Vicky

Reputation: 1117

Azure AD B2C session doesn't expire

I have an ASP.NET MVC web app which is using Azure AD B2C to authenticate the users. The cookie in the ASP.NET MVC app is set to expire after a 20-minute rolling timeout. The settings in AD B2C are as follows:

Here is the sequence:

Why is the Azure AD B2C cookie not expiring, and why is the user not being asked to authenticate again? I would assume that using the settings above in AD B2C should cause the user to re-login, which is my desired behaviour.

Note: the "Keep me signed in" option is disabled and cannot be set by the user.

Also, I am not using the offline_access scope, and hence a refresh token is not given to my app. So it is not the refresh token that is causing the issue.

Upvotes: 7

Views: 4192

Answers (2)

IvanL

Reputation: 2485

You might be experiencing the same issue as I have. See the answer on Azure AD B2C logout after session timeout

Upvotes: 3

Mohit_Garg

Reputation: 922

As per my understanding, in the scenario you describe above, the refresh token is still valid and will be used to acquire a new ID token without user interaction.

Refresh tokens are security tokens that your app can use to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your app with long-term access to resources on behalf of users without requiring interaction with those users.

Reference Document - Azure AD B2C: Token reference

Upvotes: 0
