Reputation: 2496
What is refresh token and can we control refreshing the ID and Access token in AADB2C?
My team is working on implementing or rather configuring B2C login for our client's mobile app. We got the configuration setup to a point where the user can login to the app once and the token gets cached in MSAL. And next time onwards, the user is able to directly login without entering his/her credentials. We are following the pattern as described here
Our code first tries to retrieve the token using AcquireTokenSilent and if the token is not present in the MSAL cache, then we retrieve it using AcquireTokenInteractive.
I was trying to understand how the ID and Access tokens are refreshed and found on MS docs here about tokens which says
Refresh tokens are used to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your application with long-term access to resources on behalf of users without requiring interaction with those users...
This also mentioned that when we redeem the refresh token to get new ID and Access tokens, we also get a new refresh token that replaces the previous refresh token.
Now I tried logging out and log back into my mobile app after 1 hour or more and I was still able to login. When I inspected the claims, the ID and Access token expiry was refreshed to next 1 hour of login.
My question here is:
- Since ID token and Access tokens have default expiry to 1 hr, then how is it that even though I was logged out for more than an hour, my token refreshed and I was able to login without entering user credentials.
- If this is because refresh token automatically refreshes the ID and Access tokens when they approach their expiry, then does this process go on till the refresh token expires itself.
- The MS docs also mentioned that when the ID and Access tokens are regenerated after their expiry, we also get a new refresh token. If this is the case then the refresh token would never expire since the new token will always have new expiry.
- Is there a way to control the refresh token so that we can control when to refresh the ID and Access tokens.
I am sorry if I missed anything but I am a little confused on how the refresh token works and is there a way to control when to refresh the tokens and when not.
Thanks in advance.
Upvotes: 1
Views: 1199
Answers (1)
Reputation: 42123
Yes, the refresh token is used to get the new id token and access token, even the id token and access token were expired, as long as the refresh token does not expire, it could use the refresh token to get new id token and access token, meanwhile, a new refresh token will be generated, if you want to configure the token lifetime, you could do that in the portal.
Reference - https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow
Upvotes: 0
Related Questions
- Refresh token revocation in Azure AD B2C
- Azure AD refresh token expire
- My refresh_token of Azure ADB2C in Blazor Server App is empty, while my id_token is provided
- Is Refresh Token relevant for OIDC IdentityServer Azure AD SSO Implementation?
- How to refresh access token in web application using Azure Active Directory
- Azure B2C Web app - how authenticate with refresh token beyond web app session lifetime
- In what situations will a refresh token be revoked/invalidated?
- Getting refresh token after password reset in Azure AD B2C
- Azure AD B2C OpenID Connect Refresh token
- Azure Active Directory B2C: how to refresh a token