2022-06-17

What is the access_token lifetime for a B2C custom policy used by a SPA application?

While trying to find a way to maximize the time before a user has to reauthenticate (especially in cases when the user does a social login, e.g. sign in with Microsoft),

I have stumbled upon this Microsoft documentation, which states token lifetimes.

Microsoft docs - token lifetimes

As well as these MSAL docs (MSAL is the library that I use in my web application).

MSAL docs - token lifetimes


Both of these sources state limitations I have found not to be true:

Microsoft docs

token_lifetime_secs - Access token lifetimes (seconds). The default is 3,600 (1 hour). The minimum is 300 (5 minutes). The maximum is 86,400 (24 hours).

I have found that, while uploading the B2C policy, there is a validation which states the following:

The access token lifetime should be between 5 minutes and 10080 minutes

(image: B2C validation regarding access_token lifetime in the JwtIssuer TP)

Setting this up and issuing a B2C token as part of a SPA login flow, I was able to decode an access_token which has a lifetime of 7 days from the moment of issue.

(image: Decoded access token claims showing that the expiry date is 7 days from the moment of issue)

This conflicts with the Microsoft docs, which state that the access_token lifetime is limited to 24 hours.


Does anyone have experience with this? What is the real lifetime of the access token?

If I store this access_token in local storage, will the user have a persisted session for the next 7 days? Because, as I understand from the MSAL docs, as long as the access_token is not expired a refresh_token will not be used (this refresh_token has a lifetime of 24h, non-extendable and independent of how many refreshes were done previously), and thus the user will maintain access to the app for 7 days without the need to reauthenticate.

How does the B2C custom policy session lifetime come into play here?

What is the relationship of the custom policy session lifetime to the access token and MSAL?
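One way to check what the question describes, as an added example that is not part of the original post and is not MSAL or Microsoft code: decode the access token's payload, measure its lifetime from the iat and exp claims, and compare it against the two limits quoted above (the 24-hour figure from the docs and the 10080-minute figure from the policy upload validation). The token below is constructed for the example (issuer, audience, key id and the signature segment are placeholders); the helper does no signature verification and is an inspection aid for a developer or defender, not an authorization check.

```javascript
// Added example (not from the question, MSAL or Microsoft): measure a B2C
// access token's lifetime from its iat/exp claims and compare it with the
// limits the question quotes. No signature verification is performed.

// Decode one base64url JWT segment (no padding, '-' and '_' alphabet).
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Return the payload claims of a compact JWT; throws on a malformed token.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) {
    throw new Error('token has no numeric iat/exp claims');
  }
  return claims;
}

// Lifetime in minutes, from iat to exp.
function tokenLifetimeMinutes(claims) {
  return (claims.exp - claims.iat) / 60;
}

// Limits quoted in the question.
const DOCS_MAX_MINUTES = 86400 / 60;   // Microsoft docs: 24 hours
const UPLOAD_MAX_MINUTES = 10080;      // policy upload validation: 7 days

// Compare the token's lifetime against both limits. 'now' (seconds since
// epoch) is a parameter so the expiry arithmetic can be checked deterministically.
function assessLifetime(jwt, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  const minutes = tokenLifetimeMinutes(claims);
  return {
    minutes,
    withinDocumentedMax: minutes <= DOCS_MAX_MINUTES,
    withinUploadValidation: minutes >= 5 && minutes <= UPLOAD_MAX_MINUTES,
    // MSAL reuses a cached access token until exp, so this is how long a
    // cached token keeps working without a refresh or a new sign-in.
    secondsUntilExpiry: Math.max(0, claims.exp - now),
  };
}

// Build a CONSTRUCTED sample token: header and payload are real JSON, the
// signature segment is a placeholder that would never verify. Only iat and
// exp matter for this example; the other claim values are made up.
function buildSampleToken(iat, lifetimeSeconds) {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'example-kid' };
  const payload = {
    iss: 'https://example.b2clogin.com/example-tenant/v2.0/',
    aud: 'example-client-id',
    sub: 'example-subject',
    iat,
    nbf: iat,
    exp: iat + lifetimeSeconds,
  };
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(payload)),
    'placeholder-signature',
  ].join('.');
}

const ISSUED_AT = 1655424000; // constructed: 2022-06-17T00:00:00Z
const SEVEN_DAY_TOKEN = buildSampleToken(ISSUED_AT, 7 * 24 * 3600); // the case in the question
const ONE_HOUR_TOKEN = buildSampleToken(ISSUED_AT, 3600);           // the documented default

// Evaluate both tokens one hour after issue.
console.log(assessLifetime(SEVEN_DAY_TOKEN, ISSUED_AT + 3600));
console.log(assessLifetime(ONE_HOUR_TOKEN, ISSUED_AT + 3600));
```

Run with Node; the seven-day token reports 10080 minutes, passes the upload validation range and fails the documented 24-hour maximum, which is exactly the discrepancy the question describes. In a real SPA the same inspection can be run on the token MSAL returns, but the exp claim only tells you how long the cached token will be reused; whether the user can silently obtain a new one afterwards depends on the refresh token and the B2C session configuration, which this check does not see.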


