Increase access token lifetime in Azure AD

I have a multi-tenant Azure app that is authorized by the clients using the authorization code flow. The access token I get from the flow has a TTL of 1 hour on average, whereas the refresh token has 90 days. I am using this access token on behalf of the users to fetch some of their resources. Can I increase the access token lifetime? I am playing around with Configure token lifetime policies (preview). However, I am not sure if this should be done by me (Azure app tenant) or by the clients (in their tenant).

I tried to reproduce the same in my environment and got the results like below:

I created an Azure AD Multi-Tenant Application:

I created an Azure AD policy for 2 hours in the parent tenant (where the Azure AD app resides) and the token was generated successfully with a 2-hour lifetime:

POST https://login.microsoftonline.com/organizations/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id: ClientID
client_secret: ClientSecret
scope: https://graph.microsoft.com/user.read
grant_type: authorization_code
redirect_uri: RedirectUri
code: code

But when I tried another user from a different tenant the token did not have an extended lifetime (2 hours).

After the first login to the Azure multi-tenant application by a user from another tenant, the application is added under Enterprise Applications in that tenant like below:

Now, I tried to add an Azure AD token lifetime policy for the other tenant like below:

# Sign in to the tenant that consumes the multi-tenant app (the second tenant)
Connect-AzureAD

# Create a 2-hour access token lifetime policy; it is not made the organization default
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# Find the service principal (Enterprise Application) that the first login created in this tenant
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'rukmt'"

# Attach the policy to that service principal
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

For both Azure tenants, the token lifetime policy has been applied using the same application.

I tried to generate a token using the second tenant's user:

The token was successfully generated with a 2-hour token lifetime like below:

If the issue still persists, check whether the policy is overridden by a policy with a higher priority.
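The screenshots above show the lifetime by reading the token's claims. As an added example that is not part of the answer, here is a small Python check that does the same thing on the command line: it decodes the JWT payload (without verifying the signature, so it must only be used for inspection) and reports whether `exp - iat` matches the 02:00:00 policy. The two tokens are constructed samples with placeholder tenant ids, standing in for the home tenant with the policy attached and a second tenant that still gets the 1-hour default.

```python
import base64
import json

DEFAULT_LIFETIME = 3600       # Azure AD default access token lifetime (seconds)
POLICY_LIFETIME = 2 * 3600    # AccessTokenLifetime "02:00:00" from the policy

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT checked,
    so this is only suitable for inspecting lifetimes, never for trusting a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def lifetime_seconds(token: str) -> int:
    # Azure AD stamps iat and nbf with the issue time and exp = issue time + lifetime.
    claims = decode_claims(token)
    return int(claims["exp"]) - int(claims.get("iat", claims["nbf"]))

def policy_applied(token: str, expected: int = POLICY_LIFETIME) -> bool:
    """True when the token lifetime matches the policy, allowing a few seconds of skew."""
    return abs(lifetime_seconds(token) - expected) <= 5

def _constructed_token(tid: str, lifetime: int) -> str:
    # Constructed sample: an unsigned token carrying only the claims used here.
    # Real Azure AD tokens are RS256-signed and carry many more claims.
    issued_at = 1700000000
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "tid": tid,
               "iat": issued_at, "nbf": issued_at, "exp": issued_at + lifetime}

    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."

HOME_TENANT_TOKEN = _constructed_token("<home-tenant-id-placeholder>", POLICY_LIFETIME)
OTHER_TENANT_TOKEN = _constructed_token("<second-tenant-id-placeholder>", DEFAULT_LIFETIME)

if __name__ == "__main__":
    for name, tok in (("home tenant", HOME_TENANT_TOKEN), ("second tenant", OTHER_TENANT_TOKEN)):
        print(f"{name}: lifetime={lifetime_seconds(tok)}s policy_applied={policy_applied(tok)}")
```

To check a real token, paste it in place of the constructed samples; a second-tenant token that still reports 3600 means that tenant's service principal has no policy attached yet, or a higher-priority policy wins.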
