How to keep user signed in after the browser has been closed and 24 hours has expired in SPA (ADB2C Custom flow).

Aaditya Shete 6 Reputation points
2022-03-23T06:57:26.29+00:00

Currently Azure AD B2C issues a refresh token that is valid for 24 hours (non-configurable, non-renewable) for single page apps that use the PKCE code flow.

When that 24 hours is expired from the initial sign in the user needs to reauthenticate with the AD B2C. If the browser has been closed during that time the AD B2C session is lost and now user must interactively reauthenticate. I don't understand how this could be acceptable default user experience for most web apps.

Is there any way to work around this? Perhaps a way to make the AD B2C session persistent so that it survives browser closes and full interactive reauthentication is avoided. I have tried KMSI but that also dosent keep the user logged in for some reason. Have followed all the steps given in this link.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,678 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. Shweta Mathur 28,106 Reputation points Microsoft Employee
    2022-03-28T13:14:59.34+00:00

    Hi @Aaditya Shete ,

    Thanks for reaching out and apologies for delay in response.

    I understand that you are looking to persist AD B2C session for single page applications that uses PKCE code flow.

    KMSI worked for users of your web and native applications who have local accounts in your Azure AD B2C directory. KMSI didn’t work with social accounts.

    As mentioned, SPAs will be issued tokens valid for only 24 hours. After 24 hours, the app must acquire a new authorization code via a top-level frame visit to the login page.

    So, after 24 hours you can call authorization endpoint of Azure AD to get the new access and refresh token. This can also be non-interactive flow if the browser has the valid login session.

    Hope this will help you.

    Thanks,
    Shweta

    -----------------------------------

    Please remember to "Accept Answer" if answer helped you.