2
votes

Is it possible to set ADFS to have a short-lived (~8 hours) timeout for refresh tokens for web-based logins and long-lived tokens for mobile apps? They are using OpenID Connect and, due to internal policy, will not extend the token lifetimes for browser-based logins, and believe that there is only one setting for all tokens.

Note: I am not the one doing the ADFS work, so I won't be able to add much more detail, as I don't understand it and have no access to it. I just want to be able to go back to the external agency and point them in the right direction.


1 Answer

1
votes

AD FS defines the refresh token lifetime to be equal to the SSO lifetime. This is highlighted in the single sign-on behavior documentation:

If the refresh token is within , the request will result in a new access token.

And further highlighted in the SSO settings document:

In the OAuth scenario, a refresh token is used to maintain the SSO state of the user within the scope of a particular application.

Unlike other identity providers, it seems AD FS does not provide a way to define refresh token lifetimes specifically for an application.

But it defines two sets of devices: registered devices and unregistered devices. If you consider that, and consider mobile devices to be unregistered devices, then you have the ability to control SSO behaviour. You can fully disable SSO behaviour (no refresh token), or you can enable it through the EnableKmsi feature (refer to EnableKmsi here for configuration) and have a refresh token valid for 24 hours.
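The device-class SSO settings described in this answer correspond to farm-wide properties of the AD FS PowerShell module. The following is an added example, not code from the answer or from Microsoft's documentation, that records the current values and applies the split the question asks for: an 8-hour SSO window (and therefore refresh-token lifetime) for plain browser logins on unregistered devices, and a 24-hour window for sessions that opt into "Keep me signed in". The parameter names (SsoLifetime, EnableKmsi, KmsiLifetimeMins, EnablePersistentSso, PersistentSsoLifetimeMins, DeviceUsageWindowInDays) are assumed from the Set-AdfsProperties cmdlet on Windows Server 2016 or later, run from an elevated session on the primary federation server.

```powershell
# Added example: audit and set the AD FS SSO windows that bound refresh-token lifetime.
# Assumes the AD FS PowerShell module on the primary federation server, run elevated.
# Parameter names are assumed from Set-AdfsProperties, not taken from the answer above.

# Refresh tokens are only valid inside the matching SSO window, so these
# properties are the effective refresh-token lifetime for each device class.
$refreshTokenProperties = @(
    'SsoLifetime',                # unregistered devices, minutes (default 480 = 8 h)
    'EnableKmsi',                 # offer "Keep me signed in" on unregistered devices
    'KmsiLifetimeMins',           # SSO window when the user ticks KMSI (default 1440 = 24 h)
    'EnablePersistentSso',        # registered (workplace-joined) devices
    'PersistentSsoLifetimeMins',  # their SSO window (default 10080 = 7 days)
    'DeviceUsageWindowInDays'     # inactivity cutoff for registered devices
)

function Get-RefreshTokenPolicy {
    # Read-only: safe to run first to capture the baseline before any change.
    Get-AdfsProperties | Select-Object -Property $refreshTokenProperties
}

function Set-RefreshTokenPolicy {
    param(
        [int]$BrowserSsoMinutes = 480,   # ~8 h for ordinary browser logins (unregistered devices)
        [int]$KmsiMinutes       = 1440   # 24 h for sessions that opt into KMSI (the mobile case)
    )
    # These are farm-wide, per device class; there is no per-application refresh-token setting.
    Set-AdfsProperties -SsoLifetime $BrowserSsoMinutes
    Set-AdfsProperties -EnableKmsi $true -KmsiLifetimeMins $KmsiMinutes
    # Registered devices keep the default 7-day persistent SSO. If policy forbids long
    # sessions there too, disable it explicitly:
    # Set-AdfsProperties -EnablePersistentSso $false
}

Get-RefreshTokenPolicy   # baseline
Set-RefreshTokenPolicy
Get-RefreshTokenPolicy   # confirm the new values took effect
```

The longer window only applies when the user ticks the KMSI box at sign-in, so the mobile app must go through the interactive AD FS login page rather than a silent flow to benefit from it.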