
ADB2C refresh_token always expires in one day

I've been struggling with adb2c for a while now. In particular the refresh flow. I'm using the latest version of msal-browser and everything works fine, refreshing the token works well. The only problem is that the token endpoint returns a refresh_token that will always expire in one day. In this case, a user can only be logged in for a day, after that, the user will always have to re-authorize. Here is an example of the endpoint and what it returns directly after logging in. (Note that I have set the access_token expire time to 5 mins for testing purposes.)

Endpoint:

https://{b2c_domain.onmicrosoft.com/{b2c_policy}/oauth2/v2.0/token

Response:

{
    "access_token": "{access_token_hidden}",
    "id_token": "{id_token_hidden}",
    "token_type": "Bearer",
    "not_before": 1610023338,
    "expires_in": 300,
    "expires_on": 1610023638,
    "resource": "{resource_hidden}",
    "client_info": "{client_info}",
    "scope": "https://{adb2c_domain_hidden}.onmicrosoft.com/api/user_impersonation",
    "refresh_token": "{refresh_token_hidden}",
    "refresh_token_expires_in": 86400
}

When, at some point, the application will try to refresh a token, it will call the token endpoint again. This is what a second response looks like:

{
    "access_token": "{access_token_hidden}",
    "id_token": "{id_token_hidden}",
    "token_type": "Bearer",
    "not_before": 1610023891,
    "expires_in": 300,
    "expires_on": 1610024191,
    "resource": "{resource_hidden}",
    "client_info": "{client_info}",
    "scope": "https://{adb2c_domain_hidden}.onmicrosoft.com/api/user_impersonation",
    "refresh_token": "{refresh_token_hidden}",
    "refresh_token_expires_in": 85846
}

The refresh_token_expires_in is not rolling. But that is understandable, the user should not always stay logged in. But, in my adb2c policy the following settings are active:

[screenshot of the adb2c policy token lifetime settings, not available in this copy]

I would assume, as I have configured in the settings, the refresh token should at least be active for 14 days. If not, even up to 90 days? I can play with the settings, but it will always give me a refresh_token that lasts for 1 day. Does anyone have any experience with this or a possible solution? Thanks!

Yes, as you think, the lifetime of the refresh token can be up to 90 days. If you need to configure the lifetime of the refresh token, you should use PowerShell to create a token lifetime policy, and then assign the policy to your service principal to set the token lifetime. See: here.

Update:

I just used the Azure AD B2C portal to set the lifetime of the refresh token to 14 days, and then tested it with the ROPC user flow, and the result was that it did take effect. The refresh token I got was 14 days.

So, please make sure that the user flow that you set the lifetime of the refresh token for is the user flow you are using, which is very important!

By the way, your endpoint is wrong, it should be:

https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/{b2c_policy}/oauth2/v2.0/token

[screenshots 1 to 3 of the Azure AD B2C portal token lifetime settings, not available in this copy]

If you are using Msal-Browser, which implements the code grant with PKCE in a SPA application, then you will get a refresh token that has an expiry of 24 hours and that is not rolling. After 24 hours you need to go to the /authorization endpoint of Azure AD to get a new access and refresh token. This can also be a non-interactive flow if the browser has a valid login session.

In the Msal-browser library, if you have configured the session for more than 24 hours, then you can perform the silent login with ssoSilent(); it requires you to send the login_hint.
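As an added example (not code from the question, from either answer, or from the msal-browser library), the following JavaScript works through the two token-endpoint responses shown in the question and the client-side decision described in the answer above. The numeric fields are copied from the question's responses as constructed samples; the helpers refreshTokenExpiresOn, isRolling and chooseFlow are hypothetical names, and the clock-skew margin and the "session still valid" flag are assumptions. acquireTokenSilent, ssoSilent and loginHint are real msal-browser names, but nothing here calls the library, so the block runs offline under Node.

```javascript
// Added example: not code from the question, the answers, or msal-browser.
// It operates on plain token-endpoint responses so it runs offline.

// Constructed samples: numeric fields copied from the two responses in the
// question (token strings omitted). All timestamps are Unix seconds.
const FIRST_RESPONSE = {
  token_type: "Bearer",
  not_before: 1610023338,
  expires_in: 300,
  expires_on: 1610023638,
  refresh_token_expires_in: 86400, // 24 h, issued at interactive login
};

const SECOND_RESPONSE = {
  token_type: "Bearer",
  not_before: 1610023891,
  expires_in: 300,
  expires_on: 1610024191,
  refresh_token_expires_in: 85846, // 24 h minus the time already elapsed
};

// The endpoint reports only a relative lifetime, so anchor it at not_before
// to obtain the absolute moment the refresh token stops working.
function refreshTokenExpiresOn(resp) {
  if (typeof resp.not_before !== "number" ||
      typeof resp.refresh_token_expires_in !== "number") {
    throw new TypeError("response lacks not_before / refresh_token_expires_in");
  }
  return resp.not_before + resp.refresh_token_expires_in;
}

// A rolling refresh token pushes its absolute expiry forward on each renewal.
// For the question's two responses the expiries differ by about one second,
// so the token is not rolling (tolerance absorbs server-side rounding).
function isRolling(previous, next, toleranceSeconds = 60) {
  return refreshTokenExpiresOn(next) - refreshTokenExpiresOn(previous) > toleranceSeconds;
}

// Decide what a browser client should attempt at `nowSeconds`, given the last
// response it cached and whether the B2C browser session (cookie on the
// b2clogin.com host) is still expected to be alive. `skewSeconds` is an
// assumed safety margin for clock drift between client and server.
function chooseFlow(lastResp, nowSeconds, sessionValid, skewSeconds = 30) {
  if (nowSeconds < lastResp.expires_on - skewSeconds) {
    return "use-cached-access-token"; // access token still valid
  }
  if (nowSeconds < refreshTokenExpiresOn(lastResp) - skewSeconds) {
    return "acquireTokenSilent";      // refresh token still valid
  }
  if (sessionValid) {
    return "ssoSilent";               // refresh token gone, session cookie may remain; needs loginHint
  }
  return "interactive";               // nothing left: loginRedirect / loginPopup
}

// Stand-alone run: analyse the question's two responses.
console.log("first response, refresh token expires on:", refreshTokenExpiresOn(FIRST_RESPONSE));
console.log("second response, refresh token expires on:", refreshTokenExpiresOn(SECOND_RESPONSE));
console.log("refresh token is rolling:", isRolling(FIRST_RESPONSE, SECOND_RESPONSE));
console.log("flow two days after login, session alive:",
  chooseFlow(SECOND_RESPONSE, SECOND_RESPONSE.not_before + 2 * 86400, true));
```

The first two log lines show the same absolute expiry (one second apart), which is the non-rolling behaviour the question observed. When chooseFlow returns "ssoSilent", the corresponding msal-browser call takes an object with a loginHint, which is why the answer says login_hint must be sent; when it returns "interactive", only a fresh trip to the authorization endpoint will do.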
