Does the refresh token expire after 90 days irrespective of whether it is updated?

Himan Jo 1 Reputation point
2022-05-04T20:18:20.547+00:00

When an access token expires, a refresh token is used to get a new access token, and it also returns a new refresh token. Now if this new access token expires and the new/updated refresh token is used to get the next access token, it will also receive a newer refresh token. So if, during every update of the access token, the refresh token is also updated, can this process continue seamlessly (without the user having to authenticate again) even after 90 days? Or does the user have to authenticate at the end of 90 days even if the most recent refresh token is being used?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

5 answers

  1. Shweta Mathur 29,531 Reputation points Microsoft Employee
    2022-05-13T09:33:15.24+00:00

    Hi @Himan Jo ,

    Apologies for the delay in response.

    Your understanding is correct here.

    As mentioned by Andy, by default, Refresh token MaxInactiveTime will be 90 days and MaxAgeMultiFactor will be until revoked.

    As long as your refresh token is still within its lifetime, you can use it to get a new access token and refresh token to achieve permanent access. The new refresh token you get will also have a lifetime of 90 days; its lifetime is not affected by your initial refresh token.

    As we are using the refresh token every day to get an access token, this means the refresh token should not expire (as the MaxInactiveTime 90 days condition will never be met).

    Hope this will help.

    ---------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

    Thanks,
    Shweta

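    The sliding-window behaviour described in this answer (a 90-day MaxInactiveTime that restarts with every newly issued refresh token, and no absolute cap because MaxAgeMultiFactor is "until revoked") can be illustrated with a small simulation. The code below is an added example written for this page, not Microsoft code and not the behaviour of any real Entra ID endpoint; `TokenService`, `simulate` and `ReauthRequired` are hypothetical names, and the model additionally assumes that each refresh token is single-use (the old one is invalidated when it is exchanged), which the answer does not state.

```python
"""Toy model of sliding-window refresh-token expiry (added illustration).

Assumptions, taken from the answer above: MaxInactiveTime is 90 days and is
measured from the moment the current refresh token was issued; every refresh
issues a new refresh token with its own 90-day window; MaxAgeMultiFactor is
"until revoked", so no absolute session cap is enforced in this model.
Additional modelling assumption: a refresh token is single-use.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

MAX_INACTIVE = timedelta(days=90)  # MaxInactiveTime from the answer


class ReauthRequired(Exception):
    """Raised when the caller must send the user through sign-in again."""


@dataclass
class RefreshToken:
    value: str
    issued_at: datetime
    session_started: datetime  # when the user last authenticated interactively


class TokenService:
    """Tracks currently valid refresh tokens and rotates them on every use."""

    def __init__(self) -> None:
        self._valid: dict[str, RefreshToken] = {}

    def login(self, now: datetime) -> RefreshToken:
        """Interactive sign-in: mint the first refresh token of a session."""
        tok = RefreshToken(secrets.token_hex(16), now, now)
        self._valid[tok.value] = tok
        return tok

    def refresh(self, token_value: str, now: datetime) -> RefreshToken:
        """Exchange a refresh token for a new one (the access token is omitted).

        The old token is removed first (single-use), then the inactivity window
        is checked against the *current* token's issue time, not the session start.
        """
        tok = self._valid.pop(token_value, None)
        if tok is None:
            raise ReauthRequired("unknown or already-used refresh token")
        if now - tok.issued_at > MAX_INACTIVE:
            raise ReauthRequired("refresh token idle beyond MaxInactiveTime")
        new = RefreshToken(secrets.token_hex(16), now, tok.session_started)
        self._valid[new.value] = new
        return new


def simulate(refresh_every_days: int, total_days: int) -> bool:
    """Return True if a session refreshed every N days survives total_days
    without the user having to sign in again."""
    svc = TokenService()
    t0 = datetime(2022, 5, 4)  # constructed start date
    tok = svc.login(t0)
    day = 0
    try:
        while day + refresh_every_days <= total_days:
            day += refresh_every_days
            tok = svc.refresh(tok.value, t0 + timedelta(days=day))
        return True
    except ReauthRequired:
        return False


def old_token_rejected() -> bool:
    """Show that a refresh token already exchanged cannot be replayed."""
    svc = TokenService()
    t0 = datetime(2022, 5, 4)
    first = svc.login(t0)
    svc.refresh(first.value, t0 + timedelta(days=1))
    try:
        svc.refresh(first.value, t0 + timedelta(days=2))
        return False
    except ReauthRequired:
        return True


if __name__ == "__main__":
    print("daily refresh for 120 days:", simulate(1, 120))      # True
    print("refresh every 90 days for 180:", simulate(90, 180))  # True
    print("refresh every 91 days for 182:", simulate(91, 182))  # False
    print("replayed old token rejected:", old_token_rejected())  # True
```

    Running it shows the point of the answer: a client that refreshes daily is still signed in on day 120 because the inactivity window is measured from the most recently issued refresh token, while a client that goes quiet for 91 days is forced back through sign-in. The single-use check is a defender's addition worth keeping in any real token store, since it turns a leaked and later-replayed refresh token into a detectable failure rather than a silent second session.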

  2. Himan Jo 1 Reputation point
    2022-05-04T21:45:13.45+00:00

    This helps, but I just need to clarify one thing.
    The app would be regularly (say multiple times a day) using the refresh tokens to get a new access token and would get refresh tokens as well, and these new refresh tokens will replace the previously issued refresh tokens. So on the 90th day, the fresh refresh token would be used for the next request.

    So it would be the 90th day from the point of view of the first refresh token issued when the user authenticates. However, it would be the first day from the point of view of the updated refresh token (which would be used to make the request for a fresh access token).

    So even in this case, does the user need to authenticate himself again (because 90 days have passed from when the first refresh token was issued)? Or does he not need to authenticate himself again if the updated refresh token is used for every request?


  3. Himan Jo 1 Reputation point
    2022-05-05T22:17:37.167+00:00

    Do we have any update on this, please?


  4. Himan Jo 1 Reputation point
    2022-05-10T21:37:54.813+00:00

    Is there any update on this, please?
