azureauthenticationoauth-2.0azure-active-directoryaccess-token

Specify expiration time when requesting access token in microsoft login oauth2 v2.0


I am generating a JWT token by making a post to this URL to log in to Microsoft: https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/token I am doing some integration tests and I want to test the authentication of my API, for this I need to generate a token that lasts very little time, something like 5 minutes or less, and the defaults last 1 hour. I have not found information about this in the documentation.

I hope to be able to set an exact expiration time.


Solution

  • The minimum duration of Access Token Lifetime is 10minutes.

    To configure accessTokenLifetimePolicy , you should have atleast Microsoft Entra ID P1 license.

    Initially, I registered Microsoft Entra ID application, gave necessary API permission and granted admin consent like below:

    enter image description here

    Now, generated access token using client credential flow using below code snippet:

    GET https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token 
    client_id=<app_id>
    client_secret = <client_secret>
    grant_type = client_credentials
    scope= https://graph.microsoft.com/.default
    
    

    enter image description here

    After generating access token, I tried to configure AccesstokenLifeTimePolicy for 5 minutes using below code snippet but get error like below:

    Authorization : Bearer token
    Body : raw
    
    POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
    
    {
    
    "definition": [
    
    "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"00:05:00\"}}"
    
    ],
    
    "displayName": "New token lifetime policy for application",
    
    "isOrganizationDefault": false
    
    }
    

    enter image description here

    Using same access token, I successfully configured AccesstokenLifeTimePolicy for 10 minutes using below code snippet :

    Authorization : Bearer token
    Body : raw
    
    POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies
    
    {
    
    "definition": [
    
    "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"00:10:00\"}}"
    
    ],
    
    "displayName": "New token lifetime policy",
    
    "isOrganizationDefault": false
    
    }
    

    enter image description here

    Now, assigning tokenLifetimePolicies to application using below parameters:

    Authorization : Bearer Token
    Body: raw
    
    POST https://graph.microsoft.com/v1.0/servicePrincipals/<ServicePrincipalID/tokenLifetimePolicies/$ref
    
    {
    
    "@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/<policy-id>"
    
    }
    
    
    

    enter image description here

    So, when I generated the access token with resource API scope of assigned application, it will give the access token having 10 minutes lifetime successfully as below:

    enter image description here

    enter image description here

    Reference:

    Minimum duration token lifetimes

    Assigning token lifetime policy to app registration Microsoft Graph. - Microsoft Q&A by Fabio Andrade

    Set lifetimes for tokens - Microsoft identity platform | Microsoft Learn