TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

token never times out? #119

Open tgice opened 4 years ago

tgice commented 4 years ago

Hi, I'm doing some testing on this library using the sample code on the front page (under Authorization Code Flow).

I made a few setup changes and added a little debug code. I store the token in $_SESSION and am trying to test to verify that I see the code properly refreshing the token when it's expired. So far, I've not seen this happen, even if many hours go by. The $token->hasExpired() check is always false.

The only way I get routed back out to the Microsoft auth page is if I explicitly "log out" of my own local session (basically by clearing the token from $_SESSION).

I assume this behavior is not what's supposed to be happening. Am I right in remembering that I read somewhere that the default token expiration is one hour after the initial authentication? If so, after one hour, I'd assume that $token->hasExpired() would be true and then I'd follow the branch that attempts to get a refresh token ($provider->getAccessToken...).

Can anyone give me some pointers on what's going on here and how I can troubleshoot this further? E.g. did I miss some API call I can make on the token to see when it is supposed to expire? The only thing I've seen so far is the 'exp' property in the token idTokenClaims array. But that value keeps showing the original timestamp of when I started the session, even from hours (or days!) before.

hajekj commented 4 years ago

Please check this against the actual access token. The ID token is not used for expiration checks, since the underlying library doesn't work with ID tokens: https://github.com/thephpleague/oauth2-client/blob/master/src/Token/AccessToken.php. It only takes the value passed by the authorization server from expires_in and that's how the expiration is determined. Can you please check what that value is in your case? Or eventually calling $token->getExpires() to see the real value.
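The check hajekj describes, as an added example that is not code from the oauth2-azure project or from either commenter. It follows the Authorization Code Flow sample from the README (provider construction, `OAuth2.state` in the session, `$provider->scope`), keeps the token in `$_SESSION` as the reporter does, and logs the access token's own expiry (`getExpires()`, derived from `expires_in`) next to the `exp` claim of the ID token so the two lifetimes can be told apart. The client id, secret and redirect URI are placeholders, and the `getIdTokenClaims()` call is an assumption about the provider's token class, guarded by `method_exists`.

```php
<?php
// Added example (not part of the oauth2-azure project): compare the real
// access-token expiry with the ID token's 'exp' claim and refresh on expiry.
require 'vendor/autoload.php';

use TheNetworg\OAuth2\Client\Provider\Azure;
use League\OAuth2\Client\Token\AccessTokenInterface;

session_start();

$provider = new Azure([
    'clientId'     => '{azure-client-id}',               // placeholder
    'clientSecret' => '{azure-client-secret}',           // placeholder
    'redirectUri'  => 'https://example.com/callback-url', // placeholder
]);

// Summarise the two lifetimes: what the League token object believes (from
// expires_in) versus the 'exp' claim of the ID token, which is a separate value.
function describeToken(AccessTokenInterface $token): array
{
    // getIdTokenClaims() is assumed to exist on the provider's token class.
    $claims = method_exists($token, 'getIdTokenClaims') ? $token->getIdTokenClaims() : [];
    return [
        'access_token_expires' => $token->getExpires(),        // unix timestamp from expires_in
        'access_token_expired' => $token->hasExpired(),        // what the refresh branch keys on
        'has_refresh_token'    => $token->getRefreshToken() !== null,
        'id_token_exp'         => $claims['exp'] ?? null,      // ID token lifetime only
    ];
}

if (empty($_SESSION['token'])) {
    // First visit: run the authorization code flow as in the README sample.
    if (!isset($_GET['code'])) {
        $authUrl = $provider->getAuthorizationUrl();
        $_SESSION['OAuth2.state'] = $provider->getState();
        header('Location: ' . $authUrl);
        exit;
    }
    if (empty($_GET['state']) || $_GET['state'] !== ($_SESSION['OAuth2.state'] ?? null)) {
        unset($_SESSION['OAuth2.state']);
        exit('Invalid state');
    }
    $_SESSION['token'] = $provider->getAccessToken('authorization_code', [
        'code'  => $_GET['code'],
        'scope' => $provider->scope,
    ]);
}

$token = $_SESSION['token'];
error_log('token before check: ' . json_encode(describeToken($token)));

if ($token->hasExpired()) {
    if ($token->getRefreshToken() === null) {
        // Nothing to refresh with: drop the local session and start over.
        unset($_SESSION['token']);
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
        exit;
    }
    // Back-channel refresh; a new access token (and usually a new refresh token) comes back.
    $token = $provider->getAccessToken('refresh_token', [
        'refresh_token' => $token->getRefreshToken(),
        'scope'         => $provider->scope,
    ]);
    $_SESSION['token'] = $token;
    error_log('token after refresh: ' . json_encode(describeToken($token)));
}
```

Reading the two logged values side by side shows why the reporter's debug output looked frozen: `id_token_exp` only changes when a new ID token is issued, while `access_token_expires` is what `hasExpired()` evaluates. Note also that the `refresh_token` grant is a server-to-server call that carries no browser cookie, so signing the user out of Azure AD in the browser does not by itself make the refresh fail; the revocation page the reporter links covers how tokens are actually invalidated.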

tgice commented 4 years ago

Thanks for the reply. I had not been using getExpires(), so that helps a bit. I output that now in my debug code. Here's what happened on my latest test:

1) I loaded my test auth PHP page (when logged out of Azure AD), which properly redirected me to the MS page to sign in, and once I'd done that redirected me back to this same page (as I've chosen to set it).
2) After a reload of that page by me to get to a different code path within it, I see the debug output showing the expire time which was set to approximately 1 hour from when I'd just signed in.
3) I then signed out of Microsoft (separately from my test module, by going to outlook.microsoft.com and doing a sign out there).
4) After waiting the hour, I again loaded my auth module. After that load, I see the expire time has refreshed and is about one hour out! This is while I have no signed in session to MS.

Considering all of the above, and especially point 4 -- I would assume you'd agree that this doesn't sound right and that I must be doing something wrong, right?

My big surprise here is that it appears that Azure AD issues a refresh token even when the browser is signed out of Azure AD. If that's working as expected, I question the value of the refresh token.

I did a little more review at Microsoft and found this article:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/users-revoke-access#session-tokens-cookies

which explains how web applications typically use Azure AD. I realize that even with the behavior I'm currently seeing, I could just use Azure AD as a single initial point of authentication and then hand off to my application's session management, never dealing with Azure AD again until my native session expires or is explicitly logged out.

However, I might prefer to get that ongoing (usually silent) reevaluation happening if I can do it simply and in a way that adds little latency to my application.