Tags: azure-active-directory, jwt, azure-ad-b2c, client-credentials

How to configure access_token's lifetime in client_credentials flow? Azure AD B2C


We need to change the default lifetime of our access_tokens. The default time is 1 hour and we need to change it to 15 minutes at the request of our Security Area.

We have an Azure AD B2C tenant, where we created App Registrations for our Daemon Apps and Web Applications.

The Web Application uses authorization_code with custom policies; there we can change the token's lifetime through the custom policy configuration.

But the Daemon Apps use client_credentials with a "standard request":

curl --location 'https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id={CLIENT_ID}' \
--data-urlencode 'client_secret={CLIENT_SECRET}' \
--data-urlencode 'scope=https://{TENANT}.onmicrosoft.com/{CLIENT_ID}/.default'

We haven't tried anything yet; we didn't find the correct documentation in the Azure portal.

So the question is: how can we configure the access_token's lifetime in that scenario?

PS: Sorry for my English.


Solution

  • I tried to reproduce the same in my environment and got the results below:

    I have one application in my Azure AD B2C tenant (screenshot).

    When I generated an access token using the client credentials flow via Postman for the above application, it had a token lifetime of 1 hr like this:

    POST https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: {CLIENT_ID}
    client_secret: {CLIENT_SECRET}
    scope: https://sristackb2ctenant.onmicrosoft.com/{CLIENT_ID}/.default

    Response: (screenshot)

    To change the token lifetime to 15 minutes, you can make use of the PowerShell script below, which creates a TokenLifetimePolicy like this:

    # Sign in to the B2C tenant with the AzureAD PowerShell module
    Connect-AzureAD -TenantId <B2CtenantId>

    # Service principal of the daemon app registration (here named 'B2CApp')
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'B2CApp'"

    # Policy that limits access tokens to 15 minutes.
    # Note: -IsOrganizationDefault $true also makes it the tenant-wide default policy.
    $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:15:00"}}') -DisplayName "Valid15min" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"

    # Attach the policy to the service principal, then confirm it is assigned
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

    Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId

    Response: (screenshot)

    When I generated the access token again, I got it with a token lifetime of 15 minutes like this:

    POST https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: {CLIENT_ID}
    client_secret: {CLIENT_SECRET}
    scope: https://sristackb2ctenant.onmicrosoft.com/{CLIENT_ID}/.default

    Response: (screenshot)
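To confirm from the daemon side that the policy took effect, here is an added Python example (not code from the question or the answer): it performs the same client_credentials request as the curl call in the question and decodes the returned JWT's nbf/exp claims to check that the lifetime is 15 minutes. It assumes `tenant` is the short B2C tenant name; the offline sample token it builds is constructed and unsigned.

```python
import base64
import json
import urllib.parse
import urllib.request

# Token endpoint from the question; tenant is the short B2C tenant name (assumption)
TOKEN_URL = "https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token"

def request_client_credentials_token(tenant, client_id, client_secret):
    """The same client_credentials request as the curl call above, via urllib."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{tenant}.onmicrosoft.com/{client_id}/.default",
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    # Reads the payload only. The signature is NOT verified here: this is a
    # lifetime inspection helper, not a token validator.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def token_lifetime_seconds(token):
    # AAD/B2C tokens carry iat, nbf and exp (Unix seconds); lifetime is exp - nbf
    claims = jwt_claims(token)
    return claims["exp"] - claims.get("nbf", claims["iat"])

def lifetime_matches(token, expected_seconds=15 * 60, tolerance_seconds=60):
    """True when the token's lifetime is within tolerance of the policy value."""
    return abs(token_lifetime_seconds(token) - expected_seconds) <= tolerance_seconds

def make_sample_token(lifetime_seconds, issued_at=1_700_000_000):
    # Constructed, unsigned sample token (alg "none") for offline testing only
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iat": issued_at, "nbf": issued_at, "exp": issued_at + lifetime_seconds}
    return f"{enc(header)}.{enc(claims)}."
```

Against a live tenant, pass the string returned by `request_client_credentials_token` to `lifetime_matches`; a result of False after assigning the policy means the daemon app's service principal is still getting the 1-hour default.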