Login Session Timeouts

James McLaren (NTT-AP) 41 Reputation points
2022-03-14T01:34:37.98+00:00

SPA applications use the PKCE-Enhanced Auth Code Flow to authenticate users against Azure AD B2C.

It was noticed that when a user opens the B2C login page via the PKCE-Enhanced Auth Code Flow and leaves the login page open for a period of time before completing the sign-in, the login fails without a B2C message.

What is the length of time a PKCE-Enhanced Auth Code Flow login page may be left open and still allow the user to complete a successful login?
It was observed that login pages left open, or old login page URLs used to log a user in, fail in a way that the SPA can't handle the error. (It is suspected the login page "login" session has expired.)

Is there a recommended practice for handling the length of time a login page for a SPA is left open?

Is using a browser side timer / redirect a suitable solution for managing the length of time a login page is left open?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Abdul Wadood 0 Reputation points
    2024-12-24T10:01:49.1566667+00:00

    Our application's Azure login page intermittently encounters a 400 error, and even when a 200 response is received, the login process sometimes fails unexpectedly.

    Typically, the Azure AD B2C login flow using MSAL React redirects to https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/policyname/oauth2/v2.0/authorize. However, in certain cases, after submitting the login form, it redirects to https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/policyname/api/CombinedSigninAndSignup/confirmed instead of the redirect_uri specified in the MSAL configuration.

    For additional details, please refer to the screenshots in the following link: Google Drive Link to Screenshots

    The screenshots include the MSAL React configuration, custom policy configurations, and login page API responses.

    Similar issues have been reported in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4718

    This issue seems more likely to occur when the application's Azure login page remains idle for around 3 hours before attempting to log in. On a second attempt, the login generally succeeds without issues.

    We would appreciate your assistance in identifying the root cause and resolving the issue.
