refresh token validity

Rui Goncalves 21 Reputation points
2021-12-03T22:20:10.433+00:00

Hi everyone!

I know this is a recurrent question, but I'm still not sure about refresh token validity (especially after reading this accepted answer and Refresh and session token lifetime policy properties).

Can you please confirm my understanding? (I'm using the authorization code flow.)

  1. After executing the flow, we get an access_token and a refresh_token
  2. We use the refresh_token to renew the access_token. On each renewal, we get a new pair of tokens (access and refresh token).

Questions:

  1. If we use the first refresh_token, will it be valid indefinitely if we keep using it regularly?
  2. If we discard the old refresh token and replace it with the new refresh_token, can we keep renewing tokens indefinitely without asking the user to re-authenticate? (considering that we never exceed the MaxInactiveTime)

Thank you in advance for your help.

Microsoft Security, Microsoft Entra, Microsoft Entra ID

Accepted answer
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2021-12-07T23:22:26.953+00:00

In either of those scenarios, the user will need to eventually re-authenticate.

The refresh tokens last for 14 days. Even if you keep replacing the refresh token with new refresh tokens within those 14 days, you can only keep doing that for 90 days, since 90 days is the default and you cannot change the default for refresh tokens. After 90 days the users will still need to re-authenticate. https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Let me know if this helps at all.

1 person found this answer helpful.
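To make the two lifetimes from the accepted answer concrete, here is an added example (not Microsoft code and not from the thread) that models an authorization server the way the answer describes it: every refresh token is usable for 14 days from the moment it was issued, and no refresh, however diligent, can extend a session beyond 90 days from the interactive sign-in. The `TokenService` class, the in-memory store, the constructed sign-in date and the `now` parameter passed to each call are assumptions made so the scenario can be simulated offline; the two helper functions replay the asker's two questions and report the day on which re-authentication is forced.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Lifetimes as stated in the accepted answer.
REFRESH_TOKEN_LIFETIME = timedelta(days=14)  # each refresh token is usable for 14 days
MAX_SESSION_LIFETIME = timedelta(days=90)    # hard stop, counted from the interactive sign-in


class ReauthRequired(Exception):
    """The client must send the user through the authorization code flow again."""


@dataclass
class RefreshRecord:
    session_start: datetime  # when the user last authenticated interactively
    issued_at: datetime      # when this particular refresh token was minted


class TokenService:
    """In-memory stand-in for the authorization server (assumed for the example)."""

    def __init__(self) -> None:
        self._refresh_tokens: dict[str, RefreshRecord] = {}

    def _issue_pair(self, session_start: datetime, now: datetime) -> tuple[str, str]:
        access_token = secrets.token_urlsafe(32)   # opaque stand-in for a JWT
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = RefreshRecord(session_start, now)
        return access_token, refresh_token

    def authenticate(self, now: datetime) -> tuple[str, str]:
        """Final step of the authorization code flow: a new session starts now."""
        return self._issue_pair(session_start=now, now=now)

    def refresh(self, refresh_token: str, now: datetime) -> tuple[str, str]:
        """Exchange a refresh token for a new access/refresh pair, or demand re-auth."""
        record = self._refresh_tokens.get(refresh_token)
        if record is None:
            raise ReauthRequired("unknown refresh token")
        if now - record.issued_at > REFRESH_TOKEN_LIFETIME:
            raise ReauthRequired("refresh token older than 14 days")
        if now - record.session_start > MAX_SESSION_LIFETIME:
            raise ReauthRequired("session older than 90 days")
        # The new refresh token inherits the original sign-in time, so rotating
        # tokens can never push the session past the 90-day limit.
        return self._issue_pair(session_start=record.session_start, now=now)


T0 = datetime(2021, 12, 3, tzinfo=timezone.utc)  # constructed sign-in time for the simulation


def days_until_reauth_reusing_first_token(use_every_days: int) -> int:
    """Question 1: keep presenting the original refresh token, discarding the new pairs."""
    svc = TokenService()
    _, first_refresh = svc.authenticate(T0)
    day = 0
    while True:
        day += use_every_days
        try:
            svc.refresh(first_refresh, T0 + timedelta(days=day))
        except ReauthRequired:
            return day


def days_until_reauth_rotating(refresh_every_days: int) -> int:
    """Question 2: always replace the refresh token with the newest one."""
    svc = TokenService()
    _, current = svc.authenticate(T0)
    day = 0
    while True:
        day += refresh_every_days
        try:
            _, current = svc.refresh(current, T0 + timedelta(days=day))
        except ReauthRequired:
            return day


if __name__ == "__main__":
    print("reuse first token every 7 days -> re-auth on day", days_until_reauth_reusing_first_token(7))
    print("rotate every 7 days            -> re-auth on day", days_until_reauth_rotating(7))
    print("rotate every 20 days           -> re-auth on day", days_until_reauth_rotating(20))
```

Reusing the first token every 7 days fails on day 21, because that token was issued on day 0 and is past its 14 days regardless of how often it was used; rotating every 7 days survives until day 91, when the 90-day limit from the sign-in is exceeded; rotating only every 20 days fails on the first attempt, since the token sat unused longer than 14 days. The toy deliberately leaves a superseded refresh token usable until its own 14 days run out, which is all the thread describes; production services commonly go further and invalidate the old token at rotation so that a reused one can be detected.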

0 additional answers
