
I am using the endpoint /oauth2/token to request (via an HTTP POST) an authentication bearer token from Azure Active Directory. Everything is set up fine within AAD to register the web client which retrieves this token using this flow. A client_id and client_secret (shared symmetric key) are used and I successfully get the JSON response containing the JWT bearer token for auth.

What I am trying to understand is how we can configure the expiry of the token beyond the 1-hour expiry which seems to be on the token I acquire via this POST request. The shared key which I generated in the Azure AD classic portal has a 2-year expiry. However, the token returned has a 1-hour expiry.

Based on this, I am assuming that the way this flow works (at least as far as AAD is concerned) is that our web client needs to schedule itself to re-post a request for a new auth token within the 1-hour timeframe to ensure the freshness of the auth token used for authenticated REST calls made by the web client. I guess it could also trap an exception if the previously issued token fails and then make a new request (that's just implementation details...).

Is this the normal way of keeping an auth token refreshed for this flow? I know that with most of the other flows, a refresh token is generated and the OAuth "dance" can be done to keep the auth token valid. ADAL abstracts all those details nicely but in this case I am using the client credential flow and using an HTTP POST request to the oauth2/token endpoint and within this flow (in accordance with the OAuth2 RFC) no refresh token is provided.

I had assumed that maybe it was possible to configure a longer expiry on the OAuth token, maybe even an indefinite token for this server-to-server confidential client scenario. Is this possible within the Azure AD settings?

The document linked at Azure AD token lifetime config suggests that the lifetimes are configurable.

retail3r

1 Answer


An easy way to get a new token before the last one expires is to just keep track of when it will expire. So then whenever you fetch a token for an HTTP call:

  1. If we don't have a token, get one
  2. If the expiry time is getting close, get a new one
  3. No matter what, return either the cached token or the new token

And lifetimes can indeed be configured per service principal, application or organization per the document you linked. So you should be able to extend your access token lifetimes to 1 day if you wish.

I have confirmed you can indeed extend the access token expiry time on the Free tier of Azure AD as well. The disclaimer on the documentation page does say that some features may require Premium in the future. And doesn't really say what :/

You need the Azure AD v2 PowerShell cmdlets to do this. A couple of commands are enough:

Connect-AzureAD
# Create new policy in Azure AD: a TokenLifetimePolicy with a 3-hour access token lifetime
New-AzureADPolicy -Definition @("{`"TokenLifetimePolicy`":{`"Version`":1,`"AccessTokenLifetime`":`"03:00:00`"}}") -DisplayName ThreeHourTokenPolicy -IsOrganizationDefault $false -Type TokenLifetimePolicy
# Apply on Graph API's service principal in my directory
# -ObjectId is the service principal's object id; -RefObjectId is the policy's object id returned by New-AzureADPolicy
Add-AzureADServicePrincipalPolicy -ObjectId ad17cfce-f2fd-4b3e-91f5-aa0a82e94012 -RefObjectId 640f76ea-6ef6-40c8-8ed5-178a76e7e762

You do have to find out what the service principal's object id is for e.g. the Graph API to set it just for tokens from there. Alternatively you can just set -IsOrganizationDefault $true in the second call and leave out the third entirely, making the policy apply to all service principals and applications unless they have a more specific one.

There are no indefinite access tokens in Azure AD, though you can set refresh token lifetime to until-revoked.

juunas
  • On a second reading of that document (now over 1 year old) which I linked it seems like that feature of configuring token access lifetimes is in the AAD public preview and could be liable to be restricted to AAD Premium when it goes beyond preview stage. Thanks for clarifying that there are no indefinite tokens. Any idea if this feature has now become part of the free AAD tier? – retail3r Feb 03 '17 at 15:55
  • It is available on Free tier, but I can't say if it will stay that way. Updated answer with examples. – juunas Feb 03 '17 at 17:02
  • Juunas - Many thanks for providing the examples - with Powershell cmdlets etc – retail3r Feb 04 '17 at 19:24
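The three-step caching logic from the answer, as an added Python example that is not from the original post or from Azure's own libraries. The HTTP POST to /oauth2/token is replaced by an injected `fetch_token` callable and a constructed sample of the client-credentials response (which carries `expires_in` but no `refresh_token`), so it runs offline; the 5-minute refresh margin and the fake clock are assumptions for the demo.

```python
import time

# Constructed sample of the JSON body AAD returns for the client-credentials grant.
# Note there is no refresh_token in this flow; only expires_in tells us when to re-request.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": "3600",          # AAD v1 endpoint returns this as a string of seconds
    "access_token": "eyJ.constructed.sample",
}

class ClientCredentialTokenCache:
    """Keep one access token and re-request it ahead of its expiry (answer steps 1-3)."""

    def __init__(self, fetch_token, refresh_margin_seconds=300, now=time.time):
        self._fetch = fetch_token            # performs the POST to /oauth2/token
        self._margin = refresh_margin_seconds
        self._now = now                      # injectable clock for testing
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get_token(self) -> str:
        now = self._now()
        # Step 1: no token yet / Step 2: expiry is getting close -> request a new one
        if self._token is None or now >= self._expires_at - self._margin:
            body = self._fetch()
            if body.get("token_type", "").lower() != "bearer" or "access_token" not in body:
                raise ValueError("unexpected token response")
            self._token = body["access_token"]
            self._expires_at = now + int(body["expires_in"])
            self.fetch_count += 1
        # Step 3: always hand back either the cached or the freshly acquired token
        return self._token

def demo() -> dict:
    """Drive the cache with a fake clock: fetch at start, none while fresh, refetch near expiry."""
    clock = {"t": 1000.0}
    counter = {"n": 0}

    def fake_fetch():                        # stand-in for the client_id/client_secret POST
        counter["n"] += 1
        return dict(SAMPLE_TOKEN_RESPONSE, access_token=f"token-{counter['n']}")

    cache = ClientCredentialTokenCache(fake_fetch, 300, now=lambda: clock["t"])
    first = cache.get_token()                # fetch #1, expires at t=4600
    clock["t"] += 3000                       # 50 min later: still outside the 5 min margin
    still_cached = cache.get_token()         # no fetch
    clock["t"] += 400                        # now within 5 min of expiry
    renewed = cache.get_token()              # fetch #2
    return {"first": first, "still_cached": still_cached,
            "renewed": renewed, "fetches": cache.fetch_count}
```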