3,281 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 2%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Developers should have an ability to extend the refresh_token lifetime on browser for atleast a week. Current time of 24 hours is very short
How to get >24h refresh tokens for mobile app with Azure B2C?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 90%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Stefan Schweiger
1
Reputation point
We are currently looking into creating a mobile app with react native (expo). The whole authentication stuff works now after a bit of tinkering. But whats a problem for us is that apparently you are not able to get refresh tokens which are valid for longer than 24h when you use the code flow with PKCE.
As far as I've gathered from online resources it's recommended to use PKCE for mobile apps for security reasons. But having the user login do a complete login after 24h is kind of a show stopper for us.
What other options are there to use refresh tokens which are valid for more than 24h in a secure way for mobile apps?
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
2 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator2022-08-02T08:40:57.793+00:00 Hi @Stefan Schweiger ,
Thanks for reaching out.
Your understanding is correct here. Unfortunately, as of now for Single Page Applications, the token is valid only for 24 hours. After 24 hours you need to go to /authorization endpoint of azure ad to get the new access and refresh token. This can also be also non-interactive flow if the browser has the valid login session.
Another way is to use the implicit flow where refresh token happens in hidden iframe, but implicit flow is not recommended as going further 3rd party cookies will be blocked.
The only workaround option available is to use "Keep me signed in" to get long lived sessions. In order to set the KMSI checkbox checked by default, you need to use JavaScript as there is no option available for this purpose in B2C user flow or custom policy.
Thanks,
Shweta-----------------------------
Please remember to "Accept Answer" if answer helped you.
-
Stefan Schweiger 1 Reputation point
2022-08-02T09:54:39.237+00:00 @Shweta Mathur thank you for your answer. But my app isn't a classic SPA app but an mobile react native app.
The documentation here mentions the following:
Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation
Does this mean I should just not use PKCE for mobile apps? As far as I could gather from online resources it's considered best practice to use PKCE on mobile apps as well. But the 24h refresh token expiration is a real headache for us.
-
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
2022-08-02T11:00:18.897+00:00 Hi @ StefanSchweiger-4120,
Only PKCE flow has limitation of 24 hour lifetime of refresh token. I agreed that recommended way for mobile apps is PKCE flow as it add extra protection layer than authorization code flow.
Earlier implicit flow is recommended but with third party cookies to be removed from browsers, the implicit grant flow is no longer a suitable authentication method, and the approach is to use authorization code flow. But as this flow requires server-to-server communication using an application's client secret. PKCE is the most suitable authentication flow for mobile applications.
The final decision should factor in your desired user experience but also your appetite for risk after doing a proper risk assessment of your shortlisted approaches and better understanding the implications.
Hope this will help.
Thanks,
Shweta -
Stefan Schweiger 1 Reputation point
2022-08-02T13:09:54.62+00:00 @Shweta Mathur is there any reason why this limitation exists? The PKCE RFC does not mention refresh tokens at all and other identity providers like Auth0 don't seem to have this kind of limitation in place.
Sign in to comment -