jarcoal

Reputation: 1455

Why do my Office 365 OAuth2 refresh tokens keep expiring so quickly?

I'm aware that the Office 365 refresh tokens expire when the user changes their password, but I'm seeing them expire almost weekly for my customers.

Is there something I've misconfigured when setting up my OAuth2 app in Azure?

Upvotes: 3

Views: 11159

Answers (2)

xn.

Reputation: 16016

Check the Sign-in Frequency settings. If enabled, the new refresh tokens returned with access tokens will expire based on the last interactive login rather than when the new refresh token was issued.

Upvotes: 0

Jeffrey Chen

Reputation: 4680

Usually, the access token lasts 1 hour and the refresh token lasts 14 days.

According to the document Authorization Code Grant Flow, the lifetime of the refresh token varies based on policy settings. In this case, you may check the Azure AD policy settings.

The lifetime of the refresh token is not provided and varies based on policy settings and the time when the authorization code grant is revoked by Azure AD. The application should expect and handle cases when the request for a new access token fails. In that case, it should return to the code that requests a new access token.

When the access token expires, you can use the Refresh Token to Request a New Access Token. The response includes a new access token and a new refresh token.

The old refresh token will last 14 days; as a workaround, you can use the new refresh token, which will last another 14 days.

Upvotes: 6
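
The handling this answer describes, as an added example that is not part of the original post: store the rotated refresh token from every successful refresh, and treat an `invalid_grant` response as the signal to send the user back through the authorization code flow. `TokenStore`, `ReauthRequired`, the `post` transport and `fake_endpoint` are hypothetical names; the fake endpoint is a constructed stand-in so the block runs offline.

```python
import time

class ReauthRequired(Exception):
    """Refresh token rejected; the user must repeat the authorization code flow."""

class TokenStore:
    """`post` is a hypothetical transport (an assumption of this example):
    it takes the token request form fields and returns (http_status, json_dict)."""
    def __init__(self, post, client_id, refresh_token):
        self.post, self.client_id = post, client_id
        self.refresh_token = refresh_token
        self.access_token, self.expires_at = None, 0.0

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        # Refresh 60 s early so the token does not expire mid-request.
        if self.access_token is None or now >= self.expires_at - 60:
            self._refresh(now)
        return self.access_token

    def _refresh(self, now):
        status, body = self.post({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
        })
        if status != 200:
            if body.get("error") == "invalid_grant":
                # Expired or revoked (password change, policy): discard and re-prompt.
                self.refresh_token = None
                raise ReauthRequired(body.get("error_description", "invalid_grant"))
            raise RuntimeError(f"token endpoint error: {body.get('error')}")
        self.access_token = body["access_token"]
        self.expires_at = now + int(body["expires_in"])
        # Store the rotated refresh token; keep the old one only if none was returned.
        self.refresh_token = body.get("refresh_token", self.refresh_token)

def fake_endpoint(valid):
    """Constructed stand-in for the token endpoint: accepts refresh tokens
    in the set `valid` and issues a new pair on every successful call."""
    issued = [0]
    def post(form):
        if form["refresh_token"] not in valid:
            return 400, {"error": "invalid_grant", "error_description": "token expired"}
        issued[0] += 1
        valid.add(f"rt-{issued[0]}")
        return 200, {"access_token": f"at-{issued[0]}", "expires_in": 3600,
                     "refresh_token": f"rt-{issued[0]}"}
    return post
```

In a real client the stored refresh token belongs in encrypted, per-user storage, and `ReauthRequired` should be caught at the point where an interactive sign-in can be started.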
