We're developing an application that uses the Microsoft Identity Platform with the OAuth 2.0 authorization code flow to authorize our customers. We are storing both the access and refresh tokens to make requests later. As stated in the Refresh the access token article, after the access token is refreshed, a new refresh token is received with a 90-day lifetime:
A new OAuth 2.0 refresh token. You should replace the old refresh token with this newly acquired refresh token to ensure your refresh tokens remain valid for as long as possible. Note: Only provided if offline_access scope was requested.
We also have a background service that makes a request each day to refresh all the access tokens, so in theory there shouldn't be a situation where the customer needs to log in again.
However, the following errors appear from time to time during the refresh process in our service:
AADSTS700082: The refresh token has expired due to inactivity.
The token was issued on {Date} and was inactive for 90.00:00:00.
AADSTS700082: The refresh token has expired due to inactivity.
The token was issued on {Date} and was inactive for 12:00:00.
I was able to find some information about the first error, but the second one looks weird. As you can see, the error states that the refresh token lifetime is 12 hours. The Token lifetime policies for refresh tokens and session tokens article states that:
As of January 30, 2021 you can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the default configuration. You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement. Existing token’s lifetime will not be changed. After they expire, a new token will be issued based on the default value. If you need to continue to define the time period before a user is asked to sign in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, read Configure authentication session management with Conditional Access.
So, in theory you cannot configure the lifetime of the refresh token, and it is always exactly 90 days.
We are aware that the refresh token could become invalid in situations where an admin revokes the token, a user changes their password, etc. However, in those scenarios we should see some other error code, not AADSTS700082.
Is it possible that this issue is caused by some special configuration our customers have done in Azure AD (e.g. something that somehow limits how many times the refresh token can be "refreshed")?
Thanks.
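The refresh loop described in the question, written out as an added example (it is not code from the original post or from Microsoft): each successful refresh rotates the stored refresh token, and an `invalid_grant` response flags the customer for an interactive login, with the inactivity window quoted by AADSTS700082 parsed out of `error_description` so the 90-day and 12-hour cases can be told apart in logs. The JSON field names follow the documented token endpoint response; the token values, dates, trace IDs, the `fake_token_endpoint` stand-in and the customer names are constructed for this example.

```python
import json
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import Callable, Dict, Optional, Tuple

# Constructed sample bodies in the shape of Microsoft identity platform token
# endpoint responses. The field names are the documented ones; the token
# values, dates and trace IDs are made up for this example.
SUCCESS_BODY = json.dumps({
    "token_type": "Bearer",
    "scope": "User.Read offline_access",
    "expires_in": 3599,
    "access_token": "eyJ0eXAi.example.access",
    "refresh_token": "0.AAAA.example.rotated.refresh",
})


def _inactive_body(timespan: str) -> str:
    """Constructed AADSTS700082 error body with the given inactivity window."""
    return json.dumps({
        "error": "invalid_grant",
        "error_description": (
            "AADSTS700082: The refresh token has expired due to inactivity. "
            "The token was issued on 2023-01-01T00:00:00.0000000Z "
            f"and was inactive for {timespan}. "
            "Trace ID: 00000000-0000-0000-0000-000000000000"
        ),
        "error_codes": [700082],
    })


INACTIVE_90D_BODY = _inactive_body("90.00:00:00")
INACTIVE_12H_BODY = _inactive_body("12:00:00")


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    expires_in: int = 0
    needs_interactive_login: bool = False
    last_error: Optional[str] = None


# The AADSTS700082 text prints the window as a .NET TimeSpan: "d.hh:mm:ss"
# when days are present (90.00:00:00), otherwise "hh:mm:ss" (12:00:00).
_INACTIVE_RE = re.compile(r"inactive for (?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})")


def parse_inactivity(error_description: str) -> Optional[timedelta]:
    """Extract the inactivity window quoted in an AADSTS700082 description."""
    m = _INACTIVE_RE.search(error_description)
    if m is None:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def apply_refresh_response(old: TokenRecord, status: int, body: str) -> TokenRecord:
    """Fold one token-endpoint response into the stored record.

    On success the newly issued refresh token replaces the old one (rotation);
    if no refresh_token is returned (offline_access not granted) the old one
    is kept. Any error response flags the customer for an interactive login,
    recording the inactivity window when the error is AADSTS700082.
    """
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return TokenRecord(
            access_token=data["access_token"],
            refresh_token=data.get("refresh_token", old.refresh_token),
            expires_in=int(data.get("expires_in", 0)),
        )
    codes = data.get("error_codes", [])
    if 700082 in codes:
        window = parse_inactivity(data.get("error_description", ""))
        reason = f"AADSTS700082: inactive for {window if window is not None else 'unknown'}"
    else:
        reason = f"{data.get('error', 'unknown')}: codes {codes}"
    return TokenRecord(old.access_token, old.refresh_token, 0,
                       needs_interactive_login=True, last_error=reason)


def refresh_all(store: Dict[str, TokenRecord],
                call_token_endpoint: Callable[[str], Tuple[int, str]]) -> Dict[str, TokenRecord]:
    """Daily job: refresh every stored token, skipping customers already flagged."""
    for customer, record in list(store.items()):
        if record.needs_interactive_login:
            continue
        status, body = call_token_endpoint(record.refresh_token)
        store[customer] = apply_refresh_response(record, status, body)
    return store


# Constructed stand-in for the HTTPS POST to the token endpoint, keyed on the
# refresh token so the example runs offline.
_FAKE_RESPONSES = {
    "rt-alice": (200, SUCCESS_BODY),
    "rt-bob": (400, INACTIVE_90D_BODY),
    "rt-carol": (400, INACTIVE_12H_BODY),
}


def fake_token_endpoint(refresh_token: str) -> Tuple[int, str]:
    return _FAKE_RESPONSES[refresh_token]


def demo() -> Dict[str, TokenRecord]:
    store = {
        "alice": TokenRecord("old-at", "rt-alice"),
        "bob": TokenRecord("old-at", "rt-bob"),
        "carol": TokenRecord("old-at", "rt-carol"),
    }
    return refresh_all(store, fake_token_endpoint)
```

In a real service the fake endpoint is replaced by the HTTPS POST to `/oauth2/v2.0/token` with `grant_type=refresh_token`, and `store` is the persistent token store; the point of `apply_refresh_response` is that the old refresh token is never written back once a new one has been issued, and that a customer who hits AADSTS700082 is taken out of the daily loop until they sign in interactively.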