manishkiranagi-7177 asked MarileeTurscak-MSFT commented

MSAL-browser refresh token

In MSAL browser, acquireTokenSilent gets a refresh token on every call to the token endpoint. The first refresh token has a duration of 1 day. Subsequent refresh tokens all have a reduced (the remaining) expiry time. After the refresh token eventually expires, if an AD session exists then the authorisation code is returned in an iframe before making the token call. If this silent retrieval of the auth code fails, we have to use an interactive method call.

Now the AD session typically lasts a day. So are we saying that the user will always be forced to do an interactive login after a day, because the refresh token has expired and the AD session has expired?

Or does the AD session roll on with each token call, so that the expired refresh token can be renewed silently through the iframe call mentioned above?

I need the user to be able to access the token without logging in if he has been making token calls without a break of a day. Would that be possible using msal-browser refresh tokens? MSAL.js does seem to roll on the AD session after every authorisation endpoint call via acquireTokenSilent, so it doesn't have a problem. But I can't use it, as Safari blocks 3rd-party cookies, requiring an interactive call every hour, which is essentially a refresh of the app.

azure-ad-msal
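The silent-then-interactive chain described in the question, as an added example that is not part of the original post and not MSAL's own code. It assumes a client object with the `acquireTokenSilent`, `acquireTokenPopup` and `acquireTokenRedirect` methods of msal-browser's `PublicClientApplication`; the `StubMsalClient` is a constructed stand-in so the file runs offline, and the failure is recognised by the error's `name` rather than with `instanceof InteractionRequiredAuthError` so the file has no dependency on the package. The names `acquireTokenWithFallback`, `shouldRenew` and `StubMsalClient` are the example's own.

```javascript
// Added example (not from the original post): acquireTokenSilent with an
// explicit interactive fallback, plus a renewal check that lets an active
// app refresh before the token (and the session behind it) lapses.
//
// In a real SPA `client` is a PublicClientApplication from
// @azure/msal-browser and the check below would be
// `error instanceof InteractionRequiredAuthError`; matching on the error
// name is an assumption made here to keep the file dependency-free.
const INTERACTION_REQUIRED = "InteractionRequiredAuthError";

function needsInteraction(error) {
  return Boolean(error) && error.name === INTERACTION_REQUIRED;
}

// Try the silent path (cache -> refresh token -> hidden iframe) first. Only a
// "user must interact" failure escalates to a popup or a redirect; anything
// else (network error, misconfiguration) is surfaced so it is not hidden
// behind a spurious login prompt.
async function acquireTokenWithFallback(client, request, { interactive = "redirect" } = {}) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { ...result, via: "silent" };
  } catch (error) {
    if (!needsInteraction(error)) throw error;
    if (interactive === "popup") {
      const result = await client.acquireTokenPopup(request);
      return { ...result, via: "popup" };
    }
    // Redirect navigates away; the result is picked up later by
    // handleRedirectPromise(), so there is nothing to return here.
    await client.acquireTokenRedirect(request);
    return null;
  }
}

// True when the access token expires within `marginSeconds`, i.e. the app
// should call acquireTokenSilent now while the user is still active.
// `expiresOn` is the Date carried by msal-browser's AuthenticationResult.
function shouldRenew(result, marginSeconds, now = Date.now()) {
  if (!result || !result.expiresOn) return true;
  return result.expiresOn.getTime() - now <= marginSeconds * 1000;
}

// Constructed stub standing in for PublicClientApplication. When given an
// error name it fails every silent attempt with that name, the way a blocked
// third-party cookie in Safari makes the iframe step fail; interactive calls
// always succeed. `calls` records which path was taken.
class StubMsalClient {
  constructor(silentErrorName = null) {
    this.silentErrorName = silentErrorName;
    this.calls = [];
  }
  async acquireTokenSilent(request) {
    this.calls.push("silent");
    if (this.silentErrorName) {
      const err = new Error("silent token acquisition failed");
      err.name = this.silentErrorName;
      throw err;
    }
    return { accessToken: "silent-token", scopes: request.scopes, expiresOn: new Date(Date.now() + 3600 * 1000) };
  }
  async acquireTokenPopup(request) {
    this.calls.push("popup");
    return { accessToken: "popup-token", scopes: request.scopes, expiresOn: new Date(Date.now() + 3600 * 1000) };
  }
  async acquireTokenRedirect() {
    this.calls.push("redirect");
  }
}

// Demonstration with the stub: silent fails, popup completes the request.
(async () => {
  const client = new StubMsalClient(INTERACTION_REQUIRED);
  const result = await acquireTokenWithFallback(client, { scopes: ["User.Read"] }, { interactive: "popup" });
  console.log(result.via, client.calls); // popup [ 'silent', 'popup' ]
})();
```

Calling `acquireTokenWithFallback` on a timer driven by `shouldRenew` keeps a user who is actively using the app on the silent path; once the silent path fails because neither a valid refresh token nor a usable session cookie is available, the interactive branch is the only way to get a new token.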

Is it a new refresh token or an existing one? You cannot set token lifetime policies for refresh tokens and session tokens.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes


0 Answers