
I have a custom policy in Azure AD B2C and am trying to implement a session timeout. If a user first logs in, then the timeout expires, then they attempt to log in again, they should be prompted for their user name and password again.

First I followed the instructions here to set token_lifetime_secs and id_token_lifetime_secs to 20 minutes (1200 seconds) in the TechnicalProfile for JwtIssuer in my TrustFrameworkBase.xml: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens-custom-policy

Then I uploaded my updated TrustFrameworkBase.xml.

Then I logged in from my app using my custom policy and waited 20 minutes. I tried to log in again, and was immediately authenticated and directed back to my app. I was not prompted for my user name and password again as I was expecting.

There are two previous questions on stackexchange that seem to be the same as this, but they share the same solution which no longer works (it was retired in May 2020), so I am looking for a new solution:

user12861

1 Answer


It is because you adjusted the token lifetime and not session lifetime. https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior-custom-policy

Instead, change the session lifetime as follows:

<UserJourneyBehaviors>
   <SingleSignOn Scope="Application" />
   <SessionExpiryType>Absolute</SessionExpiryType>
   <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>

It is the cookie that is giving you SSO the next time you hit the B2C page, not the tokens.

Jas Suri - MSFT
  • I've added this XML to both my login and password reset custom policies but they don't seem to work. Each time I return to a B2C page after signing in, I'm prompted for an email/password. [This page](https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-change-policy?pivots=b2c-custom-policy) mentions that the username/password can be skipped with a valid session but I haven't been able to make it do so. Is there a setting/configuration in addition to the `UserJourneyBehaviors` element that needs to be changed? – user2864874 Nov 17 '21 at 17:40
  • It’s default behaviour. Make sure you aren’t passing the parameter prompt=login to AAD B2C. – Jas Suri - MSFT Nov 18 '21 at 16:11
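An added configuration check, not part of the question, the answer, or any Microsoft tooling: it parses a constructed, trimmed B2C policy and reports when the SSO session settings under UserJourneyBehaviors, rather than the JwtIssuer token lifetimes, are what let a returning user through without a prompt. The namespace is the real TrustFrameworkPolicy one; the policy text, the element layout and the 1200-second values are constructed assumptions modelled on the question.

```python
import xml.etree.ElementTree as ET

# Real namespace of B2C TrustFrameworkPolicy files; everything else below is a
# constructed, trimmed policy, not the asker's actual TrustFrameworkBase.xml.
NS = {"tf": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

POLICY_TEMPLATE = """<TrustFrameworkPolicy xmlns="{ns}">
  <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
    <TechnicalProfile Id="JwtIssuer"><Metadata>
      <Item Key="token_lifetime_secs">1200</Item>
      <Item Key="id_token_lifetime_secs">1200</Item>
    </Metadata></TechnicalProfile>
  </TechnicalProfiles></ClaimsProvider></ClaimsProviders>
  <RelyingParty>{behaviors}</RelyingParty>
</TrustFrameworkPolicy>"""

# What the question effectively had: tokens shortened, session left at defaults.
WEAK = '<UserJourneyBehaviors><SingleSignOn Scope="Application" /></UserJourneyBehaviors>'
# The answer's shape, with the expiry lowered to match the 20-minute tokens.
FIXED = """<UserJourneyBehaviors>
  <SingleSignOn Scope="Application" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
</UserJourneyBehaviors>"""


def build_policy(behaviors):
    return POLICY_TEMPLATE.format(ns=NS["tf"], behaviors=behaviors)


def audit_session(policy_xml):
    """List the reasons a B2C SSO cookie would outlive the issued tokens."""
    root = ET.fromstring(policy_xml)
    issuer = root.find(".//tf:TechnicalProfile[@Id='JwtIssuer']", NS)
    if issuer is None:
        return ["no JwtIssuer technical profile found"]
    token_secs = min(int(i.text) for i in issuer.findall("tf:Metadata/tf:Item", NS)
                     if i.get("Key") in ("token_lifetime_secs", "id_token_lifetime_secs"))
    behaviors = root.find("tf:RelyingParty/tf:UserJourneyBehaviors", NS)
    if behaviors is None:
        return ["no UserJourneyBehaviors: B2C default session lifetime applies"]
    findings = []
    expiry = behaviors.find("tf:SessionExpiryInSeconds", NS)
    if expiry is None:
        findings.append("SessionExpiryInSeconds unset: the SSO cookie, not the "
                        "%ds tokens, decides whether the user is re-prompted" % token_secs)
    elif int(expiry.text) > token_secs:
        findings.append("session %ss outlives tokens %ds: B2C re-issues tokens "
                        "silently until the cookie expires" % (expiry.text, token_secs))
    kind = behaviors.find("tf:SessionExpiryType", NS)
    if kind is None or kind.text != "Absolute":
        findings.append("SessionExpiryType not Absolute: each sign-in extends the session")
    return findings
```

Run against the answer's own fragment with 86400 seconds, the check reports only that the session outlives the 1200-second tokens, which is the value the asker needs to lower; the check is configuration-only and says nothing about a prompt=login parameter sent at request time.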