I am following the details from the recent update to the policy starter pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
There appears to be a flaw (or so I think) in the process.
I have tried to detail the working and non-working flows.
Is the 5 minute skew really necessary, or am I missing something in my approach?
Thanks Nigel.
--- Working ---
- Request refresh token: refreshTokenIssuedOnDateTime = 13:10
- Revoke session: refreshTokensValidFromDateTime = 13:20
- Request new refresh token at 13:30: AssertRefreshTokenIssuedLaterThanValidFromDate correctly throws an error as refreshTokensValidFromDateTime (13:20) > refreshTokenIssuedOnDateTime (13:10) (with 5 minute skew)
--- Not working ---
- Request refresh token: refreshTokenIssuedOnDateTime = 13:10
- Revoke session: refreshTokensValidFromDateTime = 13:12
- Request new refresh token at 13:30: AssertRefreshTokenIssuedLaterThanValidFromDate does NOT throw an error as refreshTokensValidFromDateTime (13:12) == refreshTokenIssuedOnDateTime (13:10) (with 5 minute skew); refreshTokenIssuedOnDateTime = 13:10
- Request new refresh token at 15:00: AssertRefreshTokenIssuedLaterThanValidFromDate does NOT throw an error as refreshTokensValidFromDateTime (13:12) < refreshTokenIssuedOnDateTime (13:30) (with 5 minute skew); refreshTokenIssuedOnDateTime = 15:00
- Same as 4, as new refresh tokens are always later than refreshTokensValidFromDateTime
To sum up, it would appear that if I revoke the session within 5 minutes of the refresh token being issued, then I will fall into the non-working flow.
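
The two timelines above, replayed as an added example that is not part of the original post and is not the starter pack's code. It is a Python model of the comparison as the post describes it, under two assumptions: timestamps within the 5 minute skew are treated as equal and pass, and each accepted refresh issues a new token stamped with the refresh time. The function names are hypothetical.

```python
from datetime import datetime, timedelta

SKEW = timedelta(minutes=5)  # assumption: the 5 minute skew the post describes


def assertion_throws(issued_on, valid_from, skew=SKEW):
    """Model of the check as the post describes it: the refresh is rejected
    only when the token was issued before valid_from by more than the skew;
    timestamps within the skew are treated as equal and pass."""
    if abs(issued_on - valid_from) <= skew:
        return False  # treated as equal, no error
    return issued_on < valid_from


def replay(issued_on, revoked_at, refresh_times, skew=SKEW):
    """Replay a token chain. Each accepted refresh issues a new token stamped
    with the refresh time (assumed rotation); a rejection ends the chain."""
    results = []
    for now in refresh_times:
        rejected = assertion_throws(issued_on, revoked_at, skew)
        results.append((now.strftime("%H:%M"), "rejected" if rejected else "accepted"))
        if rejected:
            break
        issued_on = now  # the new token carries a later issue time
    return results


def t(hhmm):
    # Constructed sample date; only the time of day matters here.
    return datetime.strptime("2020-01-01 " + hhmm, "%Y-%m-%d %H:%M")


if __name__ == "__main__":
    # Timelines taken from the post.
    print("working:    ", replay(t("13:10"), t("13:20"), [t("13:30")]))
    print("not working:", replay(t("13:10"), t("13:12"), [t("13:30"), t("15:00")]))
    # The "not working" timeline again with the skew set to zero.
    print("zero skew:  ", replay(t("13:10"), t("13:12"), [t("13:30")], timedelta(0)))
```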