdConnect"/>
          <OutputTokenFormat>JWT</OutputTokenFormat>
          <Metadata>
            <Item Key="client_id">{service:te}</Item>
            <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
            <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
            <Item Key="token_lifetime_secs">7200</Item>
            <Item Key="id_token_lifetime_secs">7200</Item>
            <!--<Item Key="allow_infinite_rolling_refresh_token">true</Item>-->
            <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
            <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer"/>
            <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer"/>
          </CryptographicKeys>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer"/>
        </TechnicalProfile>
      </TechnicalProfiles>

What could possibly be the issue here? Thanks in advance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
Raja Pothuraju 23,805 Reputation points Microsoft External Staff Moderator
2025-03-14T14:37:56.79+00:00

Hello @Hamza Khalid, based on your description, it seems that you're encountering an issue with external IDP users in Azure AD B2C when the application attempts to silently obtain an access token using a refresh token. The process fails with the error:

"AADB2C90128: The account associated with this grant no longer exists. Please re-authenticate and try again."

This issue likely arises because your custom policy might only include a sign-in flow without a sign-up flow.

The error occurs when you try to request a new token by redeeming the refresh token of a deleted user. For external IDP users, refresh tokens do not persist user information unless a sign-up flow has been used. By design, refresh tokens must match an existing user record.

When users go through the flow, they receive an access token based on the claims provided. The refresh token then uses this stored information to validate the user's existence. If the user record is missing, the refresh token validation fails.

The redemption flow fails with the following exception, indicating that the user record does not exist:

Microsoft.Cpim.Data.UserNotFoundException: This user does not exist, and the profile 'AAD-UserReadUsingObjectId-CheckRefreshTokenDate' requires the user to have already been created. Microsoft.Cpim.Data.UserNotFoundException: The technical profile with ID "AAD-UserReadUsingObjectId-CheckRefreshTokenDate" in policy "B2C_1A_xxxx_signin" of tenant "b2cdomain.onmicrosoft.com" requires an error to be raised if the claims principal record does not exist. A claims principal of type "User" with identifier claim type ID "Microsoft.Cpim.Protocols.Claim" was not found.

To understand this issue, ensure that users go through a sign-up flow so that their information is properly stored, allowing the refresh token to validate against an existing user record.
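As an added example that is not part of the question or the accepted answer: until the policy is fixed so that federated users have a directory record, the React app should at least recognise this exact failure, record the correlation ID for a support ticket, and fall back to an interactive sign-in instead of retrying silently. The code assumes the thrown error follows MSAL.js's ServerError shape (`errorCode` carries the OAuth error, `errorMessage` the B2C `error_description`) and that `instance` is a `PublicClientApplication`.

```javascript
// Parse a B2C error_description of the form
// "AADB2Cxxxxx: <text>\r\nCorrelation ID: <guid>\r\nTimestamp: <utc>\r\n"
// into its parts so the correlation ID can be logged and quoted in a ticket.
function parseB2CError(description) {
  const text = description || "";
  const codeMatch = /\b(AADB2C\d{5})\b/.exec(text);
  const corrMatch = /Correlation ID:\s*([0-9a-fA-F-]{36})/.exec(text);
  const tsMatch = /Timestamp:\s*([^\r\n]+)/.exec(text);
  return {
    code: codeMatch ? codeMatch[1] : null,
    correlationId: corrMatch ? corrMatch[1] : null,
    timestamp: tsMatch ? tsMatch[1].trim() : null,
  };
}

// B2C codes for which the refresh token is dead: a silent retry can never
// succeed, so the only correct client behaviour is to re-authenticate.
const REAUTH_CODES = new Set(["AADB2C90128"]);

function shouldReauthenticate(err) {
  if (!err || err.errorCode !== "invalid_grant") return false;
  return REAUTH_CODES.has(parseB2CError(err.errorMessage).code);
}

// Wrapper around MSAL's acquireTokenSilent: fall back to an interactive
// redirect only for the "account no longer exists" case; other errors
// (network, config) are rethrown so they are not masked as sign-in loops.
async function getToken(instance, request) {
  try {
    return await instance.acquireTokenSilent(request);
  } catch (err) {
    if (shouldReauthenticate(err)) {
      const info = parseB2CError(err.errorMessage);
      console.warn("refresh token rejected, re-authenticating", info);
      return instance.acquireTokenRedirect(request);
    }
    throw err;
  }
}

// Constructed sample mirroring the error body quoted in the question.
function sampleError() {
  return {
    errorCode: "invalid_grant",
    errorMessage: "AADB2C90128: The account associated with this grant no longer exists. " +
      "Please re-authenticate and try again.\r\nCorrelation ID: " +
      "71557210-b7c4-4bd0-a4a3-84101accd862\r\nTimestamp: 2025-03-11 14:30:55Z\r\n",
  };
}
```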

