In the doc https://learn.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes, it says:

Confidential clients are applications that can securely store a client password (secret). They can prove that requests are coming from the secured client application and not from a malicious actor. For example, a web app is a confidential client because it can store a client secret on the web server. It is not exposed. Because these flows are more secure, the default lifetimes of refresh tokens issued to these flows is until-revoked, cannot be changed by using policy, and will not be revoked on voluntary password resets.

Now for my webAPI app, I should make sure the refresh token never expires.

My questions:

1. Does the refresh token for confidential clients never expire until revoked?

2. When I use the old refresh token to get a new access token, the server returns a new refresh token which is different from the old refresh token. Should I use the new refresh token to replace the old refresh token? Or will both the old and new refresh tokens never expire until revoked?


One critical piece of text in that documentation:

will not be revoked on voluntary password resets

So it means for confidential clients, refresh tokens are not revoked if the user changes their password. However, I do not believe this applies to a reset done by an admin.

Whenever you use refresh tokens, you must be prepared for the case when the token does not work.

If your app has critical features depending on that access and cannot handle downtime for access to the data, you need to use application permissions.

There is this bit for the second question:

Refresh Token Max Inactive Time (issued for confidential clients) 90 days

So a refresh token which is not used for 90 days will no longer work. I would replace the current refresh token with the new one always, and make sure to refresh the refresh tokens periodically if it is possible they don't get used.

  • Yes, now I just use the new refresh token to replace the old refresh token always and periodically use the refresh token. Refresh Token Max Inactive Time (issued for confidential clients). If we use one refresh token, and make sure it will be used during 90 days, should we use this refresh token all the time? – Jason Liu Jul 31 '18 at 10:47
  • That's one thing I am not 100% sure about (and I think the docs are a bit unclear). I have not tested that scenario where you do use the refresh token. To be sure, I'd just make sure to get a new refresh token within that time. – juunas Jul 31 '18 at 10:49
  • Thanks for your reply. From doc it looks like that. I use azure ad webAPP to get users/groups from customer. Yes we'd better use new refresh token to replace old refresh token. – Jason Liu Jul 31 '18 at 10:54
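The rotation pattern the answer and comments settle on (always keep the newly issued refresh token, redeem it again before it sits idle for 90 days, and treat a rejected token as "user must sign in again"), as an added example that is not part of the original post or of any Microsoft library. The token endpoint URL, the 30-day proactive window and the placeholder client values are assumptions; the 90-day figure is the doc's "Refresh Token Max Inactive Time".

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholder values; substitute your own tenant and app registration.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/<tenant-id>/oauth2/token"
MAX_INACTIVE_SECONDS = 90 * 24 * 3600       # "Refresh Token Max Inactive Time" from the doc
PROACTIVE_REFRESH_SECONDS = 30 * 24 * 3600  # assumption: re-redeem well before day 90


class RefreshTokenInvalid(Exception):
    """The refresh token was rejected or has gone stale; the user must sign in again."""


def post_form(url, fields):
    """Form-encoded POST with the standard library (a test can swap in a fake)."""
    data = urllib.parse.urlencode(fields).encode()
    try:
        with urllib.request.urlopen(url, data=data) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:  # AAD answers 400 with a JSON error body
        return json.loads(e.read())


class RefreshTokenStore:
    """One refresh token per user, rotated on every redemption."""

    def __init__(self, client_id, client_secret, resource, refresh_token, last_used, http=post_form):
        self.client_id, self.client_secret, self.resource = client_id, client_secret, resource
        self.refresh_token, self.last_used, self.http = refresh_token, last_used, http

    def redeem(self, now):
        """Trade the stored refresh token for an access token; keep the newly issued refresh token."""
        if now - self.last_used >= MAX_INACTIVE_SECONDS:
            raise RefreshTokenInvalid("unused for 90+ days; AAD will reject it")
        body = self.http(TOKEN_ENDPOINT, {
            "grant_type": "refresh_token", "client_id": self.client_id, "resource": self.resource,
            "client_secret": self.client_secret, "refresh_token": self.refresh_token})
        if "access_token" not in body:
            raise RefreshTokenInvalid(body.get("error_description", body.get("error", "unknown")))
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # rotate: old one is dropped
        self.last_used = now
        return body["access_token"]

    def keep_alive(self, now):
        """Periodic job: redeem early when the token has sat idle; returns True if it did."""
        if now - self.last_used < PROACTIVE_REFRESH_SECONDS:
            return False
        self.redeem(now)
        return True
```

Call `keep_alive(time.time())` from a scheduled job so a user who has not signed in for weeks still has a live token; on `RefreshTokenInvalid`, fall back to an interactive sign-in or, where the app really cannot tolerate that, application permissions as the answer suggests.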