
Azure Oauth - how to change token expiration time?

We are using OAuth2 with Azure. By default, the server returns a token with a one-hour expiration interval. Is there any way to change the expiration interval?

asked Jul 01 '15 13:07

andrey


People also ask

How do I change expiration date on Azure token?

As of January 30, 2021 you can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the default configuration.

How long is an azure access token valid for?

The expiry time of token is approx. 30 mins to 1 hr.

How long does Azure refresh token?

The Refresh token has a sliding window that is valid for 14 days and refresh token's validity is for 90 days.


1 Answer

It is now possible to configure the token lifetime. You can read more here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.

Remark: This feature is in preview and will not go to production in this way. The following header is also placed on the documentation link I mentioned above.

After hearing from customers during the preview, we're planning to replace this functionality with a new feature in Azure Active Directory Conditional Access. Once the new feature is complete, this functionality will eventually be deprecated after a notification period. If you use the Configurable Token Lifetime policy, be prepared to switch to the new Conditional Access feature once it's available.

Original answer:

Currently there is no way to change the expiration interval. These are the current expiration times.

  • Access tokens last 1 hour

  • Refresh tokens last for 14 days, but

    • If you use a refresh token within those 14 days, you will receive a new one with a new validity window shifted forward by another 14 days. You can repeat this trick for up to 90 days of total validity, then you’ll have to reauthenticate.
    • Refresh tokens can be invalidated at ANY time, for reasons independent from your app (e.g. user changes password). Hence you should NOT take a dependency on the above in your code – your logic should always assume that the refresh token can fail at any time.
    • Refresh tokens issued for guest MSA accounts last only 12 hours.

Source: http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/ and also my own experiences.

answered Oct 01 '22 11:10

Wessel Kranenborg
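
A sketch of client logic that follows the answer's advice to assume the refresh token can fail at any time. This is an added example, not part of the original answer or of any Azure SDK: TokenStore, ReauthRequired and refresh_call are hypothetical names, and the clock and token endpoint in demo() are constructed so the code runs offline. It relies only on the standard OAuth2 response fields access_token, refresh_token, expires_in and error.

```python
import time

class ReauthRequired(Exception):
    """The refresh token was rejected; the user has to sign in again."""

class TokenStore:
    def __init__(self, tokens, refresh_call, clock=time.time, skew=300):
        self.refresh_token = None
        self._refresh_call = refresh_call  # hypothetical: POSTs grant_type=refresh_token
        self._clock, self._skew = clock, skew
        self._store(tokens)

    def _store(self, tokens):
        self.access_token = tokens["access_token"]
        # A refresh response may carry a new refresh token; always keep the latest.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + int(tokens["expires_in"])

    def get_access_token(self):
        # Reuse the cached access token until shortly before it expires.
        if self.access_token and self._clock() < self.expires_at - self._skew:
            return self.access_token
        resp = (self._refresh_call(self.refresh_token)
                if self.refresh_token else {"error": "invalid_grant"})
        if "error" in resp:
            # Revoked, expired or password changed: drop everything, do not retry.
            self.access_token = self.refresh_token = None
            raise ReauthRequired(resp["error"])
        self._store(resp)
        return self.access_token

def demo():
    """Constructed scenario: fake clock and fake token endpoint, no network."""
    now = [0.0]
    state = {"valid": "rt-0", "n": 0}
    def fake_endpoint(refresh_token):
        if refresh_token != state["valid"]:
            return {"error": "invalid_grant"}
        state["n"] += 1
        state["valid"] = f"rt-{state['n']}"
        return {"access_token": f"at-{state['n']}",
                "refresh_token": state["valid"], "expires_in": 3600}
    store = TokenStore({"access_token": "at-0", "refresh_token": "rt-0",
                        "expires_in": 3600}, fake_endpoint, clock=lambda: now[0])
    seen = [store.get_access_token()]      # fresh: served from cache
    now[0] = 3400                          # inside the 5-minute skew window
    seen.append(store.get_access_token())  # refreshed, refresh token rotated
    state["valid"] = None                  # e.g. the user changed their password
    now[0] += 3600
    try:
        store.get_access_token()
    except ReauthRequired as exc:
        seen.append(f"reauth:{exc}")       # caller must start a new sign-in
    return seen, store.refresh_token
```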