Ionic capacitor project with Azure B2C authentification

Question

Hi,

On a current project, we are using Ionic with Capacitor to create an application which is hybrid so available on Web, Android Application, IOS Application with the same source code.
We are using the ADB2C to connect our users with a PKCE flow.

Today, we are facing an issue concerning the token lifetime. In the SPA mode, for the web, the token can not have a lifetime more than 24h, before needing a complete login :
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#security-implications-of-refresh-tokens-in-the-browser

As we are using the same source code on all platform, what can be the solution to have a token of 24h on the web site, and longer token lifetime on Android / IOS Application

Regards,

Sylvain

Answer 1

Hi @LEVENE, Sylvain (COLAS SA) ,

Thanks for reaching out and apologies for delay in response.

I understand that you are looking to persist AD B2C session for single page applications that uses PKCE code flow.

You can enable KMSI feature for users of your web and native applications who have local accounts in your Azure AD B2C directory. Users can opt to stay signed in, so the session remains active after they close the browser.

As mentioned, SPAs will be issued tokens valid for only 24 hours. After 24 hours, the app must acquire a new authorization code via a top-level frame visit to the login page.

So, after 24 hours you can call authorization endpoint of Azure AD to get the new access and refresh token. This can also be non-interactive flow if the browser has the valid login session.

Hope this will help you.

Please remember to "Accept Answer" if answer helped you.

Thanks,
Shweta