Refresh token lifetime and refresh

Question

Refresh token lifetime and refresh

Snow Jon 31

Hi,

I try to use device code authorization and get refresh token from response,

And I have some questions:

(1) The refresh token lifetime is 90 days, when I get a refresh token A (create date: 2022/02/07, expired date: 2022/05/08), after 30 days, I use refresh api to get new refresh token B (create date: 2022/03/09, expired date: ?) by token A, is token B has new 90 days lifetime?

It means refresh token B will expire on 2022/06/07? or token B's lifetime is same as refresh token A?(expired date: 2022/05/08)

It is possible to refresh token cyclical and use new refresh token for keep access graph api?

(2) The refresh token lifetime is 90 days, so after 90 days, it means can't use refresh api to get new refresh token by expired refresh token?

Thanks for your help.

Answer 1

CarlZhao-MSFT 20,376

Hi @Snow Jon

It is possible to refresh token cyclical and use new refresh token for keep access graph api?

During the lifetime of the refresh token, you can obtain new access tokens and refresh tokens through it, the new refresh token you get will also have a lifetime of 90 days, it lifetime is not affected by your initial refresh token. But according to the OAuth 2.0 specification, the old refresh token should be discarded when you get a new refresh token.

The refresh token lifetime is 90 days, so after 90 days, it means can't use refresh api to get new refresh token by expired refresh token?

Yes, sure.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Snow Jon 31 Reputation points

2022-02-07T07:59:14.833+00:00

Thank you CarlZhao, your reply is helpful!

Could I know the graph api for discard certain refresh token?

Thanks a lot.
CarlZhao-MSFT 20,376 Reputation points

2022-02-07T08:32:03.07+00:00

Hi @Snow Jon

There is no graph api for discarding certain refresh tokens, my understanding is that you just need to not use it, it will automatically expire after the lifetime expires.
Snow Jon 31 Reputation points

2022-02-07T08:56:16.633+00:00

CarlZhao,

I found a related question, and Soumi mention 14 days sliding window, the 14 days sliding window will effect token refresh flow?

Like I got a refresh token A (create date: 2022/02/07, expired date: 2022/05/08), I need use this refresh token to get access token in 14 days? If I don't use refresh token A after 14 days, could I use it to get access token and refresh this refresh token (get new refresh token)?

Thanks again!
CarlZhao-MSFT 20,376 Reputation points

2022-02-07T10:30:42.507+00:00

Hi @Snow Jon

This will have no effect. Refresh tokens have an inactive lifetime of up to 90 days, which is enforced by default, and will remain valid as long as you use it within 90 days. The 14-day sliding window mentioned by @Soumi is only for the user flow of the Azure AD B2C tenant, which has nothing to do with the Azure AD tenant. You should pay attention to Microsoft's official explanation of refresh tokens: https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens.
Snow Jon 31 Reputation points

2022-02-08T01:16:17.387+00:00

ok, thanks for your help!

Refresh token lifetime and refresh

0 additional answers

Activity