B2C web app session lifetime

Yevhen Boiko 1 Reputation point
2022-07-25T07:11:03.787+00:00

Hello. We are working on signin/signup flows using an Azure B2C custom policy and the MSAL library in our web app, and we want to implement a 30-minute session lifetime. According to this configure-tokens article, SPAs using the auth code flow with PKCE always have a refresh token lifetime of 24 hours. So having the refresh_token_lifetime_secs field in a custom policy is basically a ceremony - Azure B2C will not allow setting the refresh token's lifetime to more or less than 24 hours.

We've set the idToken/accessToken lifetime to 10 mins and the web session lifetime to 30 mins - and we expected that once the idToken/accessToken expires, the msal-browser library will try to issue a new idToken/accessToken in a hidden iframe using the web session cookie. If the cookie has not expired, new tokens will be issued. Otherwise, not.

But in fact, once the idToken/accessToken expires, the refreshToken starts to work and refreshes tokens regardless of web session expiration. It will work for up to 24 hours (until the refresh token expires).

Moreover, we don't request scopes other than the clientId scope, but in the authorize request we always see the openid profile offline_access scopes.
These 3 scopes are hardcoded in the msal-browser library and always included by default. There are no options to configure default scopes and exclude offline_access - which could potentially help to skip the refresh token process.

Could you please advise whether we missed something? Is there any approach to managing session lifetime?

Microsoft Entra External ID

3 answers

  1. AmanpreetSingh-MSFT 56,561 Reputation points
    2022-07-29T07:52:46.267+00:00

    Hi @Anonymous, thank you for reaching out.

    Refresh tokens issued to SPAs cannot be controlled via B2C Sessions Management and are valid for 24 hours only. So, in your case, you need to make sure that the offline_access scope is not present in the authentication request to make sure the refresh token is not issued.

    As documented under "Security implications of refresh tokens in the browser": without refresh tokens or third-party cookies, the authorization code flow (as recommended by the OAuth security best current practices draft) becomes onerous when new or additional tokens are required. A full page redirect or popup is needed for every single token, every time a token expires (every hour usually, for the Microsoft identity platform tokens).

    Please check if you have added the offline_access scope for the application registered in the Azure AD B2C tenant. If it is added and consented as shown below, try removing the permission and send the authentication request again.

    [screenshot]

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

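As an added example (not code from the thread or from Microsoft), one client-side way to get the 30-minute limit the question asks for: the SPA compares the B2C ID token's `auth_time` claim with the wall clock and forces an interactive sign-in instead of a silent refresh once the limit is reached. It assumes msal-browser's `acquireTokenSilent`/`loginRedirect` request shape and that the policy emits `auth_time`; `sampleIdToken` and the `msal` mock are constructed for offline use.

```javascript
// Added example, not code from the thread: a client-side 30-minute session limit
// layered on top of msal-browser. Assumes B2C emits the `auth_time` claim and
// that `msal` is a PublicClientApplication exposing acquireTokenSilent/loginRedirect.
const MAX_SESSION_SECONDS = 30 * 60;

// Decode a JWT payload (base64url, unpadded). Node's Buffer is used so the sample
// runs offline; in a browser use atob(). No signature check is done here: this is
// only a hint for when the app should re-prompt, never an authorization decision.
function decodeJwtPayload(token) {
  const part = token.split(".")[1];
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Constructed, unsigned sample ID token (header.payload.) for offline use.
function sampleIdToken(authTime) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc({ sub: "user", auth_time: authTime, iat: authTime })}.`;
}

// True once the user last entered credentials MAX_SESSION_SECONDS or more ago.
// Falls back to `iat` if a policy omits auth_time; an unknown start counts as expired.
function sessionExpired(claims, nowSeconds) {
  const started = claims.auth_time ?? claims.iat;
  if (typeof started !== "number") return true;
  return nowSeconds - started >= MAX_SESSION_SECONDS;
}

// Replacement for a bare acquireTokenSilent call: when the limit has passed, force an
// interactive sign-in (prompt=login) instead of letting the 24-hour refresh token
// silently mint new tokens. `now` is injectable so the logic is testable offline.
async function acquireTokenWithSessionLimit(msal, account, scopes, now = Date.now) {
  if (sessionExpired(account.idTokenClaims, Math.floor(now() / 1000))) {
    await msal.loginRedirect({ scopes, prompt: "login" });
    return null; // the page navigates away; nothing to hand back
  }
  return msal.acquireTokenSilent({ scopes, account });
}
```

Because this check runs in the browser it only governs when the app re-prompts; an API that needs a real bound should also validate `auth_time` server-side.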

  2. Mike Brooks 1 Reputation point
    2022-07-29T20:35:23.497+00:00

    @AmanpreetSingh-MSFT I have a similar issue as posted by @Anonymous , so I attempted to remove the offline_access api permission from my App Registration. Azure B2C App Registration will not allow the removal of the offline_access permission. When I attempt to remove this api permission I get the warning below.

    [screenshot]

    If I proceed, the offline_access permission appears below the "Configured Permissions" as "Other permissions granted for..."

    [screenshot]

    Is there another way to remove this permission completely from an App Registration?

    Thanks,

    Mike


  3. Yevhen Boiko 1 Reputation point
    2022-09-15T11:40:57.713+00:00

    @AmanpreetSingh-MSFT thank you for the answer. We removed offline_access from the tenant but it is still present in the authentication request. What can be wrong?
