Closed wedevops1 closed 5 months ago
@wedevops1 Thanks for your feedback! We have assigned the issue to the author and will provide further updates.
Hello @wedevops1,
Thank you for your feedback.
Azure AD B2C and Microsoft identity platform are different products that function differently. For instance, Azure AD B2C employs user flow, while the Microsoft identity platform does not. Since the document in question belongs to the Microsoft identity platform, the problem should not be attributed to this document.
The issue should be attributed to Configure session behavior in Azure Active Directory B2C.
That said, single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours, while mobile apps, desktop apps, and web apps do not experience this limitation.
I will contact our feature product manager, inquire about the issue, and then respond back.
Is there any update on this issue? I have a similar question and desire to have our SPA app session be long-lived. Is there a recommended / documented way to achieve this?
Hello @wedevops1,
In Azure AD B2C, the Sign up and sign in user flow controls the session behavior. When you create a Sign up and sign in user flow, you can edit it by selecting User flows > Your Signupsignin user flow > Properties > Session behavior.
In the Session behavior section, there's a field called Web app session lifetime (minutes) that you can use to control the user session in the different types of applications that are using that user flow.
For now, I'll go ahead and close this issue since it was created in the Microsoft identity platform docs instead of the Azure AD B2C docs, where the issue should be addressed. The right doc to address this issue should be Configure session behavior in Azure Active Directory B2C.
Cc: @jonnaglieri
Hello,
It's unclear in the documentation what the necessary steps are for SPAs/browser client applications using B2C to have user sessions lasting less or more than 24h.
It's stated in the following links that:
- offline_access in the authentication request in order to obtain the desired behavior. And to force this behavior, one is required to remove this from API permissions. (The scope is still there, as stated here and also by me.)
- refresh_token_lifetime_secs can't be set to less than 24h.
Having tried most combinations, I can't tell what's good or bad. The reality is that the documentation to get browser client applications to use MSAL 2.x and to have shorter sessions is a bit scarce and scattered.
Also, I don't see these peculiarities quite highlighted here.