1
votes

We recently started working on a solution where we want access to users' resources as part of server-to-server calls, and we authenticate the users with Microsoft work accounts using Azure AD's OAuth 2.0 approach. We implemented OAuth 2.0 authentication using Microsoft.IdentityModel.Clients.ActiveDirectory Version 2.24 and released it to market. About 2 days back, we started getting the following error for some users: "The refresh token has expired because of inactivity for 14 days". After investigating, we found the following:

  • By Default, Azure AD refresh tokens are valid for about 14 days.
  • Access token can only be refreshed for a maximum period of 90 days (given that we "refresh" our refresh token)
  • 90 days after the initial issuance of the access and refresh tokens, the end user will have to sign themselves in again
  • Currently, these settings are not configurable in Azure AD.

In order to solve the issue, we were trying to move to the recently released Microsoft.IdentityModel.Clients.ActiveDirectory Version 3.10. While upgrading from library version 2.24 to 3.10, I was not able to use the RefreshToken that I persisted after serializing it using version 2.x; an error occurred while deserializing it with version 3.x (I noticed that the class TokenCache has undergone some changes).

So, I have following questions:

  • Since the refresh token in question was getting used to acquire access tokens regularly during the 14-day period, we would like to understand "What is the definition of 'inactivity' for a refresh token?" If it only covers getting access tokens, why did the refresh token expire in the first place? Please note that the call I was using to get the access token was AuthenticationContext.AcquireTokenByRefreshToken. Could that be the issue? (Link to ADAL 3 didn't return refresh tokens for ~5 months…
  • How can I use the persisted serialized 2.x token cache with the library version 3.x?
  • Given that we move to the version 3.x and use the calls AuthenticationContext.AcquireTokenSilentAsync to get the access tokens on a regular basis, I won't run into the above issue again for a period of 90 days. Can you please confirm the approach I am taking.
  • Can we get the refresh token for more than 90 days period to avoid asking the user to re-authenticate every quarter?
  • Does the refresh token get invalidated if the user changes their password?
1

1 Answers

0
votes

It is really late to answer this; by now you may have figured out the solution. If so, please post your answer. I had the same problem when we shifted to AD 3.10 yesterday, and I was missing a call to the line below; adding it made it work:

 var authenticationResult = await authContext.AcquireTokenByAuthorizationCodeAsync(httpCookie.Value, uri, credential);

You have to make a call to this before you call authContext.AcquireTokenSilentAsync( ...). Please try at your end.
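The following is an added example, written for this page and not code from either poster, showing how the two calls named in the question and the answer fit together in ADAL 3.x for a confidential (web/server) client: a TokenCache subclass that persists the serialized cache per user and falls back to a clean cache when a blob written by ADAL 2.x cannot be deserialized, AcquireTokenByAuthorizationCodeAsync to seed that cache after the OAuth redirect, and AcquireTokenSilentAsync for the later server-to-server calls. The ICacheStore interface, the authority and resource URLs, and the per-user cache key are assumptions, not part of the original page or of ADAL.

```csharp
// Added example: persisted ADAL 3.x TokenCache plus code-exchange and silent-refresh helpers.
// Assumed (hypothetical): ICacheStore, the authority/resource constants and the cache-key scheme.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public interface ICacheStore            // hypothetical persistence abstraction (DB, blob store, ...)
{
    byte[] Load(string key);
    void Save(string key, byte[] blob);
    void Delete(string key);
}

public class PersistedTokenCache : TokenCache
{
    private readonly ICacheStore _store;
    private readonly string _key;       // one blob per signed-in user

    public PersistedTokenCache(ICacheStore store, string userKey)
    {
        _store = store;
        _key = userKey;
        BeforeAccess = args => LoadFromStore(args);
        AfterAccess = args => SaveToStore(args);
    }

    private void LoadFromStore(TokenCacheNotificationArgs args)
    {
        byte[] blob = _store.Load(_key);
        if (blob == null) return;
        try
        {
            args.TokenCache.Deserialize(blob);
        }
        catch (Exception)
        {
            // A blob written by ADAL 2.x is not readable by 3.x: treat it as absent so the
            // next silent call fails cleanly and the user is sent through sign-in again.
            _store.Delete(_key);
            args.TokenCache.Clear();
        }
    }

    private void SaveToStore(TokenCacheNotificationArgs args)
    {
        if (!args.TokenCache.HasStateChanged) return;   // nothing new (no refresh happened)
        _store.Save(_key, args.TokenCache.Serialize());
        args.TokenCache.HasStateChanged = false;
    }
}

public class TokenService
{
    private const string Authority = "https://login.microsoftonline.com/common"; // assumption
    private const string Resource = "https://graph.microsoft.com";              // assumption
    private readonly ClientCredential _credential;
    private readonly Uri _redirectUri;
    private readonly ICacheStore _store;

    public TokenService(string clientId, string clientSecret, Uri redirectUri, ICacheStore store)
    {
        _credential = new ClientCredential(clientId, clientSecret);
        _redirectUri = redirectUri;
        _store = store;
    }

    // Step 1: after the OAuth redirect, exchange the authorization code. This is the call the
    // answer refers to; it seeds the cache with access token, refresh token and user identity.
    public async Task<string> ExchangeCodeAsync(string authorizationCode, string cacheKey)
    {
        var ctx = new AuthenticationContext(Authority, new PersistedTokenCache(_store, cacheKey));
        AuthenticationResult result = await ctx.AcquireTokenByAuthorizationCodeAsync(
            authorizationCode, _redirectUri, _credential, Resource);
        return result.UserInfo.UniqueId;    // keep with the session; needed for silent calls
    }

    // Step 2: server-to-server calls. ADAL uses the cached refresh token when the access token
    // has expired; each successful refresh writes a new cache blob via AfterAccess.
    public async Task<string> GetAccessTokenAsync(string userObjectId, string cacheKey)
    {
        var ctx = new AuthenticationContext(Authority, new PersistedTokenCache(_store, cacheKey));
        try
        {
            AuthenticationResult result = await ctx.AcquireTokenSilentAsync(
                Resource, _credential, new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            return result.AccessToken;
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // No usable token: refresh token expired (14-day inactivity or 90-day maximum),
            // revoked, or the cache was unreadable. Caller must send the user to sign in again.
            return null;
        }
    }
}
```

Keying the cache per user keeps one user's tokens out of another user's blob and makes a single unreadable 2.x entry affect only that user. Returning null from GetAccessTokenAsync rather than throwing lets the caller distinguish "needs interactive sign-in" from a transient failure; a quick way to confirm the approach from the question is to watch for a changed cache blob after each silent call near the access-token expiry, which shows the refresh token is being exercised within the 14-day window.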