
We are using B2C for our SPA and wanted to know if we can set up a sliding expiration for the 24 hr refresh token lifetime. Currently, if a user is logged in and still active, the user will get logged out after 24 hrs. Is there a way to extend the token lifetime, or else make it sliding, so that users don't lose their unsaved work?

As per the reference below, an SPA always has 24 hrs only.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-lifetime-behavior

Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation. Learn more about the security implications of refresh tokens in the browser.

Sharat
  • Thanks @Sharat. Could you please share the scenarios for extending the refresh token for SPA. Please follow the document mentioned with the security reason for 24 hours - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview and https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow/ – Jit_MSFT Mar 23 '21 at 08:03
  • @Jit_MSFT we have a large file transfer SaaS where transfers can extend over several days. Plus, requiring customers to re-login every 24 hours is obnoxious. I can't even think of a Microsoft product that has this annoying limitation. There HAS to be a way to allow an ADB2C refresh token obtained via SPA to persist beyond 24 hours? – alfreema Mar 30 '23 at 15:15
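Since the quoted documentation describes the 24-hour SPA refresh token lifetime as fixed rather than sliding, the practical defence for unsaved work is for the SPA to track the absolute deadline itself and prompt the user before it arrives. The following is an added example, not code from the question, the commenters or Microsoft; it assumes the limit is measured from the initial interactive sign-in, that the app reads that instant from the id token's `auth_time` (or `iat`) claim, and that the decoder's unverified output is used only for UI planning, never for authorization.

```javascript
const REFRESH_TOKEN_LIFETIME_MS = 24 * 60 * 60 * 1000; // fixed for SPAs using auth code + PKCE
const WARN_BEFORE_MS = 15 * 60 * 1000;                  // ask users to save work 15 minutes early

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function b64urlEncode(s) {
  return Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a compact JWT payload WITHOUT verifying it (display/planning use only).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Absolute instant (ms since epoch) after which silent renewal can no longer succeed.
// Silent access-token renewals before this point do not move it: the cap does not slide.
function sessionDeadlineMs(idToken) {
  const claims = decodeJwtPayload(idToken);
  const signedInAt = claims.auth_time ?? claims.iat;
  if (typeof signedInAt !== 'number') throw new Error('id token lacks auth_time/iat');
  return signedInAt * 1000 + REFRESH_TOKEN_LIFETIME_MS;
}

// What the UI should do right now: carry on, prompt the user to save, or send them to
// an interactive sign-in (after persisting unsaved work locally).
function sessionAction(idToken, nowMs) {
  const remaining = sessionDeadlineMs(idToken) - nowMs;
  if (remaining <= 0) return { action: 'reauthenticate', remainingMs: 0 };
  if (remaining <= WARN_BEFORE_MS) return { action: 'warn-save', remainingMs: remaining };
  return { action: 'ok', remainingMs: remaining };
}

// Constructed sample id token: unsigned ("alg":"none") only because nothing here verifies it.
function makeSampleIdToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.`;
}

const SAMPLE_AUTH_TIME = 1700000000; // constructed sign-in instant, seconds since epoch
const SAMPLE_ID_TOKEN = makeSampleIdToken({ sub: 'user-1', auth_time: SAMPLE_AUTH_TIME, iat: SAMPLE_AUTH_TIME });

// Example run: one hour after sign-in the session is fine; at 23h50m the app should prompt a save.
console.log(sessionAction(SAMPLE_ID_TOKEN, SAMPLE_AUTH_TIME * 1000 + 3600 * 1000).action);
console.log(sessionAction(SAMPLE_ID_TOKEN, SAMPLE_AUTH_TIME * 1000 + (24 * 60 - 10) * 60 * 1000).action);
```

In a real SPA the check would run on a timer and on each silent token renewal, so the prompt fires even while the user is active.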

0 Answers