azureAD refresh token expires in 14 days - azure-web-app-service

I have a long-running application (many days/weeks). Is there any way to get OAuth access that is not tied to the 14-day refresh token expiry? No matter what I try, I lose access in 14 days. It would put a huge burden on our users to have to re-authenticate every N days.

Azure AD refresh tokens have a sliding expiry of 14 days, up to a maximum of 90 days. That is, as long as you use the refresh token within those 14 days, you will get a new refresh token valid for another 14 days. So your users would only need to re-enter credentials every 90 days.
That being said, for long-running applications the Client Credentials Flow may be more suitable. This uses Application Permissions rather than Delegated Permissions (so you may need to change the permissions in the Azure portal). If you really need to make your calls as a particular user, it may not work in your case.

Related

Azure AD B2C access token suddenly expires every 15 minutes while the user is using the application

We are using Azure AD B2C authentication in our MVC application.
We set our token expiry timeout to 4 hours, but it still expires within 10 to 15 minutes while the user is using the application. When we refresh the page, the token is refreshed.
This is causing a big issue for us: because of the sudden expiry of the token, the user can't use the application, and all of their work is lost if they refresh the page to refresh the token.
Please suggest a solution to this.
I tried giving an even longer token expiry time, but it still causes the issue; I tried different ways, but nothing worked.

JWT, refresh token flow on mobile apps

const express = require('express'); // import needed for express.Router()
const router = express.Router();
router.post('/refresh', (req, res) => { /* refresh handler body omitted in the original post */ res.sendStatus(501); });
module.exports = router;
The access token expiration period is 7 days and the refresh token expiration period is 30 days. If 7 days have elapsed, the server notifies the mobile app client that the access token has expired; the client sends a refresh token to the server, which checks whether the refresh token is valid and immediately issues a new access token for 7 days and a new refresh token for 30 days. That is all fine so far, right?
But what about after 30 days? What if the user doesn't log in for 30 days? The refresh token will also expire. And I want to keep the user signed in forever (this is for a mobile app, so re-signing in is not good for the user experience). I don't know what to do in this case.
You have a few options depending on the intended functionality and security requirements of your application.
Change the expiry period of one or both tokens; possibly make the refresh token infinite to maintain some security.
Is background refresh an option you can consider? If this can be completed without the user having opened the app it will work well for you.
Store user credentials and re-login (either automatically or manually) if re-accessing after the refresh token has expired.

B2C refresh token lifetime for SPA - Can it be extended or else be setup as a sliding expiration

We are using B2C for our SPA and wanted to know whether we can set up a sliding expiration for the 24-hour refresh token lifetime. Currently, if a user is logged in and still active, the user will get logged out after 24 hours. Is there a way to extend the token lifetime, or else make it sliding, so that users don't lose their unsaved work?
As per the reference below, an SPA always has 24 hours only.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-lifetime-behavior
Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation. Learn more about the security implications of refresh tokens in the browser.

Limited Azure Active Directory access?

Is there a way to have usernames/passwords only work for 1 hour for an Azure website? I've looked into expiring tokens, but I'm not sure if that's the right idea.
Great question. But right now, no: there is no way to make an AAD user be active only for a given period of time. Tokens always expire. An application typically only needs the token at the first authentication step (when the user came from the Security Token Service), to validate it and extract claims and eventually a refresh token. After that, the original token is no longer used anyway.

Azure refresh token expiration scenario

I have been reading about refresh tokens and could not find information on the following:
When does a refresh token expire?
Can a password change by the main user cause a refresh token to expire?
Can I explicitly set dates for expiration of a refresh token?
Thanks
Chris
Have a look at this post.
http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
Refresh tokens last for 14 days, but if you use a refresh token within those 14 days, you will receive a new one with a new validity window shifted forward by another 14 days. You can repeat this trick for up to 90 days of total validity, then you'll have to reauthenticate.
Refresh tokens can be invalidated at ANY time, for reasons independent from your app (e.g. user changes password). Hence you should NOT take a dependency on the above in your code: your logic should always assume that the refresh token can fail at any time.
Refresh tokens issued for guest MSA accounts last only 12 hours.
