Azure AD Sign in + OWIN + WebForms/MVC + Timeout + Refresh Token

Russ 1 Reputation point
2022-07-06T11:40:34.123+00:00

Hi,

I have successfully followed this guide "Tutorial: Add sign-in to Microsoft to an ASP.NET web app", and introduced Azure AD logins to our old WebForms/MVC application. This is working fine in terms of logins/logouts. This is using AD rather than B2C.
https://learn.microsoft.com/en-gb/azure/active-directory/develop/tutorial-v2-asp-webapp

The problem we are now facing is our users are being logged out between 60-90 minutes; I think it is to do with this: "The default lifetime of an access token is variable. When issued, an access token's default lifetime is assigned a random value ranging between 60-90 minutes (75 minutes on average)"
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime

My question is, how do I deal with this? I want users to be logged in for a period I select. If they are active I want them to stay signed in. I want sliding expiration turned on, and I want to be able to increase the access token to longer than 60-90 minutes.

I've seen on the Startup.cs class I can set these two properties on UseCookieAuthentication, but no cookie is created and the settings do not come into effect.
ExpireTimeSpan = TimeSpan.FromMinutes(1),
SlidingExpiration = true

Or I somehow need to refresh the token on posting the page back.

Please can someone shed some light on this? I can't find any other documentation on how to change this.

Thanks


1 answer

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2022-07-06T23:17:34.333+00:00

Hello @Russ , the (ASP.NET) application cookie stores Azure AD auth information. You will need to set a higher value for the ExpireTimeSpan property. The Azure AD session is stored in an Azure AD cookie which, by default, lasts days. The lifetime of access tokens (which are used for authorization purposes) should not have anything to do with authentication state.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

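As an added example, not code from the question or from the answer above, here is an OWIN Startup.cs that applies the answer's advice (a longer ExpireTimeSpan with sliding expiration on the application cookie) in a WebForms/MVC app signed in with Azure AD. The web.config keys, the tenant-specific authority and the UseTokenLifetime setting are assumptions of this example, not something the thread states.

```csharp
// Added example, not code from the question or the answer: an OWIN Startup.cs
// for a classic ASP.NET WebForms/MVC app signed in with Azure AD, keeping the
// application cookie alive for a period the app controls. Assumed: settings
// come from web.config; the OWIN Cookies and OpenIdConnect packages are installed.
using System;
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp
{
    public class Startup
    {
        static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        static readonly string RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];

        public void Configuration(IAppBuilder app)
        {
            // The application cookie is what keeps the user signed in to this app.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Longest idle period before the user must sign in again.
                ExpireTimeSpan = TimeSpan.FromHours(8),
                // Re-issue the cookie while the user keeps making requests.
                SlidingExpiration = true,
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = $"https://login.microsoftonline.com/{Tenant}/v2.0",
                RedirectUri = RedirectUri,
                Scope = "openid profile email",
                ResponseType = "id_token",
                // Assumption: the OWIN OIDC middleware defaults UseTokenLifetime to
                // true, which makes the cookie expire with the id_token and would
                // override ExpireTimeSpan; false lets the cookie options win.
                UseTokenLifetime = false
            });
        }
    }
}
```

With these settings the session length is governed by the application cookie, while access-token expiry only affects calls to downstream APIs.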
