Parakh

Reputation: 1232

Asp.net session timeout vs id token expiration

If the ASP.NET session timeout is 20 minutes (sliding), what’s the impact of ID token lifetime and the Web app session lifetime?

The ID token lifetime seems absolute (60 min default). What happens when it expires, is a new authentication triggered at the next request or does it happen only when both the ID token and ASP.NET session are expired?

The Web app session lifetime can be either absolute or rolling (1440 min default). Is it rolling with regard to B2C or to the ASP.NET application? What’s the relationship between the ID token lifetime and the Web app session lifetime? My understanding is that when the ID token is expired, if the Web app session is not expired, the user does not have to enter his credentials again. Am I correct?

Upvotes: 1

Views: 2435

Answers (1)

Parakh

Reputation: 1232

I’ll start by explaining some key scenario differences between several of the concepts you’ve mentioned below.

ID tokens: As you’ve mentioned, ID token lifetimes are “absolute” – while you can configure the lifetime of newly created ID tokens in the admin portal, once an ID token is created, there is no way to extend the lifetime of an existing token. If you send the ID token to some endpoint on your service, and the service determines the token is expired, then the client must acquire a new ID token from B2C.

B2C Web app session lifetime: Based on how this is configured for your policy, B2C’s web app session lifetime determines whether a new authorization sent to the /authorize endpoint can be handled without the user needing to interact with UI. Note, however, that a redirect still occurs. Commonly, the result here is a redirect by the customer’s web app to B2C’s /authorize endpoint, followed by an immediate redirect back to the customer’s web app with a newly minted ID token (which would have a new/full ID token lifetime). Visually, this can look like a “screen flicker” as the browser is quickly directed away, and back again. When this happens, if the “rolling” type has been picked for web app session lifetime, then this non-interactive web app session can be used for a new (by default, 1440 minute) window, whereas if choosing “absolute”, the time limit will still be based on the last time a fully interactive web session was performed.

As I mentioned, I’m not myself very familiar with how ASP.NET sessions work here, but the “rolling” web app session the admin portal is referring to is for B2C, not ASP.NET (we have no special interaction with ASP.NET). My guess is that the ASP.NET layer is an additional layer on top of what I’ve described here. Presumably, the ASP.NET session is controlling how often ID tokens are requested and verified by the service, but you may want to follow up on that with the ASP.NET team specifically.

Another scenario not mentioned below regarding silent reauth is “refresh tokens”. Refresh token redemption is truly silent (i.e., no screen flicker), and may be a preferred solution based on your setup. If you are using a single page application (aka “SPA”), there are other options available as well.

You can find out more information here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-apps

Upvotes: 4
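One way to make the two timers in the answer explicit on the ASP.NET side, as an added example that is not part of the question or answer: the cookie is the sliding 20 minute ASP.NET session, and the ID token's `exp` is checked on every request so that an expired token forces a new challenge to B2C (which B2C's own web app session then answers either silently or interactively). It assumes ASP.NET Core with the Microsoft.AspNetCore.Authentication.OpenIdConnect and System.IdentityModel.Tokens.Jwt packages; the tenant, policy and client id values are placeholders.

```csharp
// Added example, not the original poster's or answerer's code.
// Assumes ASP.NET Core 6+ minimal hosting and the two packages named above.
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        // The ASP.NET-side session: sliding, renewed while the user is active.
        options.SlidingExpiration = true;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
        options.Events.OnValidatePrincipal = async ctx =>
        {
            // The ID token lifetime is absolute. Once exp has passed, reject the
            // cookie principal so [Authorize] triggers a fresh OIDC challenge.
            // Whether B2C then prompts for credentials or just redirects back
            // ("screen flicker") is decided by B2C's web app session lifetime.
            var idToken = ctx.Properties.GetTokenValue("id_token");
            if (idToken is null) return;
            var jwt = new JwtSecurityTokenHandler().ReadJwtToken(idToken);
            if (jwt.ValidTo < DateTime.UtcNow)
            {
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(
                    CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    })
    .AddOpenIdConnect(options =>
    {
        // Placeholder B2C values; substitute your tenant, policy and app registration.
        options.Authority = "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<policy>/v2.0";
        options.ClientId = "<client-id>";
        options.SaveTokens = true;        // keep id_token in the auth cookie for the check above
        options.UseTokenLifetime = false; // cookie lifetime stays the sliding 20 min, not the token's
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "signed in").RequireAuthorization();
app.Run();
```

Setting `UseTokenLifetime = true` instead would make the cookie expire exactly when the ID token does, which removes the sliding ASP.NET session and ties the effective session to the absolute token lifetime.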
