0

I've been building Azure Active Directory apps for years to use Oauth2 authentication, and to be able to access my users emails or agenda.

From what I remember from apps I was developing about 1 year ago, the refresh_token returned in the Oauth2 process was expiring after about 2 months.

Now they seem not to expire anymore, which seems to be confirmed by documentation (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#token-lifetimes-with-confidential-client-refresh-tokens).

As Microsoft documentation can be contradictory and things have been moving fast lately on Azure API integrations, does anyone know if they expire, or if there is a way to get this info from a refresh_token?

Nico
  • 1,580
  • 14
  • 21
  • The refresh token can do expire. But it can refresh the access token and a new refresh token when use the old refresh token. – Wayne Yang Dec 14 '18 at 05:15
  • @WayneYang-MSFT not sure to understand: do you mean I can get a new refresh_token each time I use the existing refresh_token to get a new access_token? That would mean if I do this on a regular basis, I can have valid refresh_tokens as long as the user does not revoke my app? – Nico Dec 14 '18 at 08:45
  • Hi, @Nico , Yes, you're right. You can get a new fresh token each time. But you can also to configure the token lifetime of the refresh token or revoke the refresh token if it's necessary. – Wayne Yang Dec 14 '18 at 09:20
  • @WayneYang-MSFT great, thanks. How can I configure the lifetime of the refresh token? – Nico Dec 14 '18 at 09:56
  • Hi @Nico, please see it here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes – Wayne Yang Dec 17 '18 at 05:02

0 Answers0