Azure B2C - Access & ID token lifetimes expires after 1 hour

Uwe Kohl 41 Reputation points
2022-06-30T22:42:19.267+00:00

Hi

We use Azure B2C for our users to log into our ASP.Net web application (C#)

In our user flow "B2C_1_SignUpAndSignIn" the "Access & ID token lifetimes" is set to 60 minutes.

This causes an issue because our users need to stay logged in for more than 1 hour.

I could increase the value for "Access & ID token lifetimes" to say 720 minutes, but Azure warns me:
Increasing this value can impact your application's security profile. so that is not ideal.

I have heard that within your application you could add code that would silently refresh the access & id tokens.
so far I haven't found anything that would help me how to achieve this.

Any help or code samples would be much appreciated.

Thanks

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,562 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,563 questions
0 comments No comments
{count} votes

Accepted answer
  1. Shweta Mathur 25,296 Reputation points Microsoft Employee
    2022-07-01T06:24:10.937+00:00

    Hi @Uwe Kohl ,

    Thanks for reaching out.

    I understand you are looking to extend lifetime of Access & ID token for your B2C application.

    The default lifetime of Access token is 60 minutes. As access tokens are not revoked, so extending the lifetime of access tokens are not recommended as malicious actor that has obtained an access token can use it for extent of its lifetime.

    For maximum security and flexibility, it is recommended to use combination of access token and refresh token. When the access token expires, the application can use the refresh token to obtain the new access token.

    To get the refresh token along with access token and ID tokens, you would need the scope as "offline_access" in your request. The default lifetime of refresh token is valid for 14 days and maximum lifetime is 90 days.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------

    Please remember to "Accept Answer" if answer helped you.


1 additional answer

Sort by: Most helpful
  1. Uwe Kohl 41 Reputation points
    2022-07-01T17:52:56.73+00:00

    Hi @Shweta Mathur
    thanks for your help and reply...
    I just can't get it working. I registered a new application and followed your instructions above.
    I set the Access & ID token lifetimes (minutes) to 5 minutes, so i don't have to wait too long to see whether Request.IsAuthenticated turns to false.

    see screenshots of some of my configuration. if you need to see a particular configuration let me know.

    THANKS

    217009-capture1.png

    217028-capture2.png