andrey

Reputation: 1977

Azure Oauth - how to change token expiration time?

We are using OAuth2 with Azure. By default the server returns a token with a one-hour expiration interval. Is there any way to change the expiration interval?

Upvotes: 8

Views: 22535

Answers (3)

Wessel Kranenborg

Reputation: 1440

It is now possible to configure the token lifetime. You can read more here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.

Remark: This feature is in preview and will not go to production in this way. The following header is also placed on the documentation link I mentioned above.

After hearing from customers during the preview, we're planning to replace this functionality with a new feature in Azure Active Directory Conditional Access. Once the new feature is complete, this functionality will eventually be deprecated after a notification period. If you use the Configurable Token Lifetime policy, be prepared to switch to the new Conditional Access feature once it's available.

Original answer:

Currently there is no way to change the expiration interval. These are the current expiration times.

  • Access tokens last 1 hour

  • Refresh tokens last for 14 days, but

    • If you use a refresh token within those 14 days, you will receive a new one with a new validity window shifted forward of another 14 days. You can repeat this trick for up to 90 days of total validity, then you’ll have to reauthenticate
    • Refresh tokens can be invalidated at ANY time, for reasons independent from your app (e.g. user changes password). Hence you should NOT take a dependency on the above in your code – your logic should always assume that the refresh token can fail at any time
    • Refresh tokens issued for guest MSA accounts last only 12 hours

Source: http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/ and also my own experiences.

Upvotes: 7

amzdmt

Reputation: 181

You have to use PowerShell to perform the two steps below:

  1. Create a new policy. This policy sets a 2-hour timeout:

    New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "MyWebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

  2. Apply this policy to your website:

    Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>

Note: To get the ObjectId of the ServicePrincipal, run: Get-AzureADServicePrincipal

To get the ObjectId of the Policy, run: Get-AzureADPolicy

For more detail you can refer to this document: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes

Upvotes: 5
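The two steps above (and the configurable-token-lifetime feature Wessel's answer links to) as one complete script. This is an added example, not code from either answer or from the Microsoft documentation: it builds the policy definition from a hashtable instead of a hand-written JSON string, looks the service principal up by display name rather than listing all of them, and reads the policy back to confirm it was attached. It assumes the AzureADPreview module is installed and that you are connected as an administrator; the app display name `MyWebApp`, the policy name and the two-hour lifetime are placeholders.

```powershell
# Added example: create a TokenLifetimePolicy and attach it to one app's service
# principal, then verify the attachment. Assumes the AzureADPreview module and an
# admin session (Connect-AzureAD). Names and lifetimes below are illustrative.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$appDisplayName = 'MyWebApp'   # assumption: display name of the app registration

# Build the policy body as JSON. Lifetimes use the dd.hh:mm:ss format, so
# '02:00:00' is two hours. Only AccessTokenLifetime is set here.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = '02:00:00'
    }
} | ConvertTo-Json -Compress -Depth 3

# Step 1: create the policy. -IsOrganizationDefault $false keeps it scoped to
# the service principals it is explicitly attached to.
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName 'TwoHourAccessTokenPolicy' `
    -IsOrganizationDefault $false `
    -Type 'TokenLifetimePolicy'

# Resolve the service principal by display name (OData filter) and refuse to
# guess if the name is missing or ambiguous.
$sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'")
if ($sp.Count -eq 0) { throw "No service principal named '$appDisplayName'" }
if ($sp.Count -gt 1) { throw "'$appDisplayName' matches several service principals; use -ObjectId instead" }
$sp = $sp[0]

# Step 2: attach the policy to that service principal.
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify: the policy should now appear on the service principal.
$attached = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $attached) { throw 'Policy was created but is not attached' }
$attached | Format-List DisplayName, Type, Definition
```

The AzureAD and AzureADPreview modules run in Windows PowerShell 5.1, not PowerShell 7. Tokens that were issued before the policy was attached keep the lifetime they were issued with; only new tokens pick up the two-hour value. Lengthening the access token lifetime also lengthens the window in which a leaked bearer token stays usable, since access tokens are not revoked when a refresh token is, so treat a longer lifetime as a trade-off rather than a free convenience.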

Gaurav Mantri

Reputation: 136216

Assuming you're talking about Azure AD, AFAIK it is not possible to do so.

However, in the response along with the token you get back a refresh token as well, which can be used to get a new token. What you can do is cache the refresh token and the expiry time, and before making a request check whether the token has expired (or is about to expire). In that case, use the refresh token to get a new token and then make your request.

Upvotes: 0
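The cache-and-refresh logic described above, written out as an added example rather than Gaurav's own code. It caches the access token together with an absolute expiry instant, refreshes a few minutes early so a request never goes out with a token that is about to expire, and treats any refresh failure as "re-authenticate", which is the point Wessel's answer makes about refresh tokens being revocable at any time. It assumes the Azure AD v2.0 token endpoint and a public client without a client secret; `$TenantId`, `$ClientId` and `$Scope` are placeholders you must supply, and the first token response is assumed to come from whatever interactive sign-in your app already does.

```powershell
# Added example: proactive token refresh with a cached expiry. Assumes the
# Azure AD v2.0 token endpoint and a public client (no client_secret). The
# interactive sign-in that produces the first token response is out of scope.
$script:TokenCache = $null   # hashtable with access_token, refresh_token, expires_at (UTC)

function Save-TokenResponse {
    # Store a token endpoint response; expires_in is seconds from now, so
    # convert it to an absolute UTC instant once rather than re-deriving it.
    param([Parameter(Mandatory)] $Response)
    $script:TokenCache = @{
        access_token  = $Response.access_token
        refresh_token = $Response.refresh_token
        expires_at    = (Get-Date).ToUniversalTime().AddSeconds([int]$Response.expires_in)
    }
}

function Get-AccessToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,   # placeholder
        [Parameter(Mandatory)] [string] $ClientId,   # placeholder
        [Parameter(Mandatory)] [string] $Scope,      # e.g. 'https://graph.microsoft.com/.default offline_access'
        [int] $SkewSeconds = 300                     # refresh this long before expiry
    )
    if (-not $script:TokenCache) {
        throw 'No cached tokens: run the interactive sign-in and call Save-TokenResponse first'
    }
    $deadline = (Get-Date).ToUniversalTime().AddSeconds($SkewSeconds)
    if ($script:TokenCache.expires_at -gt $deadline) {
        return $script:TokenCache.access_token      # still fresh enough, no network call
    }

    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        refresh_token = $script:TokenCache.refresh_token
        scope         = $Scope
    }
    try {
        $resp = Invoke-RestMethod -Method Post -Body $body `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    } catch {
        # A refresh token can stop working at any time (password change, admin
        # revocation, the 90-day cap). Never retry blindly: drop the cache and
        # make the caller go through interactive sign-in again.
        $script:TokenCache = $null
        throw "Token refresh failed; interactive sign-in required: $($_.Exception.Message)"
    }
    # Azure AD returns a new refresh token with each refresh; keep the newest one.
    Save-TokenResponse $resp
    return $script:TokenCache.access_token
}

# Usage (after Save-TokenResponse has been fed the sign-in response):
#   $token   = Get-AccessToken -TenantId $TenantId -ClientId $ClientId -Scope $Scope
#   $headers = @{ Authorization = "Bearer $token" }
#   Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $headers
```

Keep the cache in memory or in a protected store (for a script on Windows, `Export-Clixml` encrypts SecureString content with DPAPI for the current user); a refresh token written to a plain file is a long-lived credential. The five-minute skew should be larger than your clock drift plus the longest request you make with the token.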
