Sergio Solorzano

Reputation: 665

Azure B2C Web app - how authenticate with refresh token beyond web app session lifetime

I have a web app that requires users to enter credentials to get access to graph.com. I'm using user flow policies. I can get an id_token, and request an access_token and refresh_token with this id_token. For testing purposes I set up the following lifetime settings:

(screenshot of the token lifetime settings; image not available)

After 15 minutes from the time the user logged in, I navigate to the web app uri again and the user is asked to re-enter credentials but I'd like to avoid re-entering credentials (for a controlled time).

Azure documentation says cookies expire at the end of the web browser session and the web app session lifetime is maxed at 24 hours, and I'd like to understand if I can use my refresh_token to override this 24 hour limit to re-authenticate.

Can I request a new refresh token when the browser points to the web app uri again so the user doesn't need to log in again? And if so, I don't see where it is customary to intervene (web app code? controller?) with this request, and do I then need to send a notification to Azure AD to let it know the user is authenticated? I can see in Fiddler a request to re-enter credentials (oauth2/v2.0/authorize), so I'm not sure what steps to take when.

Thank you

Upvotes: 0

Views: 409

Answers (1)

Jas Suri - MSFT

Reputation: 11335

Refresh tokens are used in a Web App when the user is interacting with the website, but the access token has expired. The web server will make a call to B2C to refresh the access token.

Cookies are used when the user is explicitly sent to the /authorize endpoint by the Web App. This allows B2C to SSO the user in, or prompt for any interaction. This is used to give cross application SSO, or SSO within journeys, e.g. Sign In -> Profile Edit (cred prompt is suppressed).

Based on that:

Can I request a new refresh token when the browser points to the web app uri again so the user doesn't need to login again?

No you can't.

You need to increase the B2C Web App SSO lifetime, such that if a user browses to your web app after closing the tab (not browser), they get SSO. Since here they will hit the /authorize endpoint, the setting in play is the Web App SSO lifetime, i.e. the B2C Cookies.

You might want to look at KMSI if you need more than 24 hours, however it is a persistent cookie, so closing the browser will not log the user out. This will need custom policies.

Upvotes: 1
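The distinction the answer draws can be made concrete in the web app's server-side token handling. The following is an added example, not code from the question, the answer or Microsoft: it models a small server-side token cache and decides, per request, whether the app can silently renew an expired access token with a stored refresh token (a call to the B2C /token endpoint, no browser interaction) or must redirect the browser to /authorize, where only the B2C SSO cookie decides whether a credential prompt appears. The tenant name, policy name, client id, scope and redirect URI are constructed placeholders; the endpoint URL shape and the OAuth2 refresh_token grant parameters are the standard B2C v2.0 ones.

```python
"""Server-side token handling for an Azure AD B2C web app (illustrative).

Added example, not code from the original post. It separates the two
mechanisms the answer describes:
  * refresh token -> silently renew an expired access token (server -> /token)
  * SSO cookie    -> suppress the credential prompt when the browser is
                     sent to /authorize; no refresh token is involved there.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholders, not real tenant or app data.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"          # assumed user-flow name
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/signin-oidc"
SCOPE = "openid offline_access https://contoso.onmicrosoft.com/api/read"

# Treat a token as expired slightly early to absorb clock differences.
CLOCK_SKEW = timedelta(seconds=60)


def b2c_endpoint(tenant: str, policy: str, name: str) -> str:
    """URL of a B2C v2.0 endpoint ("authorize" or "token") for a user flow."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/{name}")


@dataclass
class TokenCache:
    """Tokens the web app holds server-side for one signed-in user.
    The refresh token stays on the server; it is never sent to the browser."""
    access_token: Optional[str]
    access_expires_at: Optional[datetime]
    refresh_token: Optional[str]
    refresh_expires_at: Optional[datetime]


def next_step(cache: Optional[TokenCache], now: datetime) -> str:
    """Decide how to obtain a usable access token for this request.

    'cached'    access token still valid: use it.
    'refresh'   access token expired but a live refresh token exists:
                the server posts a refresh_token grant to /token.
    'authorize' nothing usable (e.g. the web app session is gone):
                redirect to /authorize; the B2C SSO cookie, not a refresh
                token, decides whether the user sees a credential prompt.
    """
    if cache is None:
        return "authorize"
    if (cache.access_token and cache.access_expires_at
            and cache.access_expires_at - CLOCK_SKEW > now):
        return "cached"
    if (cache.refresh_token and cache.refresh_expires_at
            and cache.refresh_expires_at - CLOCK_SKEW > now):
        return "refresh"
    return "authorize"


def refresh_request(cache: TokenCache, client_secret: str) -> Tuple[str, str]:
    """Build the server-to-server refresh_token grant (URL, form body).
    This runs on the web server only; the secret never reaches the browser."""
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "refresh_token": cache.refresh_token,
        "scope": SCOPE,
    })
    return b2c_endpoint(TENANT, POLICY, "token"), body


def authorize_url(state: str, nonce: str) -> str:
    """Authorization-code request the browser is redirected to. No 'prompt'
    parameter is set, so B2C may satisfy it from its SSO cookie."""
    params = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": SCOPE,
        "state": state,
        "nonce": nonce,
    })
    return f"{b2c_endpoint(TENANT, POLICY, 'authorize')}?{params}"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Constructed cache: access token expired a minute ago, refresh token live.
    cache = TokenCache("at", now - timedelta(minutes=1), "rt", now + timedelta(days=1))
    print(next_step(cache, now))          # refresh
    print(refresh_request(cache, "client-secret-placeholder")[0])
    print(next_step(None, now))           # authorize
```

The point of `next_step` is the third branch: once the web app's own session (and with it the cached refresh token) is gone, the app has nothing to refresh and must send the browser to /authorize, so the only lever for avoiding the prompt at that stage is the B2C web app SSO lifetime the answer mentions.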
