Azure AD B2C access token suddenly expires every 15 min when the user is using the application - azure-ad-b2c

We are using Azure AD B2C authentication in our MVC application.
We set our token expiry timeout to 4 hours but still it is expiring within 10 to 15 minutes while the user is using the application. When we refresh the page, the token is refreshed.
This is causing a big issue for us: due to the sudden expiry of the token, the user can't use the application and his whole work is lost if he refreshes the page to refresh the token.
Please suggest a solution to this.
Tried giving an even longer token expiry time but it still causes the issue; tried in different ways but nothing worked.

Related

B2C refresh token lifetime for SPA - Can it be extended or else be setup as a sliding expiration

We are using B2C for our SPA and wanted to know if we can set up a sliding expiration for the 24 hr refresh token lifetime. Currently, if a user is logged in and active, the user will still get logged out after 24 hrs. Is there a way to extend the token lifetime or else make it sliding so that users don't lose their unsaved work?
As per the reference below, SPA always has 24 hrs only.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-lifetime-behavior
Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation. Learn more about the security implications of refresh tokens in the browser.

Expiration of refresh token in SPA application in AD B2C

Following the documentation, single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours.
I have the same scenario, but I wonder if it is possible to set that refresh token expiration time shorter than 24 hours, or even not use it at all and force the user to type login and password every time the access token expires?
Currently it's fixed at 24 hours.
You could switch to implicit flow here to achieve this.

MSAL token expires after 1 hour

I am using MSAL for Azure AD authentication in a Xamarin app. The validity of the token is 1 day (seen using the value of ExpiresOn of AuthenticationResult).
My problem is that, after 1 hour, AcquireTokenSilentAsync fails and then AcquireToken needs to be called.
I am not able to understand why, even though the token validity is 1 day and the validity of the refresh token is even longer, it is asking for authentication every 1 hour?
Can this be changed using any parameter value or any other way?
Just to make a small clarification, MSAL doesn't actually issue tokens or decide a token's expiration, but rather ingests an acquired token from the Azure AD STS.
MSAL will automatically refresh your access token after expiration when calling AcquireTokenSilentAsync. You're likely not getting automatic silent refreshes due to some kind of token cache miss. It's hard to say the specific issue without seeing your code, but I'll recommend comparing it against the official MSAL Xamarin code sample.
If you're building a Xamarin app, then it's a public client. The default token expirations right now are:
Access Tokens: 1 hour
Refresh Tokens: 90 days, 14 day inactive sliding window
Azure AD does allow you to configure these token expirations in PowerShell. You can define a token lifetime policy and then assign it to the specific Service Principal, across the tenant/organization, or on the application object. The other thing to keep in mind is that if you're requesting a token for a specific resource, then the policy must be set on that resource rather than the requesting service principal or app. For more info on this, check out configuring token lifetime in Azure AD.
There was an issue with the TokenCache due to which the token was not stored properly and I was getting an exception. This has been resolved in the newer versions of Xamarin Android. Bug defined here

azureAD refreshtoken expires in 14 days

I have a long running application (many days/weeks). Is there any way to get OAuth access that is not tied to the 14 day refresh token expiry? No matter what I try I lose access in 14 days. It would put a huge burden on our users to have to re-authenticate every N days.
Azure AD Refresh tokens have a sliding expiry of 14 days, up to a maximum of 90 days. That is, as long as you use the refresh token in those 14 days, you will get a new refresh token valid for another 14 days. So your users would only need to re-enter credentials every 90 days.
That being said, for long running applications, the Client Credentials Flow may be more suitable. This uses Application Permissions rather than Delegated Permissions (so you may need to change the permissions in the Azure portal). If you really need to make your calls as a particular user it may not work in your case.

Azure AAD token expire issue with web app

We are using Azure AD authentication with a bootstrap MVC site.
Everything is fine and dandy - except we have an issue with the token timeout.
I have read multiple articles about the token lasting 1 hour before re-authenticating against Microsoft.
Our problem comes up when posting data.
After we enter a page with a post form on it - and this hour expires while on the page - the post data gets lost when posting the data. Everything points in the direction of the problem occurring when the site goes to get a fresh 1-hour token.
Has anyone here had experience with this or have any idea of how to get around this problem?
Not sure if this is the right way of doing things, but this is how we're handling this situation.
Basically when a user authenticates against Azure AD, you get 3 things back - Access Token (which expires after 60 minutes), Refresh Token and Token Expiry. What we do in our application is cache these three items.
Whenever we perform something that requires Access Token, we first check if the token has expired or not (by comparing the server date/time with the token expiry). If the token is not expired, we simply use that access token. However if the token is expired, we fetch new tokens using refresh token (fetching new tokens using refresh token will again return Access Token, Refresh Token and Token Expiry which we cache again in our application).
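As an added example, not code from any post in this thread and not MSAL's own cache: the check-expiry-then-refresh logic the answer above describes, which is also the silent-refresh behaviour the "MSAL token expires after 1 hour" answer relies on. TokenCache, FakeSts and the 1-hour / 14-idle-day figures are assumed stand-ins modelled on the lifetimes quoted in this thread; no real token endpoint is contacted.

```python
from collections import namedtuple

class RefreshFailed(Exception): ...
class InteractiveLoginRequired(Exception): ...
# What the STS hands back: access token, refresh token, absolute expiry (Unix time)
TokenSet = namedtuple("TokenSet", "access_token refresh_token expires_on")

class TokenCache:
    """Caches one token set and renews it via the refresh token before use."""
    def __init__(self, tokens, refresh_fn, now, skew=300):
        self._tokens, self._refresh_fn = tokens, refresh_fn
        self._now, self._skew = now, skew  # now: server clock; skew: renew this early
    def get_access_token(self):
        # Check server time against the cached expiry, with a margin for requests in flight
        if self._now() >= self._tokens.expires_on - self._skew:
            try:  # redeem the refresh token: new AT, new RT, new expiry
                self._tokens = self._refresh_fn(self._tokens.refresh_token)
            except RefreshFailed as exc:  # silent path exhausted: interactive sign-in
                raise InteractiveLoginRequired(str(exc)) from exc
        return self._tokens.access_token

class FakeSts:
    """Constructed stand-in, not Azure AD: 1-hour access tokens and refresh
    tokens that rotate on each use and lapse after 14 idle days."""
    def __init__(self, now):
        self._now, self._issued, self._n = now, {}, 0
    def issue(self):  # interactive sign-in, or a successful redeem
        self._n += 1
        self._issued[f"rt{self._n}"] = self._now()
        return TokenSet(f"at{self._n}", f"rt{self._n}", self._now() + 3600)
    def redeem(self, refresh_token):
        issued = self._issued.pop(refresh_token, None)  # one-time use
        if issued is None or self._now() - issued > 14 * 86400:
            raise RefreshFailed("refresh token unknown, reused or idle > 14 days")
        return self.issue()

def run_scenario():
    clock = [1_700_000_000.0]
    sts = FakeSts(lambda: clock[0])
    cache = TokenCache(sts.issue(), sts.redeem, now=lambda: clock[0])
    out = {"fresh": cache.get_access_token()}   # at1: still valid, no refresh
    clock[0] += 3400                            # inside the 5-minute margin
    out["renewed"] = cache.get_access_token()   # at2: refreshed before expiry
    clock[0] += 15 * 86400                      # idle past the sliding window
    try:
        cache.get_access_token()
    except InteractiveLoginRequired:
        out["login_required"] = True            # must sign in again
    return out
```

The early renewal at 3400 s is what keeps a form post from racing the hard expiry; once the refresh token itself is dead, the only correct outcome is an interactive sign-in, not a silent failure that drops the user's work.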