ADB2C refresh_token always expires in one day

I've been struggling with adb2c for a while now. In particular the refresh flow. I'm using the latest version of msal-browser and everything works fine; refreshing the token works well. The only problem is that the token endpoint returns a refresh_token that will always expire in one day. In this case, a user can only be logged in for a day; after that, the user will always have to re-authorize. Here is an example of the endpoint and what it returns directly after logging in. (Note that I have set the access_token expiry time to 5 minutes for testing purposes.)

Endpoint:

https://{b2c_domain}.onmicrosoft.com/{b2c_policy}/oauth2/v2.0/token

Response:

{
    "access_token": "{access_token_hidden}",
    "id_token": "{id_token_hidden}",
    "token_type": "Bearer",
    "not_before": 1610023338,
    "expires_in": 300,
    "expires_on": 1610023638,
    "resource": "{resource_hidden}",
    "client_info": "{client_info}",
    "scope": "https://{adb2c_domain_hidden}.onmicrosoft.com/api/user_impersonation",
    "refresh_token": "{refresh_token_hidden}",
    "refresh_token_expires_in": 86400
}

When, at some point, the application will try to refresh a token, it will call the token endpoint again. This is what a second response looks like:

{
    "access_token": "{access_token_hidden}",
    "id_token": "{id_token_hidden}",
    "token_type": "Bearer",
    "not_before": 1610023891,
    "expires_in": 300,
    "expires_on": 1610024191,
    "resource": "{resource_hidden}",
    "client_info": "{client_info}",
    "scope": "https://{adb2c_domain_hidden}.onmicrosoft.com/api/user_impersonation",
    "refresh_token": "{refresh_token_hidden}",
    "refresh_token_expires_in": 85846
}

The refresh_token_expires_in is not rolling. But that is understandable; the user should not always stay logged in. But in my adb2c policy the following settings are active:

[screenshot of the adb2c policy token lifetime settings]

I would assume, as I have configured in the settings, the refresh token should at least be active for 14 days. If not, even up to 90 days? I can play with the settings, but it will always give me a refresh_token that lasts for 1 day. Does anyone have any experience with this or a possible solution? Thanks!

Gijs asked Nov 07 '22 03:11


1 Answer

If you are using Msal-Browser, which implements the code grant with PKCE in a SPA application, you will get a refresh token with an expiry of 24 hours, and that is not rolling. After 24 hours you need to go to the /authorize endpoint of Azure AD to get a new access and refresh token. This can also be a non-interactive flow if the browser has a valid login session.

In the Msal-browser library, if you have configured the session for more than 24 hours, you can perform a silent login with ssoSilent(); it requires you to send the login_hint.

Vikrant Singh answered Nov 09 '22 06:11