This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 63%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUK%3C/text%3E%3C/svg%3E)
Hi
We use Azure B2C for our users to log into our ASP.Net web application (C#)
In our user flow "B2C_1_SignUpAndSignIn" the "Access & ID token lifetimes" is set to 60 minutes.
This causes an issue because our users need to stay logged in for more than 1 hour.
I could increase the value for "Access & ID token lifetimes" to say 720 minutes, but Azure warns me:
Increasing this value can impact your application's security profile. so that is not ideal.
I have heard that within your application you could add code that would silently refresh the access & id tokens.
so far I haven't found anything that would help me how to achieve this.
Any help or code samples would be much appreciated.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Uwe Kohl ,
Thanks for reaching out.
I understand you are looking to extend lifetime of Access & ID token for your B2C application.
The default lifetime of Access token is 60 minutes. As access tokens are not revoked, so extending the lifetime of access tokens are not recommended as malicious actor that has obtained an access token can use it for extent of its lifetime.
For maximum security and flexibility, it is recommended to use combination of access token and refresh token. When the access token expires, the application can use the refresh token to obtain the new access token.
To get the refresh token along with access token and ID tokens, you would need the scope as "offline_access" in your request. The default lifetime of refresh token is valid for 14 days and maximum lifetime is 90 days.
Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow
Hope this will help.
Thanks,
Shweta
---------------------------------
Please remember to "Accept Answer" if answer helped you.
Hi
thanks for your reply...
but i think I need some help how to set this up in my code
private OpenIdConnectAuthenticationOptions CreateOptionsFromPolicy()
{
return new OpenIdConnectAuthenticationOptions
{
MetadataAddress = string.Format(AadInstance, TenantName, TenantName, SignUpSignInPolicyId),
AuthenticationType = SignUpSignInPolicyId,
ClientId = ClientId,
RedirectUri = RedirectUri,
PostLogoutRedirectUri = RedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = OnAuthenticationFailed,
AuthorizationCodeReceived = context =>
{
return Task.FromResult(0);
},
MessageReceived = context =>
{
return Task.FromResult(0);
},
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
SecurityTokenValidated = OnSecurityTokenValidated
},
Scope = "openid",
ResponseType = "id_token",
// This piece is optional - it is used for displaying the user's name in the navigation bar.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
}
};
}
i have tried adding offline_access to the Scope, like so "Scope = "openid offline_access"
but that did not work.
Is there anything I have to configure in Azure itself?
Did you check the permissions while registering the application?
Reference link to get refresh token using openId Connect: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
Hi @Shweta Mathur
thanks for your help and reply...
I just can't get it working. I registered a new application and followed your instructions above.
I set the Access & ID token lifetimes (minutes) to 5 minutes, so i don't have to wait too long to see whether Request.IsAuthenticated turns to false.
see screenshots of some of my configuration. if you need to see a particular configuration let me know.
THANKS
Hi
anyone out there who can help
Hi @Uwe Kohl ,
Apologies for delay in response. I didn't get notification.
I have provided offline_access in the scope to get the refresh token and able to get the token successfully. You might miss something in configration which is not reading you scope correctly.
Thanks,
Shweta
Hi @Uwe Kohl ,
Apologies for delay in response. I didn't get notification.
I have provided offline_access in the scope to get the refresh token and able to get the token successfully. You might missing something in configration which is not allow you to read scope correctly.
Thanks,
Shweta