What is the access_token lifetime for a B2C custom policy used by a SPA application?

By -

While trying to find a way to maximize the time before a user has to do a reauthentication (especially in cases when the user does a social login, e.g. sign in with microsoft).

I have stumbled upon this microsoft documentation which states token lifetimes.

Microsoft docs - token lifetimes

As well as these MSAL docs (which is the library that I use on my web application)

MSAL docs - token lifetimes

Both of these sources state limitations I have found to be not true:

Microsoft docs

token_lifetime_secs - Access token lifetimes (seconds). The default is 3,600 (1 hour). The minimum is 300 (5 minutes). The maximum is 86,400 (24 hours).

I have found that while uploading the B2C policy there is a validation which states the following.

The access token lifetime should be between 5 minutes and 10080 minutes B2C validation regarding access_token lifetime in the JwtIssuer TP

Setting this up, issuing a B2C token as a part of a SPA login flow I was able to decode an access_token which has a lifetime of 7 days until moment of issue

Decoded access token claims showing that expiry date is 7 days from moment of issue

This conflicts with the Microsoft docs that the access_token lifetime is limited to 24 hours.

Does anyone have experience with this, what is the real lifetime of the access token?

If I store this access_token in local storage will the user have a persisted session for the next 7 days? Because as I understand from the MSAL docs, as long as the access_token is not expired, a refresh_token will not be used (this refresh_token has a lifetime of 24h non-extendable, and independent on how many refreshes were done previously) and thus the user will maintain access to the app of 7 days without the need to reauthenticate.

How does the B2C custom policy session lifetime come into play here?

What is the relationship of the custom policy session lifetime to the access token and MSAL?



Comments

Post a Comment

Popular posts from this blog

Today Walkin 14th-Sept

By -
Image
14th Sept 2017 ( GO Through all List) Read Walkin details properly , Try to call company before attending if possible !!! ==================================== 1. Myntra through fresherworld (Call Based , Venue shared to shortlisted candidates) _____________________________ 2. Magna : Hiring for Client Harman : C++
Read more

Spring Elasticsearch Operations

By -
Elasticsearch Operations Spring Data Elasticsearch uses two interfaces to define the operations that can be called against an Elasticsearch index. These are ElasticsearchOperations and ReactiveElasticsearchOperations. Whereas the first is used with the classic synchronous implementations, the second one uses reactive infrastructure. The default implementations of the interfaces offer: Read/Write mapping support for domain types. A rich query and criteria api. Resource management and Exception translation. ElasticsearchTemplate The ElasticsearchTemplate is an implementation of the ElasticsearchOperations interface using the Transport Client. @Configuration public class TransportClientConfig extends ElasticsearchConfigurationSupport {   @Bean   public Client elasticsearchClient() throws UnknownHostException {                      Settings settings = Settings.builder().put("cluster.name", "elasticsearch")....
Read more

Hibernate Search - Elasticsearch with JSON manipulation

By -
Elasticsearch with JSON manipulation Elasticsearch ships with many features. It is possible that at some point, one feature you need will not be exposed by the Search DSL. To work around such limitations, Hibernate Search provides ways to: Transform the HTTP request sent to Elasticsearch for search queries. Read the raw JSON of the HTTP response received from Elasticsearch for search queries. Direct changes to the HTTP request may conflict with Hibernate Search features and be supported differently by different versions of Elasticsearch. Similarly, the content of the HTTP response may change depending on the version of Elasticsearch, depending on which Hibernate Search features are used, and even depending on how Hibernate Search features are implemented. Thus, features relying on direct access to HTTP requests or responses cannot be guaranteed to continue to work when upgrading Hibernate Search, even for micro upgrades (x.y.z to x.y.(z+1)). Use this at your own risk....
Read more