1

I'm trying to achieve a scenario where having a no expiry refresh token in my react application so users don't need to keep re-login every 24 hrs. But in the current implementation with the MSAL js library, it is only allowing to use of the Authorization code flow and it is not allowing to have no expiry tokes as per this documentation[1][2].

Is there any way we can use Azure AD B2C with no expiry refresh token? using SPA app with MSAL or any other react OIDC library

Highly appreciate Microsoft azure b2c experts insights on this

Thanks

[1]https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas#security-implications-of-refresh-tokens-in-the-browser

[2]https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow#token-lifetime-behavior

DEELAKA
  • 39
  • 1
  • 7

2 Answers2

2

As the docs imply, the RT is 24hours fixed for SPA apps.

You can use Keep Me Signed In as a way to get long lived sessions.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow#enable-keep-me-signed-in-kmsi

Jas Suri - MSFT
  • 10,605
  • 2
  • 10
  • 20
1

As per the document SPAs will be issued tokens valid for only 24 hours. Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours and for the other apps we do not experience this limitation.

there is no other way to set the no expiry refresh token.

JayakrishnaGunnam-MT
  • 1,548
  • 1
  • 5
  • 9