I am using Azure B2C for authentication in my .NET Core web api project. I am trying to renew refresh token using step outlined in documentation - https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#4-refresh-the-token.
The request parameters (using RestSharp) I am sending are below:
using RestSharp;

// Token endpoint format from the B2C docs; {tenant} and {policy} are placeholders
var client = new RestClient("https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token");
var request = new RestRequest();
request.Method = Method.Post;
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "refresh_token", ParameterType.GetOrPost);
request.AddParameter("client_id", CLIENT_ID_HERE, ParameterType.GetOrPost);
request.AddParameter("scope", "CLIENT_ID_HERE offline_access", ParameterType.GetOrPost);
request.AddParameter("refresh_token", OLD_REFRESH_TOKEN, ParameterType.GetOrPost);
var response = await client.ExecuteAsync(request);
I am getting success response, as shown below:
{
"access_token":"eyJhbGciOiJSUzI1NiIsImtp......",
"id_token":"eyJhbGciOiJS......",
"token_type":"Bearer",
"not_before":1720104657,
"expires_in":3600,
"expires_on":1720108257,
"resource":"guid-here",
"id_token_expires_in":3600,
"profile_info":"eyJ2ZXIiO.........",
"scope":"B2C_Client_Id offline_access openid",
"refresh_token":"eyJraWQiOiJjcGltY29yZ...........",
"refresh_token_expires_in":76887
}
A few response parameters (refresh_token_expires_in, expires_on, etc.) are not mentioned in the documentation.
Now, with respect to the JSON response, I have a few confusions/doubts:
1. refresh_token_expires_in is in seconds, not a unix timestamp. Is that even correct?
2. expires_on is a unix timestamp and translates to 54 days. What could be expiring here?
3. What I could conclude here is that the 14-day or 90-day expiry of the refresh token will not be present in the refresh_token_expires_in value of the JSON response; instead it resides in the B2C settings only.
Any thoughts?
As mentioned in this MS Document,
Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours.
Initially, I generated the tokens using the authorization code flow with PKCE via Postman and got refresh_token_expires_in as 86400 seconds (24 hours).
When I used the above refresh token to acquire a new access token after 30 min, I got tokens with the refresh_token_expires_in value reduced by 30 min (1800 seconds):
POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&client_id=appId
&scope=appId offline_access openid
&refresh_token=refresh_token_value
&redirect_uri=https://jwt.ms
The value in expires_on is a unix timestamp and translates to 54 days. What could be expiring here?
The value in expires_on refers to the expiry date/time of the access token. You can confirm that by decoding that access token on the jwt.ms website and checking the exp claim, where the values will be the same. You can also click on the Claims tab, which shows the exact expiry date/time of the access token.
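As an added example (not part of either post), the following Python script works through the two points above on a constructed token response: it decodes the access token's exp claim the way jwt.ms does and checks it against expires_on, and it converts refresh_token_expires_in (seconds remaining) into an absolute instant so that two renewals 30 minutes apart resolve to the same refresh-token expiry. The sample values and the unsigned demo JWT are constructed for the example.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample values; they keep the relationship seen in the thread,
# expires_on = not_before + expires_in, and a 24 h refresh lifetime with
# 30 min already used up (answer above: 86400 -> 84600).
NOT_BEFORE = 1720104657
EXPIRES_IN = 3600
REFRESH_EXPIRES_IN = 86400 - 1800


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_dummy_jwt(claims: dict) -> str:
    """Build an UNSIGNED demo token (alg=none) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


SAMPLE_RESPONSE = {  # constructed stand-in for the B2C /token reply
    "access_token": make_dummy_jwt({"nbf": NOT_BEFORE, "exp": NOT_BEFORE + EXPIRES_IN}),
    "token_type": "Bearer",
    "not_before": NOT_BEFORE,
    "expires_in": EXPIRES_IN,
    "expires_on": NOT_BEFORE + EXPIRES_IN,
    "refresh_token": "constructed-opaque-value",
    "refresh_token_expires_in": REFRESH_EXPIRES_IN,
}


def jwt_claims_unverified(token: str) -> dict:
    """Decode the payload only, as jwt.ms does. The signature is NOT checked,
    so claims read this way are for inspection, never for authorisation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def absolute_refresh_expiry(received_at: int, refresh_token_expires_in: int) -> int:
    """refresh_token_expires_in is seconds remaining, so anchor it to the
    time the response arrived to get a fixed epoch-seconds expiry."""
    return received_at + refresh_token_expires_in


def token_expiries(resp: dict, received_at: int) -> dict:
    """Normalise the response's mixed units into epoch seconds and checks."""
    exp_claim = jwt_claims_unverified(resp["access_token"])["exp"]
    return {
        "access_expires_on": resp["expires_on"],
        "access_expires_on_utc": datetime.fromtimestamp(resp["expires_on"], timezone.utc),
        "exp_claim_matches_expires_on": exp_claim == resp["expires_on"],
        "expires_on_is_nbf_plus_expires_in": resp["not_before"] + resp["expires_in"] == resp["expires_on"],
        "refresh_expires_at": absolute_refresh_expiry(received_at, resp["refresh_token_expires_in"]),
    }
```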