How to keep the user signed in after the browser has been closed and 24 hours have expired in an SPA (AD B2C custom flow)

Aaditya Shete 6 Reputation points
2022-03-23T06:57:26.29+00:00

Currently Azure AD B2C issues a refresh token that is valid for 24 hours (non-configurable, non-renewable) for single page apps that use the PKCE code flow.

When those 24 hours have expired from the initial sign-in, the user needs to reauthenticate with AD B2C. If the browser has been closed during that time, the AD B2C session is lost and the user must now interactively reauthenticate. I don't understand how this could be an acceptable default user experience for most web apps.

Is there any way to work around this? Perhaps a way to make the AD B2C session persistent so that it survives browser closes and full interactive reauthentication is avoided. I have tried KMSI, but that also doesn't keep the user logged in for some reason. I have followed all the steps given in this link.

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

1 answer

  1. Shweta Mathur 29,681 Reputation points Microsoft Employee
    2022-03-28T13:14:59.34+00:00

    Hi @Aaditya Shete ,

    Thanks for reaching out, and apologies for the delay in response.

    I understand that you are looking to persist the AD B2C session for single-page applications that use the PKCE code flow.

    KMSI worked for users of your web and native applications who have local accounts in your Azure AD B2C directory. KMSI didn’t work with social accounts.

    As mentioned, SPAs will be issued tokens valid for only 24 hours. After 24 hours, the app must acquire a new authorization code via a top-level frame visit to the login page.

    So, after 24 hours you can call the authorization endpoint of Azure AD to get the new access and refresh tokens. This can also be a non-interactive flow if the browser has a valid login session.

    Hope this will help you.

    Thanks,
    Shweta

    -----------------------------------

    Please remember to "Accept Answer" if the answer helped you.
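
The re-authorization step described in the answer, sketched as an added example that is not part of the thread or of any Microsoft sample: the SPA sends a top-level PKCE authorization request with `prompt=none`, and falls back to an interactive sign-in only when B2C reports that no usable session exists. The tenant, policy, client ID and redirect URI are placeholders, and the function names are hypothetical.

```javascript
// Added example; every value in cfg is a placeholder, not taken from the thread.
const nodeCrypto = require("node:crypto");

const cfg = {
  tenant: "contoso",                                   // placeholder tenant name
  policy: "B2C_1A_SIGNUP_SIGNIN",                      // placeholder custom policy
  clientId: "00000000-0000-0000-0000-000000000000",    // placeholder app registration
  redirectUri: "https://app.example/auth/callback",    // placeholder redirect URI
  scope: "openid offline_access",
};

// RFC 7636: code_challenge = BASE64URL(SHA-256(code_verifier))
function pkcePair(verifier = nodeCrypto.randomBytes(32).toString("base64url")) {
  const challenge = nodeCrypto.createHash("sha256").update(verifier).digest("base64url");
  return { verifier, challenge };
}

// prompt=none asks the authorization endpoint to answer from the existing
// browser session without rendering any sign-in UI.
function buildAuthorizeUrl(c, { challenge, state, nonce, silent }) {
  const url = new URL(
    `https://${c.tenant}.b2clogin.com/${c.tenant}.onmicrosoft.com/${c.policy}/oauth2/v2.0/authorize`);
  const q = url.searchParams;
  q.set("client_id", c.clientId);
  q.set("response_type", "code");
  q.set("response_mode", "fragment");   // keeps the code out of server logs
  q.set("redirect_uri", c.redirectUri);
  q.set("scope", c.scope);
  q.set("state", state);
  q.set("nonce", nonce);
  q.set("code_challenge", challenge);
  q.set("code_challenge_method", "S256");
  if (silent) q.set("prompt", "none");
  return url.toString();
}

// Decide what to do with the redirect sent back to the SPA.
function handleRedirect(redirectUrl, expectedState) {
  const p = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  if (p.get("state") !== expectedState) return { action: "reject", reason: "state mismatch" };
  const err = p.get("error");
  // OIDC Core error codes meaning "no usable session, show the sign-in UI".
  if (["login_required", "interaction_required", "consent_required"].includes(err))
    return { action: "interactive", reason: err };
  if (err) return { action: "fail", reason: err };
  const code = p.get("code");
  return code ? { action: "redeem", code } : { action: "fail", reason: "no code" };
}
```

A `redeem` result is exchanged at the policy's token endpoint together with the stored `verifier`; an `interactive` result means the same request is repeated without `prompt=none`.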