Azure B2C Custom Policy OAuth2 bearer authentication with cached access token that expires every 1 hour

Tony RR

I would like confirmation, on setup being possible, and direction on achieving the following:

Azure B2C Custom Policy OAuth2 bearer authentication with token that expires every 1 hour

Steps which would be part of the Custom Policy Orchestration steps:

  1. If no access token has been retrieved or it has expired (tokens are valid only for 1 hr), then the Custom Policy retrieves an access token from a federated identity provider
    a. Requires logging in, then retrieving the access token (two different RESTful API calls)
    b. Store the access token with a validity of 1 hr
  2. The access token is used to access an external API that verifies its validity

My question is specifically in regards to this caching mechanism, since this flow fits the static bearer token described here:

Except the access token value would need to be set dynamically every 55 minutes.

Thank you

-Tony RR


1 answer

  1. 2022-05-10T00:44:23.167+00:00

    Hello @Tony RR, Azure AD B2C cannot validate the expiration timestamp for an access token stored as a secret, nor handle it inside a Custom Policy.

    Regarding the stored access token you can replace the whole keyset or upload a new access token using Update trustFrameworkKeySet or trustFrameworkKeySet: uploadSecret operations respectively after 55 minutes have passed.

    Please let us know if you need additional assistance.

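The rotation the answer describes, as an added example that is not part of the question or the answer: a scheduled job decides whether the stored upstream token is within five minutes of expiry and, if so, builds the body for the Microsoft Graph `trustFrameworkKeySet: uploadSecret` call. The keyset name `B2C_1A_UpstreamApiToken`, the Graph token and the upstream token endpoint are assumptions; the HTTP opener is injectable so the logic can be exercised offline.

```python
"""Rotate a B2C policy-key secret that holds an upstream IdP access token."""
import json
import time
from typing import Callable, Optional
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
KEYSET_ID = "B2C_1A_UpstreamApiToken"   # assumed keyset name (placeholder)
REFRESH_MARGIN = 300                     # refresh 5 min early: 55-minute window


def needs_refresh(stored_exp: Optional[int], now: int, margin: int = REFRESH_MARGIN) -> bool:
    """True when no secret is stored yet or it is within `margin` seconds of expiry."""
    return stored_exp is None or stored_exp - now <= margin


def build_upload_secret_body(token: str, expires_in: int, now: int) -> dict:
    """Body for POST /trustFramework/keySets/{id}/uploadSecret.

    `exp` is set REFRESH_MARGIN seconds before the upstream token expires so the
    recorded window matches when the job will rotate it. B2C itself does not
    enforce this timestamp for a bearer secret (as the answer notes); the job does.
    """
    return {"use": "sig", "k": token, "nbf": now, "exp": now + expires_in - REFRESH_MARGIN}


def upload_secret(graph_token: str, body: dict,
                  opener: Callable = urllib.request.urlopen) -> dict:
    """Upload a new secret to the keyset; `opener` is injectable for offline use."""
    req = urllib.request.Request(
        f"{GRAPH}/trustFramework/keySets/{KEYSET_ID}/uploadSecret",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {graph_token}",
                 "Content-Type": "application/json"})
    with opener(req) as resp:
        return json.load(resp)


def rotate_if_needed(stored_exp: Optional[int], fetch_upstream: Callable[[], dict],
                     graph_token: str, now: Optional[int] = None,
                     opener: Callable = urllib.request.urlopen) -> Optional[dict]:
    """One scheduler tick. `fetch_upstream` performs the upstream login + token
    calls and returns {"access_token": ..., "expires_in": 3600} (assumed shape).
    Returns the uploaded body, or None when the stored secret is still fresh."""
    now = int(time.time()) if now is None else now
    if not needs_refresh(stored_exp, now):
        return None
    upstream = fetch_upstream()
    body = build_upload_secret_body(upstream["access_token"], upstream["expires_in"], now)
    upload_secret(graph_token, body, opener)
    return body
```

Run `rotate_if_needed` from a scheduler (e.g. every few minutes) and persist the returned `exp` as the next `stored_exp`; the Graph token needs the `TrustFrameworkKeySet.ReadWrite.All` permission.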