About changing lifetime of refresh token - Microsoft Q&A (2024)

FAQs

About changing lifetime of refresh token - Microsoft Q&A? ›

Hi, the lifetime of a refresh token cannot be changed. The lifetime of a refresh token is set to 90 days by default and cannot be reduced or lengthened. However, you can configure the sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again.

Token lifetime

Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use.

Sliding: when refreshing the token, the lifetime of the refresh token will be renewed (by the amount specified in SlidingRefreshTokenLifetime). The lifetime will not exceed the absolute lifetime.

Best practice

Set the expiration time for refresh tokens in such a way that it is valid for a little longer period than the access tokens. For example, if you set 30 minutes for access token then set (at least) 24 hours for the refresh token.

When enabled, a refresh token will expire based on an absolute lifetime, after which the token can no longer be used. If rotation is enabled, an expiration lifetime must be set. The Absolute Expiration of the rotating refresh token is defined on creation and is not changed, even with an exchange.

Unfortunately, there is no option to find the expiration time for the refresh token, because it is depending on authorization server and the type of client application, and it is not communicated to the client. In the Microsoft identity platform, the default lifetime for refresh tokens is 90 days.

Refresh tokens are designed to be long-lived but must be revoked at need. Access tokens are designed to be short-lived, because they can't be revoked (in most cases).

This means that every time a refresh token is used to obtain a new access token, a new refresh token is also issued and the old one is invalidated. Limited validity: Although refresh tokens are valid for longer than access tokens, they should still have a maximum lifespan and be renewed or checked regularly.

The member must reauthorize your application when refresh tokens expire. When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.

Refresh tokens are required only when a user's session has expired or isn't available. For example, you set a refresh token policy to expire the token after 1 hour. If a user uses the app for 2 hours, the user isn't forced to reauthenticate after 1 hour.

Is refresh token a good practice? ›

Short-lived access tokens, long-lived refresh tokens, and blacklists are a great approach for most services. Whether to use these over a session approach depends on how sensitive your data is and how much damage can be done in a short amount of time.

Refresh token rotation is a security mechanism designed to minimize the risks associated with token theft and unauthorized use. In this process, each time a refresh token is used to acquire a new access token, a brand new refresh token is also generated and the previous one is invalidated.

Refresh and session token lifetime policy properties

Non-persistent session tokens have a Max Inactive Time of 24 hours whereas persistent session tokens have a Max Inactive Time of 90 days.

A typical access token for Graph API might be around 1.5 KB, and a typical refresh token might be around 1 KB. However, these are only rough estimates, and the actual size may vary depending on the app and the user. Hope this helps.

The default number of seconds for the Grace period for token rotation is set to 30 seconds. You can change the value to any number from 0 through 60 seconds. After the refresh token is rotated, the previous token remains valid for this amount of time to allow clients to get the new token.

When a rotated refresh token is used, a new refresh token is issued in addition to the new access token. The client application must use the most recent refresh token in the chain. All previous tokens have already been used and cannot be used again.

By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year. The member must reauthorize your application when refresh tokens expire.

When using the Org Authorization Server, the lifetime of the JSON Web Tokens (JWT) is hard-coded to the following values: ID Token: 60 minutes. Access Token: 60 minutes. Refresh Token: 90 days.

Give tokens an expiration: Technically, once a token is signed, it is valid forever—unless the signing key is changed or expiration explicitly set. This could pose potential issues so have a strategy for expiring and/or revoking tokens.

The refresh token is set with a very long expiration time of 200 days. If the traffic to this API is 10 requests/second, then it can generate as - many as 864,000 tokens in a day.