
I'm using AAD to lock down my Azure web app and API. I am calling /.auth/me to retrieve the authenticated user's tokens, and then using the id_token to authenticate the user to the API. The id_token expires in 1 hour, which should be fine as you can call /.auth/refresh to get new tokens. The issue is that "refresh" only seems to refresh access_token and refresh_token, not id_token. The only way I can get a new id_token is if I open a fresh incognito window and re-authenticate.

Any ideas on this? id_token is acceptable to lock down an API, no? access_token doesn't have claims on it, so I'm interested in using id_token.

Matt M

1 Answer

Yes, we cannot use refresh_token to renew an id_token. If you want to refresh an id_token, we can just re-authenticate for the id_token.

And in my opinion, if the id_token is just being used for passing user identity in a standardized structure (JWT), then the backend will treat it as a plain JWT and ignore the expiry. It will assume the caller is authenticated.

Hury Shen
  • Thanks for the feedback. I don't want to create an ever-living token, as I'm using it for security. It sounds to me like I need to pass the access_token and the id_token; access_token for expiry purposes and id_token for claims. Is that correct? – Matt M Mar 30 '20 at 12:09
  • Talked to MSFT's product group, and the "easy auth" configured on the Azure web app is legacy and does not support the latest standards. As such, it will not work as I need it to. I need to implement my own authentication, such as using MSAL for Angular. – Matt M Mar 31 '20 at 18:54
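An added example, not code from the question, the answer or Microsoft's Easy Auth, illustrating the two sides of the discussion above: the backend should enforce the id_token's expiry (along with its signature, issuer and audience) rather than ignore it, and because /.auth/refresh does not renew the id_token, the client has to read the id_token's own exp claim to know when re-authentication is due. The signing key, issuer and audience are constructed placeholders, and the tokens are HS256-signed so the example runs offline; real AAD id_tokens are RS256 and are verified against the tenant's published JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a demo HMAC key stands in for the provider's signing key; the
# issuer and audience are placeholders for the tenant and the API's app registration.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
EXPECTED_AUDIENCE = "<api-app-client-id>"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """HS256-sign a JWT so the example runs offline (real AAD id_tokens are RS256 via JWKS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, now: float = None, key: bytes = DEMO_KEY) -> dict:
    """Backend check: alg, signature, issuer, audience AND expiry must all pass."""
    now = time.time() if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a surprise alg
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):  # the expiry is enforced, not ignored
        raise ValueError("id_token expired")
    return claims

def id_token_needs_reauth(auth_me_entry: dict, now: float = None, skew: int = 300) -> bool:
    """Client side: /.auth/refresh renews access/refresh tokens only, so read the
    id_token's own exp (unverified read; the client is not the trust boundary)."""
    now = time.time() if now is None else now
    payload = json.loads(_b64url_decode(auth_me_entry["id_token"].split(".")[1]))
    return now + skew >= payload.get("exp", 0)
```

`id_token_needs_reauth` takes one entry of the JSON array that /.auth/me returns and reports whether the id_token is within `skew` seconds of expiring, which is the signal to send the user back through sign-in rather than /.auth/refresh.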