How to configure access_token's lifetime in client_credentials flow? Azure AD B2C
we need to change the default lifetime of ours access_tokens. The default time is 1 hour and we need to change to 15 minutes by a Security Area request.
We have an Azure AD B2C tenant, where we created App Registrations for our Daemon Apps and Web Applications.
Web Application uses authorization_code with custom policies, here we can change the token's lifetime with custom policies configurations.
But, Daemon Apps uses client_credentials with "standard request":
curl --location 'https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={CLIENT_ID}' \
--data-urlencode 'client_secret={CLIENT_SECRET}' \
--data-urlencode 'scope=https://{TENANT}.onmicrosoft.com/{CLIENT_ID}/.default'
We didn't try anything yet, we didn't find the correct documentation in azure portal.
So the question is: how we can configure the access_token's lifetime in that scenario?
PD: Sorry for my English.
I tried to reproduce the same in my environment and got below results:
I have one application in my Azure AD B2C tenant like below:
When I generated access token using client credentials flow via Postman for above application, it has token lifetime as 1 hr like this:
POST https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token'
grant_type: client_credentials
client_id: {CLIENT_ID}
client_secret: {CLIENT_SECRET}
scope: https://sristackb2ctenant.onmicrosoft.com/{CLIENT_ID}/.default
Response:
To change token lifetime to 15 minutes, you can make use of below PowerShell script by creating one TokenLifetimePolicy like this:
Connect-AzureAD -TenantId <B2CtenantId>
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'B2CApp'"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:15:00"}}') -DisplayName "Valid15min" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
Response:
When I generated the access token again now, I got it with token lifetime as 15 minutes like this:
POST https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token'
grant_type: client_credentials
client_id: {CLIENT_ID}
client_secret: {CLIENT_SECRET}
scope: https://sristackb2ctenant.onmicrosoft.com/{CLIENT_ID}/.default
Response:
- Create Azure Key Vault backed secret scope in Databricks with AAD Token
- C# Graph api SDK V5 - Add User to multiple Groups
- Microsoft Azure doesn't return email via Oauth2 flow
- Sign in to Azure Account from VS Code
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- Dotnet-Isolated Azure Functions - how to access HttpContext
- vscode-remote-ssh does not work with SSH using Azure AD authentication
- Implementing SSO for Azure AD B2C
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- Azure AD client credentials generated token does not have claims (EDITED)
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Correlation failed in net.core / asp.net identity / openid connect
- Generating token for Fabric Rest api using client secret
- Permission based access control using Entra ID with ASP.NET core
- How do I display Job Title in my Next Auth app
- EntraId Authentication / Authorization via .NET & React
- Azure Function app down due to wrong routing template in http trigger binding of a functions
- How can I force trigger MFA, when logging into Azure?
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- azp Claim Missing from Azure AD JWT
- Retrieve all Users from all Groups?
- Cannot get AAD auth token in Logic Apps
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration
- Trouble when creating PowerBI report via JavaScript Client Library
- Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)