How to configure access_token's lifetime in client_credentials flow? Azure AD B2C
we need to change the default lifetime of ours access_tokens. The default time is 1 hour and we need to change to 15 minutes by a Security Area request.
We have an Azure AD B2C tenant, where we created App Registrations for our Daemon Apps and Web Applications.
Web Application uses authorization_code with custom policies, here we can change the token's lifetime with custom policies configurations.
But, Daemon Apps uses client_credentials with "standard request":
curl --location 'https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={CLIENT_ID}' \
--data-urlencode 'client_secret={CLIENT_SECRET}' \
--data-urlencode 'scope=https://{TENANT}.onmicrosoft.com/{CLIENT_ID}/.default'
We didn't try anything yet, we didn't find the correct documentation in azure portal.
So the question is: how we can configure the access_token's lifetime in that scenario?
PD: Sorry for my English.
I tried to reproduce the same in my environment and got below results:
I have one application in my Azure AD B2C tenant like below:
When I generated access token using client credentials flow via Postman for above application, it has token lifetime as 1 hr like this:
POST https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token'
grant_type: client_credentials
client_id: {CLIENT_ID}
client_secret: {CLIENT_SECRET}
scope: https://sristackb2ctenant.onmicrosoft.com/{CLIENT_ID}/.default
Response:
To change token lifetime to 15 minutes, you can make use of below PowerShell script by creating one TokenLifetimePolicy like this:
Connect-AzureAD -TenantId <B2CtenantId>
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'B2CApp'"
$policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:15:00"}}') -DisplayName "Valid15min" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
Response:
When I generated the access token again now, I got it with token lifetime as 15 minutes like this:
POST https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token'
grant_type: client_credentials
client_id: {CLIENT_ID}
client_secret: {CLIENT_SECRET}
scope: https://sristackb2ctenant.onmicrosoft.com/{CLIENT_ID}/.default
Response:
- Issue with Group email address domain when create a new Microsoft 365 Group
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Get Azure Active Directory password expiry date in PowerShell
- Azure Logic App HTTP Request Authentication Scope
- Get all user properties from Microsoft graph
- Get User by email address using Microsoft Graph API
- How do I login to an Azure AD Joined VM using Azure AD Credentials on an Windows Server 2019?
- Azure Permission - needed for creating resource group - RBAC
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- Updating App Registration's Configured permission without overwritten existing values
- Azure trusted signing Identity validation process stuck due to inability to upload required documents
- How to debug Bearer error="invalid_token"
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- .NET Core Multi Tenancy authentication
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Azure AD:Authenticate Devices