B2C Authentication and Offline Devices

Damien Constantine 1 Reputation point
2020-06-22T21:33:10.21+00:00

Hello!

We are developing a device-hosted application that requires authentication.
99% of the time these devices are connected to the Internet.
We require that 1% to still work - even offline.
For example: User A has logged in within the last 3 days. This user, even though the internet is down, would still need to be able to log in.
What is the best way to handle this?
Can a user, when the device is offline, still log in if they have logged in recently; and if they have not?

Microsoft Entra External ID

2 answers

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-06-23T05:35:35.44+00:00

    Hello @DamienConstantine-5544,

    Yes, in your case the user can still log in, but it depends on how much time has elapsed since the user obtained the token. The JWT auth token obtained in B2C has different validity as per the type as listed here. The access token and ID token lifetimes are a default of 1 hour. But if you require a user to stay signed in to a mobile application indefinitely as long as the user is continually active on the application, you can set the Refresh token sliding window lifetime (days) to No Expiry in your sign-in user flow. The picture below shows that setting. You can set the same to No Expiry rather than Bounded. Other aspects of the Token Lifetime in your user flow can be edited and changed as per your requirements.

    10523-token-lifetime.png

    You will also need to take care of the session behavior properties and configure the Web App session timeout to rolling as shown in the picture below.

    10524-session-behavior.png

    Taking care of the session behavior and token lifetimes, you should be able to achieve your requirement. Should you have any further query, please let us know and we will be happy to help. If the information helps you, please do accept the post as answer, which will help other members of the community. I have also linked related articles which I would suggest for further reading as they provide a detailed explanation on the topic.

    Thank you.


  2. Damien Constantine 1 Reputation point
    2020-06-24T18:28:52.397+00:00

    I would like to present another scenario that I forgot to include in my original request: We need to be clear that there are multi-user terminals in addition to mobile phones, and the equipment may have been used by a different user during the 3 days that we'd like to be able to regain access in the absence of cloud connectivity. We could dispatch a tech to go fix a networking problem, they will have used their account to log in somewhere within 3 days, but not necessarily to that particular piece of equipment that's having internet connection loss.

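The offline case from the question and the multi-user follow-up, as an added example; it is not code from the thread or from Azure AD B2C. It assumes a device-local design: after each online sign-in the device stores a per-user record (the token's `sub` and `auth_time` claims plus a salted hash of an offline PIN) protected by an HMAC under a device key held in secure storage. All function names, the PIN scheme and the sample values are hypothetical.

```python
import hashlib, hmac, json, os, time

GRACE_SECONDS = 3 * 24 * 3600  # the 3-day window from the question

def _mac(record, device_key):
    # Integrity tag over the cached record so it cannot be edited on disk.
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(device_key, body, hashlib.sha256).hexdigest()

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000).hex()

def record_online_signin(cache, claims, pin, device_key):
    """Call only after the B2C ID token was fully validated online."""
    salt = os.urandom(16)
    record = {"sub": claims["sub"], "auth_time": int(claims["auth_time"]),
              "salt": salt.hex(), "pin_hash": _pin_hash(pin, salt)}
    cache[claims["sub"]] = {"record": record, "mac": _mac(record, device_key)}

def offline_login(cache, sub, pin, device_key, now=None):
    """Return (allowed, reason) for a sign-in attempted without connectivity."""
    now = time.time() if now is None else now
    entry = cache.get(sub)
    if entry is None:
        return False, "no online sign-in recorded on this device"
    record = entry["record"]
    if not hmac.compare_digest(_mac(record, device_key), entry["mac"]):
        return False, "cache entry failed integrity check"
    age = now - record["auth_time"]
    # A negative age means the device clock was set back; refuse that too.
    if age < 0 or age > GRACE_SECONDS:
        return False, "outside the 3-day offline window"
    candidate = _pin_hash(pin, bytes.fromhex(record["salt"]))
    if not hmac.compare_digest(candidate, record["pin_hash"]):
        return False, "wrong offline PIN"
    return True, "ok"

# Constructed sample data (not from the thread).
DEVICE_KEY = b"constructed-device-key-from-secure-storage"
T0 = 1_592_861_590  # constructed auth_time of user-a's last online sign-in
CACHE = {}
record_online_signin(CACHE, {"sub": "user-a", "auth_time": T0}, "4821", DEVICE_KEY)
```

A user with no record on a given terminal, such as a technician who signed in elsewhere within the 3 days, is refused by this check because the cache is per device.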