Reputation: 1389
I have a Web API that uses Azure AD OAuth for authentication, which is consumed by a mobile client (Android, iOS), and there is a functional requirement to avoid the user having to enter his credentials again when he wants to use the application after the token and refresh token have expired. What would be the best way to handle this with the Authorization Code Grant Flow? Thanks a lot.
Upvotes: 1
Views: 1064
Reputation: 1982
The quick answer is that when the refresh token is expired, the only recourse is for the user to re-enter creds.
Just in case anyone else is interested in more detail:
If you are using ADAL, the need for the user to enter credentials after the first time should be mitigated. Whenever ADAL gets an access token from the server, it also gets a 'refresh token'. When the original access token expires, the refresh token can be exchanged for a new access token and a new refresh token. Redeeming a refresh token is done completely silently, and as long as the refresh token is still valid, the user is never asked for credentials.
If you are using ADAL you should never need to be aware that this is happening. Both the Android and iOS ADAL libraries maintain a cache of both access tokens and refresh tokens. When you call acquireToken, ADAL will first check its cache to see if there are any valid access tokens. If there are no currently valid access tokens it will see if there is a refresh token that can be used to get a fresh access token. In other words, it will do everything possible to avoid prompting the user for credentials. In order to take advantage of this behavior all you have to do is call acquireToken each and every time you need a token. Unless you have some special requirements, there is no reason to hold on to that token beyond a single use. Just call ADAL every time you need to use an access token again.
However, AAD refresh tokens expire in about 14 days if they are not used. Each new refresh token starts the 14-day clock over again. This works for a total of 90 days. But after 90 days, the user will have to enter credentials again.
For ADFS the refresh token expiry is even shorter, something like 24 hours, unless the sign-in is from a registered device.
Upvotes: 3
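To make the answer's token-cache behaviour concrete, here is an added, offline model of the acquireToken decision rule it describes (cached access token first, silent refresh second, interactive sign-in last) together with the refresh-token lifetime policy it quotes (a 14-day sliding window, 90 days in total). This is example code written for this page, not ADAL's implementation; the 1-hour access-token lifetime, the fixed start time and the `TokenCache`/`simulate` names are assumptions made for the model.

```python
"""Model of silent token renewal as described in the answer above.

Added example, not ADAL code. Assumptions (not from the page): access tokens
live 1 hour, and time is given as hours offset from a constructed start time
so the model runs offline. The 14-day sliding window and 90-day absolute
limit for refresh tokens are the figures quoted in the answer.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ACCESS_LIFETIME = timedelta(hours=1)      # assumed for the model
REFRESH_INACTIVITY = timedelta(days=14)   # answer: ~14 days if unused, sliding
REFRESH_MAX_AGE = timedelta(days=90)      # answer: 90 days total, then re-auth
START = datetime(2016, 1, 1)              # constructed start time


@dataclass
class TokenEntry:
    access_expires: datetime    # cached access token is valid until this time
    refresh_expires: datetime   # sliding: time of last issuance + 14 days
    family_started: datetime    # interactive sign-in that began this chain


class TokenCache:
    """Mimics the cache-first / refresh-second / prompt-last order."""

    def __init__(self) -> None:
        self.entry: Optional[TokenEntry] = None
        self.prompts = 0    # interactive sign-ins (what the asker wants to avoid)
        self.renewals = 0   # silent refresh-token exchanges

    def _interactive_signin(self, now: datetime) -> str:
        # New token family: both the sliding and the absolute clocks restart.
        self.prompts += 1
        self.entry = TokenEntry(
            access_expires=now + ACCESS_LIFETIME,
            refresh_expires=now + REFRESH_INACTIVITY,
            family_started=now,
        )
        return "interactive"

    def acquire_token(self, now: datetime) -> str:
        """Return how the token was obtained: cached, refreshed or interactive."""
        e = self.entry
        if e is None:
            return self._interactive_signin(now)
        if now < e.access_expires:
            return "cached"                        # step 1: valid access token
        refresh_usable = (
            now < e.refresh_expires                # 14-day window still open
            and now - e.family_started < REFRESH_MAX_AGE  # under the 90-day cap
        )
        if refresh_usable:                         # step 2: silent renewal
            self.renewals += 1
            e.access_expires = now + ACCESS_LIFETIME
            e.refresh_expires = now + REFRESH_INACTIVITY   # clock starts over
            return "refreshed"
        return self._interactive_signin(now)       # step 3: only remaining option


def simulate(offset_hours: List[float]) -> Tuple[List[str], TokenCache]:
    """Call acquire_token at each offset (hours after START); return outcomes."""
    cache = TokenCache()
    outcomes = [cache.acquire_token(START + timedelta(hours=h)) for h in offset_hours]
    return outcomes, cache


if __name__ == "__main__":
    # Gap of 15 days after the last use: the sliding window has closed.
    outcomes, cache = simulate([0, 0.5, 2, 13 * 24 + 2, 28 * 24 + 2])
    print(outcomes, "prompts:", cache.prompts, "renewals:", cache.renewals)
    # Daily use: renewal every day until the 90-day cap forces a prompt.
    daily, cache = simulate(list(range(0, 91 * 24, 24)))
    print("prompt on days:", [i for i, o in enumerate(daily) if o == "interactive"])
```

The two runs in the `__main__` block show the two cases the answer separates: a client that goes quiet for more than 14 days loses silent renewal even though it is well inside the 90 days, while a client used every day renews silently until the absolute limit. The model also illustrates why the answer says to call acquireToken on every use rather than holding a token: the decision of which path to take depends on state that only the cache knows.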