Juho Hanhimäki

How to keep the user signed in after the browser has been closed and 24 hours have expired in an SPA (AD B2C)

Currently Azure AD B2C issues a refresh token that is valid for 24 hours (non-configurable, non-renewable) for single page apps that use the PKCE code flow.

When those 24 hours have expired since the initial sign-in, the user needs to reauthenticate with AD B2C. If the browser has been closed during that time the AD B2C session is lost and now the user must interactively reauthenticate. I don't understand how this could be an acceptable default user experience for most web apps.

Is there any way to work around this? Perhaps a way to make the AD B2C session persistent so that it survives browser closes and full interactive reauthentication is avoided. I don't want to have the only web app in the universe that requires the user to sign in again every 24 hours.

Edit: We're using external identity providers so KMSI for local accounts doesn't really help.


Answers (1)

You can use keep me signed in to extend the user's Azure AD B2C session lifetime.

Please Refer: https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-keep-me-signed-in

Update:

The Azure AD B2C Session Cookie will always be evaluated first to determine if the user should be sent back to their federated IdP to do a new authentication. Only when both the Azure AD B2C session cookie and the federated IdPs session cookie are expired, will the user have to re-enter their credentials at the federated IdP.

To prevent the user having to go back to the federated IdP to authenticate, you can raise the AAD B2C session cookie lifetime beyond that of the federated IdP session cookie lifetime.

When using Custom Policy, you can use the Session Management technical profile to make sure the federated IdP authentication is part of the session itself.

See how we did this for the Google IdP with the use of SM-SocialLogin:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-goog-idp#add-a-claims-provider

<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />

Add this line to the federated IdP technical profile to make sure it's part of the AAD B2C session.

Once your app is closed you may need to log in again, because your app cookies are not persisted.

You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand the user logged in with KMSI. https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview

SessionExpiryType/SessionExpiryInSeconds - not related to the KMSI cookie. Relates to B2C's normal SSO cookie.

KeepAliveInDays - KMSI Cookie lifetime.

Please see this document for clearer information

https://learn.microsoft.com/en-us/azure/active-directory-b2c/relyingparty#userjourneybehaviors

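As an added example (not the answer's code and not Microsoft's sample policies), here are the two custom-policy fragments the answer describes: a Google technical profile joined to the B2C session with SM-SocialLogin, and the relying party's UserJourneyBehaviors with the SSO and KMSI cookie lifetimes. The Google endpoints are the public ones; the client id, the key container name B2C_1A_GoogleSecret, the policy and journey ids and the lifetime values are assumed placeholders.

```xml
<!-- (1) ClaimsProviders section of TrustFrameworkExtensions.xml: the federated IdP
     technical profile, joined to the B2C SSO session by its last element. -->
<ClaimsProvider>
  <Domain>google.com</Domain>
  <DisplayName>Google</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Google-OAuth2">
      <DisplayName>Google</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">google</Item>
        <Item Key="authorization_endpoint">https://accounts.google.com/o/oauth2/auth</Item>
        <Item Key="AccessTokenEndpoint">https://accounts.google.com/o/oauth2/token</Item>
        <Item Key="ClaimsEndpoint">https://www.googleapis.com/oauth2/v1/userinfo</Item>
        <Item Key="scope">email profile</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="client_id">YOUR_GOOGLE_CLIENT_ID</Item> <!-- placeholder -->
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_GoogleSecret" /> <!-- assumed key container -->
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="google.com" />
      </OutputClaims>
      <!-- The line from the answer: SM-SocialLogin persists this IdP step in the B2C SSO
           cookie, so a returning user inside the B2C session is not sent back to Google. -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- (2) Relying-party file: SessionExpiry* governs the B2C SSO cookie, KeepAliveInDays
     the KMSI cookie. Values are assumed; keep the SSO cookie longer than the IdP session. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
    <SessionExpiryType>Rolling</SessionExpiryType>
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <TechnicalProfile Id="PolicyProfile">
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

Whether a returning user is prompted again can be checked by signing in, closing the browser, and starting the SPA's redirect login: with the identityProvider claim in the token and the B2C SSO cookie still valid, the journey completes without a Google prompt.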
