I have a question regarding SSO Token Expiration - Microsoft Q&A (2024)

FAQs

I have a question regarding SSO Token Expiration - Microsoft Q&A? ›

By default, the lifetime of tokens issued by the Microsoft identity platform (such as access tokens, SAML tokens, or ID tokens) is 60 minutes1. The minimum token lifetime is 5 minutes, and the maximum is 1,440 minutes (24 hours)1.

Best practice

Set the expiration time for refresh tokens in such a way that it is valid for a little longer period than the access tokens. For example, if you set 30 minutes for access token then set (at least) 24 hours for the refresh token.

You can configure token lifetimes in the Azure portal. Go to the Azure portal. In "Azure Active Directory" > "Security" > "Authentication methods" > "Authentication methods blade" > "Token Lifetime Policies". you can configure the lifetime of access tokens, refresh tokens, and ID tokens.

Unfortunately, there is no option to find the expiration time for the refresh token, because it is depending on authorization server and the type of client application, and it is not communicated to the client. In the Microsoft identity platform, the default lifetime for refresh tokens is 90 days.

Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use.

The member must reauthorize your application when refresh tokens expire. When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.

When a token has expired or has been revoked, it can no longer be used to authenticate Git and API requests. It is not possible to restore an expired or revoked token, you or the application will need to create a new token.

This usually happens when a user session lasts longer than the token's lifespan. To resolve this issue, you can either refresh the token manually or set up an automatic token refresh in your application. Another solution is to increase the token's lifespan, but this could potentially compromise security.

The lifetime of a refresh token is set to 90 days by default and cannot be reduced or lengthened. However, you can configure the sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again.

What is the secret expiration in Azure? ›

The client secret expiration date can only be set to maximum of 24 months. We cannot set a client secret that will never expire due to security reason. Unfortunately, Azure currently does not natively provide a way to notify expired client secret. An expired secret can cause a lot of damage on the business process.

To verify that your expiration time is correct, you can look at the exp and iat claim of your access token. Then you can perform the following calculation: Token expiration (in seconds) = exp (Expiration time in seconds) - iat (Issued at in seconds)

To refresh your access token and an ID token, you send a token request with a grant_type of refresh_token . Be sure to include the openid scope when you want to refresh the ID token. If the refresh token is valid, then you get back a new access token, a new ID token, and the refresh token.

Refresh tokens extend the lifespan of an access token. Typically, they're issued alongside access tokens, allowing additional access tokens to be granted when the live access token expires. They're usually stored securely on the authorization server itself.

token_lifetime_secs - Access token lifetimes (seconds). The default is 3,600 (1 hour). The minimum is 300 (5 minutes). The maximum is 86,400 (24 hours).

When issued, an access token's default lifetime is assigned a random value ranging between 60-90 minutes (75 minutes on average). The default lifetime also varies depending on the client application requesting the token or if Conditional Access is enabled in the tenant.

A refresh token is opaque; you cannot validate it yourself. The general pattern for validating a refresh token is to use it to refresh the JWT, and if the refresh attempt fails, that indicates the refresh token is no longer valid.

These tokens are generally short-lived, i.e., valid only for a short amount of time (say 5-15 minutes). This is plenty for you to perform a particular task requiring validation but makes it harder for individuals with malicious intent to get their hands on confidential resources.

The main purpose of using a refresh token is to considerably shorten the life of an access token. The refresh token can then later be used to authenticate the user as and when required by the application without running into problems such as cookies being blocked, etc.

What is the best practice for JWT expiry time? ›

JWTs are self-contained, by-value tokens and it is very hard to revoke them, once issued and delivered to the recipient. Because of that, you should use as short an expiration time for your tokens as possible — minutes or hours at maximum. You should avoid giving your tokens expiration times in days or months.

Refresh Token max inactive time is 90 days, if the user session continues it would renew without impacting the session but not when session controls are applied.

Refresh token rotation is the practice of updating an access_token on behalf of the user, without requiring interaction (eg.: re-sign in). access_token s are usually issued for a limited time. After they expire, the service verifying them will ignore the value.

By default, an access token for a custom API is valid for 86400 seconds (24 hours). We recommend that you set the validity period of your token based on the security requirements of your API. For example, an access token that accesses a banking API should expire more quickly than one that accesses a to-do API.