azureauthenticationoauth-2.0azure-active-directoryaccess-token

Specify expiration time when requesting access token in microsoft login oauth2 v2.0

I am generating a JWT token by making a post to this URL to log in to Microsoft: https://login.microsoftonline.com/{{TENANT_ID}}/oauth2/v2.0/token I am doing some integration tests and I want to test the authentication of my API, for this I need to generate a token that lasts very little time, something like 5 minutes or less, and the defaults last 1 hour. I have not found information about this in the documentation.

I hope to be able to set an exact expiration time.

Solution

  • The minimum duration of Access Token Lifetime is 10minutes.

    To configure accessTokenLifetimePolicy , you should have atleast Microsoft Entra ID P1 license.

    Initially, I registered Microsoft Entra ID application, gave necessary API permission and granted admin consent like below:

    enter image description here

    Now, generated access token using client credential flow using below code snippet:

    GET https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token 
client_id=<app_id>
client_secret = <client_secret>
grant_type = client_credentials
scope= https://graph.microsoft.com/.default

    enter image description here

    After generating access token, I tried to configure AccesstokenLifeTimePolicy for 5 minutes using below code snippet but get error like below:

    Authorization : Bearer token
Body : raw

POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies

{

"definition": [

"{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"00:05:00\"}}"

],

"displayName": "New token lifetime policy for application",

"isOrganizationDefault": false

}

    enter image description here

    Using same access token, I successfully configured AccesstokenLifeTimePolicy for 10 minutes using below code snippet :

    Authorization : Bearer token
Body : raw

POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies

{

"definition": [

"{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"00:10:00\"}}"

],

"displayName": "New token lifetime policy",

"isOrganizationDefault": false

}

    enter image description here

    Now, assigning tokenLifetimePolicies to application using below parameters:

    Authorization : Bearer Token
Body: raw

POST https://graph.microsoft.com/v1.0/servicePrincipals/<ServicePrincipalID/tokenLifetimePolicies/$ref

{

"@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/<policy-id>"

}

    enter image description here

    So, when I generated the access token with resource API scope of assigned application, it will give the access token having 10 minutes lifetime successfully as below:

    enter image description here

    enter image description here

    Reference:

    Minimum duration token lifetimes

    Assigning token lifetime policy to app registration Microsoft Graph. - Microsoft Q&A by Fabio Andrade

    Set lifetimes for tokens - Microsoft identity platform | Microsoft Learn