ASP.NET Azure AD refresh access token on expiration

Bálint Keresztes 1 Reputation point
2022-08-16T12:08:52.273+00:00

Hello,

I would like to ask for some help with handling access token expiration in my web app, which uses Azure AD to log in.
It is an ASP.NET application (.NET 4.7.2). On login the user is redirected to the Microsoft page, logs in, is redirected back to the web app with a valid access token, and can work for an hour; but when the token expires and the user sends a request, he will have to be redirected to MS and back again to get a new access token. This breaks the user's workflow, especially if he is on a filled-in form and the token expires right when he would post his data: he will have to fill in the form again after the redirect puts him on the empty page.
My question: when I detect in the backend that the user is not authenticated any more, can I refresh his auth token seamlessly, without the need to redirect to MS and back, and once the new token has arrived, just process the pending request as if nothing happened? If not, can I somehow change the access token expiration from 1 hour to 8 or 12?
I have read some articles about using the access token and refresh token to do this, but I am using the OpenIdConnect middleware and am not sure if I have a refresh token at all.

Thank you,
Bálint Keresztes


1 answer

Bruce (SqlWork.com) 57,646 Reputation points
2022-08-16T19:23:41.737+00:00

You are actually using standard cookie authentication with SSO. The lifetime of the cookie is tied to the token lifetime. The login token is only used to create the cookie. When the cookie expires, the browser does not include it in the request.

While you could request and store a refresh token on the server, when the unauthenticated request comes, you do not know the identity of the user. You would need to add a different cookie to store this, or you would need to update the cookie before it expires; thus you would implement a sliding window. As you are using the OWIN cookie, you need to code this yourself.

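The answer above boils down to three settings in the OWIN pipeline: decouple the cookie lifetime from the ID token, give the cookie a sliding window, and (if you need tokens for downstream APIs) redeem the authorization code once with `offline_access` so a refresh token sits in a server-side cache. The following `Startup.Auth.cs` is an added example written for this thread; it is not code from the asker or from Bruce's answer. It assumes ASP.NET 4.7.2 with the `Microsoft.Owin.Security.Cookies`, `Microsoft.Owin.Security.OpenIdConnect` and `Microsoft.Identity.Client` (MSAL) packages; the `ida:*` app settings, the `User.Read` scope and the `msal_account_id` claim name are placeholders chosen for the example.

```csharp
// Startup.Auth.cs -- added example, not code from the question or the answer.
// Assumes OWIN cookie + OpenIdConnect middleware and MSAL; ida:* values are
// placeholders read from web.config.
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static readonly string ClientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
    private static readonly string TenantId = ConfigurationManager.AppSettings["ida:TenantId"];
    private static readonly string RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
    private static readonly string Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
    private static readonly string[] Scopes = { "User.Read" }; // hypothetical downstream scope

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // 1. The session is the OWIN cookie, not the Azure AD token. Give it its own
        //    lifetime and let it slide: a request in the second half of the window
        //    reissues the cookie, so an active user is not signed out mid-form.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            ExpireTimeSpan = TimeSpan.FromHours(8),
            SlidingExpiration = true,
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true,
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            // offline_access asks Azure AD for a refresh token alongside the code.
            Scope = $"openid profile offline_access {string.Join(" ", Scopes)}",
            // 2. Default is true, which copies the ID token's ~1h expiry onto the
            //    cookie and overrides ExpireTimeSpan above. Turn it off so the
            //    cookie settings win.
            UseTokenLifetime = false,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // 3. Redeem the authorization code once; MSAL keeps the refresh
                //    token in its cache so later calls can get tokens silently.
                AuthorizationCodeReceived = async ctx =>
                {
                    IConfidentialClientApplication cca = BuildClientApp();
                    AuthenticationResult result = await cca
                        .AcquireTokenByAuthorizationCode(Scopes, ctx.Code)
                        .ExecuteAsync();
                    // Store the MSAL account id in the cookie so the user's cache
                    // entry can be located on later requests.
                    ctx.AuthenticationTicket.Identity.AddClaim(
                        new Claim("msal_account_id", result.Account.HomeAccountId.Identifier));
                },
                AuthenticationFailed = ctx =>
                {
                    ctx.HandleResponse();
                    ctx.Response.Redirect("/Error?message=" + Uri.EscapeDataString(ctx.Exception.Message));
                    return Task.FromResult(0);
                },
            },
        });
    }

    // Shared MSAL client. In production, hook UserTokenCache.SetBeforeAccess /
    // SetAfterAccess to a persistent store; the default in-memory cache is lost
    // on an app-pool recycle and the user would be sent back to Azure AD.
    private static IConfidentialClientApplication BuildClientApp() =>
        ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(new Uri(Authority))
            .WithRedirectUri(RedirectUri)
            .Build();

    // 4. Called from a controller when an access token is needed. MSAL uses the
    //    cached refresh token, so no browser redirect happens while the cookie
    //    is still valid; an MsalUiRequiredException means a fresh sign-in is needed.
    public static async Task<string> GetAccessTokenAsync(ClaimsPrincipal user)
    {
        string accountId = user.FindFirst("msal_account_id")?.Value;
        IConfidentialClientApplication cca = BuildClientApp();
        IAccount account = accountId == null ? null : await cca.GetAccountAsync(accountId);
        if (account == null)
            throw new MsalUiRequiredException("no_account", "No cached account; sign in again.");
        AuthenticationResult result = await cca.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        return result.AccessToken;
    }
}
```

Two points worth checking after wiring this in: with `UseTokenLifetime` left at its default the cookie still expires with the ID token no matter what `ExpireTimeSpan` says, which is the behaviour described in the question; and a sliding cookie only helps an active user, so an idle tab that comes back after the full window will still be redirected, which is the intended bound on session lifetime rather than a bug.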