I'm using a Web App/API Azure application for a web application and used the authorization grant flow with client_id and client_secret to get the access/refresh tokens (using the REST API). Everything worked fine, except that the refresh token expired after 90 days. The expectation is to have a refresh_token that never expires (unless explicitly revoked), as stated in the Azure documentation.
This is what the Microsoft Azure AD documentation says: (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-tokens)
Token lifetimes with confidential client refresh tokens
Confidential clients are applications that can securely store a client password (secret). They can prove that requests are coming from the secured client application and not from a malicious actor. For example, a web app is a confidential client because it can store a client secret on the web server. It is not exposed. Because these flows are more secure, the default lifetimes of refresh tokens issued to these flows is until-revoked, cannot be changed by using policy, and will not be revoked on voluntary password resets.
This is the definition of confidential clients from RFC 6749: (https://tools.ietf.org/html/rfc6749#section-2.1)
Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
The error I'm getting now on the refresh token request:
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2018-10-19T17:26:59.8511467Z and was inactive for 90.00:00:00.
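As an added example (not code from the question or from Microsoft): a small Python client for the refresh_token grant that a confidential web app would run server-side, together with the two pieces of handling the AADSTS700082 response calls for: recognising the inactivity expiry and sending the user back through the authorization flow instead of retrying, and a keepalive check that refreshes before the inactivity window quoted in the error closes. The v1 token endpoint URL and the "resource" parameter are assumed from the "Web App/API" registration type mentioned in the question (v2 registrations use /oauth2/v2.0/token and "scope"); the tenant, client ID, secret, resource and the sample error body are constructed values.

```python
"""Refresh an Azure AD (v1 endpoint) token and decide what to do with the result."""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed endpoint for a "Web app / API" (v1) registration.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

AADSTS_RE = re.compile(r"AADSTS(\d+)")
# The error text quotes the inactivity span as d.hh:mm:ss, e.g. "90.00:00:00".
INACTIVE_RE = re.compile(r"inactive for (\d+)\.(\d{2}):(\d{2}):(\d{2})")

# Constructed sample, mirroring the error body in the question (no trace IDs).
SAMPLE_INACTIVITY_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS700082: The refresh token has expired due to inactivity. "
        "The token was issued on 2018-10-19T17:26:59.8511467Z and was "
        "inactive for 90.00:00:00."
    ),
    "error_codes": [700082],
})


def build_refresh_request(tenant, client_id, client_secret, refresh_token, resource):
    """Return (url, form-encoded body) for a confidential-client refresh."""
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client: the secret never leaves the server
        "refresh_token": refresh_token,
        "resource": resource,
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(body)


def parse_inactivity_window(error_description):
    """Extract the 'inactive for d.hh:mm:ss' span as a timedelta, or None."""
    m = INACTIVE_RE.search(error_description or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def classify_token_response(status, body):
    """Map a token-endpoint response to an action for the web app.

    Returns ("ok", tokens), ("reauthorize", details) or ("error", details).
    """
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        # Persist the refresh_token from every response: a refresh hands back a new one.
        return "ok", {"access_token": data["access_token"],
                      "refresh_token": data.get("refresh_token")}
    desc = data.get("error_description", "")
    m = AADSTS_RE.search(desc)
    code = int(m.group(1)) if m else None
    if data.get("error") == "invalid_grant" and code == 700082:
        # Refresh token dead from inactivity: retrying is pointless, the user
        # has to go through the authorization flow again.
        return "reauthorize", {"code": code, "inactive_for": parse_inactivity_window(desc)}
    return "error", {"code": code, "error": data.get("error")}


def needs_keepalive_refresh(last_used, now, max_inactive=timedelta(days=90),
                            margin=timedelta(days=7)):
    """True when a refresh should run now so the token does not hit the inactivity limit."""
    return now - last_used >= max_inactive - margin


def refresh(tenant, client_id, client_secret, refresh_token, resource, opener=urlopen):
    """POST the refresh over HTTPS; `opener` is injectable for offline tests."""
    url, body = build_refresh_request(tenant, client_id, client_secret, refresh_token, resource)
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except HTTPError as e:
        return classify_token_response(e.code, e.read().decode())


if __name__ == "__main__":
    action, details = classify_token_response(400, SAMPLE_INACTIVITY_ERROR)
    print(action, details)
    issued = datetime(2018, 10, 19, tzinfo=timezone.utc)
    print("keepalive due:", needs_keepalive_refresh(issued, datetime.now(timezone.utc)))
```

The practical takeaways the code encodes: the error text itself states the window, so a scheduled refresh inside that window (here one week before 90 days of inactivity) keeps a long-lived session alive without any user interaction; each successful refresh returns a new refresh_token that must replace the stored one; and a 700082 response is terminal for that token, so the app should route the user back through the authorization flow rather than loop on the refresh call.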