How to revoke refresh token for Azure AD B2C in React Native? - azure

I have the refresh token expiry on B2C set to the minimum and I left my account logged in but inactive for the past couple days. Now, I'm receiving logs showing the mobile application is trying to get a new access token using the expired refresh token but I'm catching an error: "time out".
Correct me if I'm wrong, but from what I understand, refresh tokens don't expire and I need to manually revoke them, then send the user back to the login screen? How do I revoke the refresh token on the client side?
Thanks.

If you wish to revoke the refresh token, you can use PowerShell: Revoke-AzureADUserAllRefreshToken,
or the AAD Graph API: POST https://graph.windows.net/{tenant id}/me/invalidateAllRefreshTokens?api-version=1.6 HTTP/1.1.
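The same revocation against the current Microsoft Graph endpoint, as an added example that is not part of the answer above. It assumes the Microsoft Graph v1.0 action POST /users/{id}/invalidateAllRefreshTokens and an app registration with client-credentials access to Graph (the permission name in the comment is an assumption; check your tenant). The HTTP opener is injectable so the request can be inspected without a network.

```python
import json
import urllib.parse
import urllib.request

# Assumed endpoints (not from the original post): Microsoft Graph v1.0 and the
# Azure AD v2.0 token endpoint. Supply your own tenant, client id and secret.
GRAPH_BASE = "https://graph.microsoft.com/v1.0"
LOGIN_BASE = "https://login.microsoftonline.com"


def _post_form(url, form, opener):
    """POST an x-www-form-urlencoded body and return the parsed JSON response."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener(req) as resp:
        return json.loads(resp.read())


def get_app_token(tenant, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials grant for an app registration that holds the
    application permission needed to invalidate refresh tokens (assumed here
    to be User.ReadWrite.All or Directory.ReadWrite.All)."""
    data = _post_form(
        f"{LOGIN_BASE}/{tenant}/oauth2/v2.0/token",
        {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        },
        opener,
    )
    return data["access_token"]


def build_revoke_request(user_id, access_token):
    """POST /users/{id}/invalidateAllRefreshTokens: refresh tokens and session
    cookies issued to the user before now are rejected on next use. Access
    tokens already handed out keep working until they expire, so the mobile
    app only notices at its next refresh."""
    return urllib.request.Request(
        f"{GRAPH_BASE}/users/{urllib.parse.quote(user_id)}/invalidateAllRefreshTokens",
        data=b"",
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Length": "0"},
    )


def revoke_all_refresh_tokens(user_id, access_token, opener=urllib.request.urlopen):
    """Returns the boolean 'value' from the Graph response (True on success)."""
    with opener(build_revoke_request(user_id, access_token)) as resp:
        body = resp.read()
    return json.loads(body)["value"] if body else True


if __name__ == "__main__":
    import sys

    # usage: python revoke.py <tenant> <client_id> <client_secret> <user object id or UPN>
    tenant, client_id, client_secret, user = sys.argv[1:5]
    token = get_app_token(tenant, client_id, client_secret)
    print("revoked:", revoke_all_refresh_tokens(user, token))
```

Revocation is a server-side operation: the client cannot revoke its own refresh token; it can only discard it. Once revoked, the next refresh attempt from the app fails and the app must send the user back to sign in.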

Related

Does updating the Refresh token lifetime in Azure AD B2C User flows expire current Refresh tokens

I have a client with mobile apps that uses Azure AD B2C User flows for authentication.
There is a Policy for SignIn that has the Refresh token lifetime (days); this was set too low and we need to increase it.
If we change this policy setting, will it cause currently valid Refresh tokens to expire or remain valid?
It is not listed as a reason in Token revocation
No, changing the policy setting won't cause currently valid Refresh tokens to expire.
The old refresh token will still be valid.
You can have a quick verification by using ROPC flow:
Acquire an access token/refresh token pair.
Change the Refresh token lifetime in ROPC user flow.
Use the refresh token above to acquire a new access token.

how to refresh the access token in azure b2c using MSAL.js after 24 hours?

I'm using Msal.js (acquireTokenSilent) to acquire the refresh token to keep the user logged in after the access token has expired, but the limit to this is that I can refresh the token only while the session cookie is valid.
The trouble is that even though the refresh token is valid for 14 days, the session cookie expires after 24 hours, and after that I cannot use acquireTokenSilent.
How to refresh the token after 24 hours of inactivity ?
You aren’t using a refresh token here, this is a JavaScript app using cookie based SSO. You can use keep me signed in to extend the users Azure AD B2C session lifetime.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-keep-me-signed-in

How to inspect a refresh token obtained from Azure in a code grant flow?

I successfully implemented the code grant flow against Azure AAD according to this document
Now I want to fiddle with the expiration of the refresh token I obtain.
The default expiration is 90 days and I want to lower it to 7. I want to verify that I succeeded without having to wait 7 days. The expiration of the refresh token is not returned in the API and
I am unable to decode it as a JWT token (is it even a JWT?).
Any suggestions?
I assume that you used New-AzureADPolicy or the Microsoft Graph API Create Policy to set the lifetime of the refresh token.
Then you could use the Microsoft Graph API Get Policy to see the details of the policy.
GET https://graph.microsoft.com/beta/policies/tokenLifetimePolicies
In the response you will see the MaxInactiveTime property which is the lifetime of the refresh token.

Revoke a refresh token on Azure AD B2C

I don't know if there is a solution to revoke a refresh token when:
- a user resets their own password with the reset password policy?
- a user changes their own password with a specific form based on the Graph API?
I think it must be implemented for security reasons, but I don't know if it's possible for now, and if not, when will it be available?
Thanks in advance
I found a similar question to yours: Costs of B2C and Refresh tokens.
The essential part of the answer from the other question is:
Logging out of the web application won't revoke the token. Azure AD doesn't support revoking the token at present. However, we can clear the token cache if you don't want users to use the token.
I did some own tests using the Azure AD Graph API and was unable to get the refresh token to expire, even when resetting the password of the user accessing the resources.
As far as I know, there doesn't seem to be any way to expire the token at the moment, except for contacting Azure support and having them expire the token.

Why do my Office 365 OAuth2 refresh tokens keep expiring so quickly?

I'm aware that the Office 365 refresh tokens expire when the user changes their password, but I'm seeing them expire almost weekly for my customers.
Is there something I've misconfigured when setting up my OAuth2 app in Azure?
Usually, the access token lasts 1 hour and the refresh token lasts 14 days.
According to the document Authorization Code Grant Flow, the lifetime of refresh token varies based on policy settings. In this case, you may check the Azure AD policy settings.
The lifetime of the refresh token is not provided and varies based on
policy settings and the time when the authorization code grant is
revoked by Azure AD. The application should expect and handle cases when the request for a new access token fails. In that case, it should return to the code that requests a new access token.
When the access token expires, you can use the Refresh Token to Request a New Access Token. The response includes a new access token and a new refresh token.
The old refresh token will last 14 days; as a workaround, you can use the new refresh token, which will last another 14 days.
Check the Sign-in Frequency settings. If enabled, the new refresh tokens returned with access tokens will expire based on the last interactive login rather than when the new refresh token was issued.
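A client-side token handler that puts the two points from this thread into code: the ROPC verification steps in the B2C answer above (acquire a token pair, then use the old refresh token to get a new access token) and the rotation advice in this answer (the refresh response carries a new refresh token, so always persist the newest one). This is an added example, not code from either answer. The token endpoint URL, client id and scope are placeholders; for a B2C ROPC user flow the endpoint is the user flow's oauth2/v2.0/token URL and the scope must include offline_access to get a refresh token at all. The HTTP opener is injectable so the logic can be exercised against a fake endpoint.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class ReauthRequired(Exception):
    """The refresh token was rejected (expired, revoked, or password changed):
    the cache has been cleared and the user must go back to the sign-in screen."""


class TokenClient:
    def __init__(self, token_endpoint, client_id, scope,
                 opener=urllib.request.urlopen, store=None):
        self.token_endpoint = token_endpoint  # placeholder: your user flow's token URL
        self.client_id = client_id
        self.scope = scope                    # must include offline_access for a refresh token
        self.opener = opener
        self.store = store if store is not None else {}  # persist this in a real app

    def _post(self, form):
        req = urllib.request.Request(
            self.token_endpoint,
            data=urllib.parse.urlencode(form).encode(),
            method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        with self.opener(req) as resp:
            return json.loads(resp.read())

    def _save(self, data):
        self.store["access_token"] = data["access_token"]
        # The token endpoint returns a fresh refresh token with every refresh.
        # Always overwrite the cached one so the app never falls back to an
        # older token whose 14-day clock started earlier.
        if "refresh_token" in data:
            self.store["refresh_token"] = data["refresh_token"]
        return data["access_token"]

    def acquire_with_password(self, username, password):
        """ROPC grant: the first step of the verification in the B2C answer."""
        return self._save(self._post({
            "grant_type": "password",
            "client_id": self.client_id,
            "scope": self.scope,
            "username": username,
            "password": password,
        }))

    def refresh(self):
        """Exchange the cached refresh token for a new access token.
        An HTTP 400 with error=invalid_grant means the refresh token is no
        longer accepted; clear the cache and signal that sign-in is required."""
        rt = self.store.get("refresh_token")
        if rt is None:
            raise ReauthRequired("no refresh token cached")
        try:
            data = self._post({
                "grant_type": "refresh_token",
                "client_id": self.client_id,
                "scope": self.scope,
                "refresh_token": rt,
            })
        except urllib.error.HTTPError as err:
            body = json.loads(err.read() or b"{}")
            if err.code == 400 and body.get("error") == "invalid_grant":
                self.store.clear()
                raise ReauthRequired(body.get("error_description", "invalid_grant")) from err
            raise
        return self._save(data)
```

To run the verification from the B2C thread: call acquire_with_password, change the refresh token lifetime in the user flow, then call refresh with the stored token; a new access token back means the old refresh token was still honoured. In the mobile app from the first question, catching ReauthRequired is the point at which to drop the cached tokens and return the user to the login screen rather than retrying.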
