MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

User Session < 24h with B2C and SPA #107811

Closed wedevops1 closed 5 months ago

wedevops1 commented 1 year ago

Hello,

It's unclear in the documentation what the necessary steps are for SPAs/browser client applications using B2C to have user sessions lasting less or more than 24h.

It's stated in the following links that:

  1. If one wants to control the user session via B2C to be more or less than 24h, it's required to use the implicit grant flow.
  2. In order to use the implicit grant flow, one has to downgrade to MSAL 1.x, because MSAL 2.x only supports the authorization code flow.
  3. If one wants to have this behavior, SPAs cannot be used. (What should be used instead for a frontend JS app?)
  4. One cannot have the scope offline_access in the authentication request in order to obtain the desired behavior. And to force this behavior, one is required to remove this from API permissions. (The scope is still there, as stated here and also by me.)
  5. refresh_token_lifetime_secs can't be set to less than 24h.

Having tried most combinations, I can't tell what's good or bad. The reality is that the documentation to get browser client applications to use MSAL 2.x and to have shorter sessions is a bit scarce and scattered.

Also, I don't see these peculiarities highlighted here.



YashikaTyagii commented 1 year ago

@wedevops1 Thanks for your feedback! We have assigned the issue to author and will provide further updates.

wedevops1 commented 1 year ago

Also linked the 2 issues, which indicate that even if one removes the offline_access scope from the App Registration, MSAL sends it, and nonetheless a refresh_token is always in the /authorize request.

issue 1 issue 2

henrymbuguakiarie commented 1 year ago

Hello @wedevops1,

Thank you for your feedback.

Azure AD B2C and Microsoft identity platform are different products that function differently. For instance, Azure AD B2C employs user flow, while the Microsoft identity platform does not. Since the document in question belongs to the Microsoft identity platform, the problem should not be attributed to this document.

The issue should be attributed to Configure session behavior in Azure Active Directory B2C

That said, Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours while mobile apps, desktop apps, and web apps do not experience this limitation.

I will contact our feature product manager, inquire about the issue, and then respond back.
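The comment above states the constraint a SPA developer has to design around: with the authorization code flow plus PKCE, a single-page app's refresh token lives at most 24 hours regardless of how the B2C user flow session is configured. The following helper, added here as an illustration and not code from the thread, from MSAL or from Microsoft, shows how a SPA can predict that boundary instead of discovering it when a silent renewal fails. It assumes the app records the sign-in time (`signInAtMs`), that the ID token is a compact JWT with an `exp` claim, and a constructed token is built inline for the run; the function and claim names are the example's own.

```javascript
// Added example: plan token renewal for a B2C SPA under the 24-hour refresh-token cap.
// Not MSAL code; the 24h value is the limit quoted in the thread for SPAs using
// auth code + PKCE. Everything else (names, sample claims) is this example's assumption.

const SPA_REFRESH_TOKEN_LIFETIME_MS = 24 * 60 * 60 * 1000;

// Decode the payload segment of a compact JWT without checking the signature.
// This is only for scheduling in the client that received the token; a resource
// server must still validate the signature, issuer and audience before trusting claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // base64url -> base64, then restore padding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Decide what the SPA should do next:
//   'fresh'       - the current token is still usable
//   'silent'      - the token is about to expire but the refresh token is still alive,
//                   so a silent renewal should succeed
//   'interactive' - the 24h refresh-token cap has passed; only an interactive
//                   sign-in through the user flow can continue the session
function planRenewal(idToken, signInAtMs, nowMs, skewSeconds = 300) {
  const { exp } = decodeJwtPayload(idToken);
  if (typeof exp !== 'number') throw new Error('id_token has no exp claim');
  const expMs = exp * 1000;
  const refreshTokenExpiresMs = signInAtMs + SPA_REFRESH_TOKEN_LIFETIME_MS;
  if (nowMs >= refreshTokenExpiresMs) return 'interactive';
  if (nowMs + skewSeconds * 1000 >= expMs) return 'silent';
  return 'fresh';
}

// Build a constructed, unsigned JWT so the example runs offline.
// The signature segment is a fixed placeholder; real tokens are signed by the authority.
function makeConstructedIdToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

// Stand-alone demonstration with constructed timestamps.
function demo() {
  const now = Date.UTC(2024, 0, 1, 12, 0, 0);
  const token = makeConstructedIdToken({
    sub: 'constructed-subject',
    exp: Math.floor(now / 1000) + 3600, // expires in one hour
  });
  return {
    justSignedIn: planRenewal(token, now - 60 * 60 * 1000, now),
    nearExpiry: planRenewal(token, now - 60 * 60 * 1000, now + 56 * 60 * 1000),
    pastRefreshCap: planRenewal(token, now - SPA_REFRESH_TOKEN_LIFETIME_MS, now),
  };
}

module.exports = { decodeJwtPayload, planRenewal, makeConstructedIdToken, demo };
```

In an MSAL.js 2.x app the 'silent' outcome maps to calling `acquireTokenSilent`, and the 'interactive' outcome to `loginRedirect` or `loginPopup`; whether that interactive step prompts for credentials or completes without them is what the B2C user flow's session settings govern, while the 24-hour refresh-token cap itself cannot be extended for a SPA.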

jonnaglieri commented 8 months ago

Is there any update on this issue? I have a similar question and desire to have our SPA app session be long-lived. Is there a recommended / documented way to achieve this?

henrymbuguakiarie commented 5 months ago

Hello @wedevops1,

In Azure AD B2C, the Sign up and sign in user flow controls the session behavior. When you create a Sign up and sign in user flow, you can edit it by selecting User flows > Your Signupsignin user flow > Properties > Session behavior.

In the Session behavior section, there's a field called Web app session lifetime (minutes), which you can use to control the user session in the different types of applications that are using that user flow.

For now, I'll go ahead and close this issue since it was created in Microsoft Identity Platform docs instead of Azure AD B2C docs, where the issue should be addressed. The right doc to address this issue should be Configure session behavior in Azure Active Directory B2C.

Cc: @jonnaglieri

please-close