Managing Session, Access token and refresh token in Asp.Net Core 5 MVC Web app

Mayuri Barve 1 Reputation point


I have developed an Asp.Net Core 5 MVC Web application with .Net 5 As Target framework. The application is hosted in Azure and accessed by Azure AD users only. As per new .Net 5 features, Authentication is automatically handled by the framework and is part of Microsofy.Identity.Web.

I have also developed Web Api application that is being consumed by the above web application by authorized users only. Both Web an API apps are registered in Azure AD and I am using Jwt Bearer token (access token) and Scope value for API authorization. I have implemented it with the help of MS documentation on .Net Core (followed the steps given). API authorization is working fine.

My Query/concern is regarding Access token expiry and session expiration... How should I manage both in an efficient way so that user will get automatically logged in and can continue if either token or session expires. Or at least on session expiry, user should be at least redirected to Login page by giving appropriate message. Currently its not happening in proper way. Also as per the documentation Access Token lifetime is default to 30min/1 hour and it cannot be changed and it (expiration) is automatically managed by generating refresh tokens everytime. but I am not able to see/fetch refresh token from the request. I am even not sure whether the refresh token is being sent and it is automatically generating new token on expiry and continuing.. I tried referring to lot of links on google but got confused with concepts..

Can anyone suggest some help/example/documentation on the same. How can I customize/manage access token expiry and session timeout with redirection in code. Any help would be very much appreciated.

Thanks in advance.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,627 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 25,301 Reputation points Microsoft Employee

    Hi @Mayuri Barve ,

    Thanks for reaching out.

    Microsoft Authentication Library (MSAL) acquires a token and handle the token in many ways.

    So, when the application needs a token, it should first call the AcquireTokenSilentAysnc method to verify if an acceptable token is in the cache and retrieve the token from cache. MSAL caches the access, refresh, and ID tokens and handle them accordingly.

    In ASP.NET Core web apps and web APIs, use Microsoft.Identity.Web In-memory cache option to get token caches.
    In .net core application, call AddInMemoryTokenCaches() or AddDistributedTokenCaches() (In production for persistence) to startup.cs file

    public void ConfigureServices(IServiceCollection services)  
        // code before  
                  .EnableTokenAcquisitionToCallDownstreamApi(new string[] { scopesToRequest })  
        // code after  

    If access token is about to expire, it gets the refresh token as token cache also contains a refresh token. AcquireTokenSilentAsync is the abstract process by which refresh token is used to get new access token in backend.

    The lifetimes of refresh tokens are relatively long. However, in some cases, refresh tokens expire, are revoked. Then your application should handle the error gracefully using MsalUiRequiredException exception and prompt user to sign in again and get the token interactively.

    See AcquireTokenSilentAsync using a cached token and Token cache serialization in MSAL.NET for more clarification .


    Please remember to "Accept Answer" if answer helped you.

    0 comments No comments