Closed vacuvi closed 2 years ago
@vacuvi Thank you for your feedback. We will investigate and update the thread.
@vacuvi Refresh tokens are long-lived tokens. The OAuth RFC doesn't specify any default value to be used for the refresh tokens. Every IDP can have its own implementation of the default lifetime but you can set/change the lifetime as per your requirement.
Refresh Token Max Inactive Time - 90 days
As per the document https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#refresh-and-session-token-lifetime-policy-properties:
"As of January 30, 2021 customers can not configure refresh and session token lifetimes. Azure Active Directory no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the default configuration."
The default lifetime for refresh tokens is 90 days. I am aware that we can use CA policies https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime to configure User sign-in frequency, however, is there any explanation/justification/logic behind why 90 days was selected as the lifetime value?
Thanks.
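The "Refresh Token Max Inactive Time" quoted above is a sliding inactivity window: each successful redemption resets the clock, and a token that sits unused for longer than the window is dead. The following is an added example of how a token service can enforce such a window server-side, with single-use rotation so that a stolen token that has already been redeemed is rejected. It is not Azure AD's implementation and not code from this thread; the store, the `issue`/`redeem` names and the 90-day constant (taken from the page's stated default) are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import secrets

# Inactivity window; 90 days is the default lifetime quoted in the thread.
MAX_INACTIVE = timedelta(days=90)


@dataclass
class RefreshRecord:
    subject: str          # user the token was issued to
    last_used: datetime   # issuance time, then updated on each redemption
    revoked: bool = False


class RefreshTokenStore:
    """Hypothetical in-memory refresh token store (constructed example)."""

    def __init__(self, max_inactive: timedelta = MAX_INACTIVE) -> None:
        self.max_inactive = max_inactive
        self._tokens: Dict[str, RefreshRecord] = {}

    def issue(self, subject: str, now: datetime) -> str:
        # Opaque, unguessable token; the server keeps all state.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(subject=subject, last_used=now)
        return token

    def is_active(self, token: str, now: datetime) -> bool:
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return False
        return now - rec.last_used <= self.max_inactive

    def redeem(self, token: str, now: datetime) -> Optional[str]:
        """Exchange a refresh token for a rotated one, or None if rejected.

        Rejection reasons: unknown token, already used/revoked, or idle
        longer than max_inactive (the sliding window has closed).
        """
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        if now - rec.last_used > self.max_inactive:
            rec.revoked = True  # expired by inactivity; never usable again
            return None
        # Rotation: the presented token becomes single-use, and the new
        # token starts a fresh inactivity window at `now`.
        rec.revoked = True
        return self.issue(rec.subject, now)


if __name__ == "__main__":
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
    store = RefreshTokenStore()
    first = store.issue("alice", t0)
    second = store.redeem(first, t0 + timedelta(days=89))
    print("rotated within window:", second is not None)
    print("old token reusable:", store.redeem(first, t0 + timedelta(days=89)) is not None)
    print("after 91 idle days:", store.redeem(second, t0 + timedelta(days=180)) is not None)
```

Because redemption resets `last_used`, a client that refreshes at least once every 90 days keeps its session indefinitely; only a client that goes quiet for longer than the window is forced back to interactive sign-in. That is the distinction between an inactivity limit and a hard maximum age, and it is why a sign-in frequency policy (a hard limit) is the tool for forcing periodic re-authentication.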