I am not able to redeem new tokens(access and refresh) using refresh token received against different policy token end point.
Received refresh token A from
https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signup.
Redeem token A against same endpoint(policy b2c_1a_signup) is working.
But If i redeem against different policy endpoint https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signin. is not working. (Policy b2c_1a_signin).
Our app is using totally 4 policies and it will get access and refresh token from all policies.
It is difficult store and map the refresh token against the policy.
Please help me find a way to redeem always against one token end point irrespective of token end point used to get token initially.
It isn't allowed to exchange a refresh token, which was issued for one policy, for an access token, which is to be issued for another policy.
You will have to save the policy identifier with the refresh token so that you can exchange this refresh token with that policy identifier.
Related
I have a single-sign-on scenario with Microsoft Teams. See full description in the documentation: https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso
I am getting an access token by "trading" the "teams" token for an access token.
My question is, how do I refresh this access token? In single-sign-on scenario the "refrehs_token" is not returned (?), so normal OAuth2 refresh flow does not seem to be possible.
Imagine I traded it once, and got the access token that expires in say 2 hours. I use it to access graph API (or whatever), and then the token expires.
What should I do to get a new access token? Can I just ask Teams for a fresh "teams" token and trade it again in case the old one expired? Teams App takes care of refreshing its own tokens, right? When should I do this (when I get "access denied", or just if I see that the token has expired?
Looks like I found the reason - you must pass offline_access as scope request then you get back the refresh_token. That was my issue actually, and it is documented, I just did not read carefully:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
refresh_token The refresh token for the requested access token. The calling service can use this token to request another access token after the current access token expires. The refresh token is only provided if the offline_access scope was requested.
My team is working on implementing or rather configuring B2C login for our client's mobile app. We got the configuration setup to a point where the user can login to the app once and the token gets cached in MSAL. And next time onwards, the user is able to directly login without entering his/her credentials. We are following the pattern as described here
Our code first tries to retrieve the token using AcquireTokenSilent and if the token is not present in the MSAL cache, then we retrieve it using AcquireTokenInteractive.
I was trying to understand how the ID and Access tokens are refreshed and found on MS docs here about tokens which says
Refresh tokens are used to acquire new ID tokens and access tokens in
an OAuth 2.0 flow. They provide your application with long-term access to resources on behalf of users without requiring interaction with those users...
This also mentioned that when we redeem the refresh token to get new ID and Access tokens, we also get a new refresh token that replaces the previous refresh token.
Now I tried logging out and log back into my mobile app after 1 hour or more and I was still able to login. When I inspected the claims, the ID and Access token expiry was refreshed to next 1 hour of login.
My question here is:
Since ID token and Access tokens have default expiry to 1 hr, then how is it that even though I was logged out for more than an hour, my token refreshed and I was able to login without entering user credentials.
If this is because refresh token automatically refreshes the ID and Access tokens when they approach their expiry, then does this process go on till the refresh token expires itself.
The MS docs also mentioned that when the ID and Access tokens are regenerated after their expiry, we also get a new refresh token. If this is the case then the refresh token would never expire since the new token will always have new expiry.
Is there a way to control the refresh token so that we can control when to refresh the ID and Access tokens.
I am sorry if I missed anything but I am a little confused on how the refresh token works and is there a way to control when to refresh the tokens and when not.
Thanks in advance.
Yes, the refresh token is used to get the new id token and access token, even the id token and access token were expired, as long as the refresh token does not expire, it could use the refresh token to get new id token and access token, meanwhile, a new refresh token will be generated, if you want to configure the token lifetime, you could do that in the portal.
Reference - https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow
I am trying to acquire token by aquiretokensilent after login and then have to do authorization in multiple modules.As documentation of MSAL-browser acquiretokensilent will automatically take care of refresh token.In network tab also i am able to see refresh token.But how to use it, does it automatically replace access token or do i need to do something extra and how i can see that refresh token in the console converting to access token after expiry of access token.I have read lot of documents but not got clearity how to use it.
A refresh token is used for renewing an access token or request access tokens with other scopes.
This official doc indicated that how a refresh token renews/requests a new access token and a new refresh token at the base layer.
And yes, you should call aquiretokensilent before API call, if the access token exists and it is not expired, this function will reply the access token to you from local cache directly, if not, it will request a new access token by refresh token from Azure AD.
For details, see this doc.
We are using IdentityServer4 and have an issue on using refresh token.
Here is my client configs:
Grant Types:
client_credentials
hybrid
Access token lifetime:
60
Identity token lifetime:
900
Absolute refresh token lifetime:
240
Sliding refresh token lifetime:
60
Refresh token usage:
OneTimeOnly
Refresh token expiration:
Absolute
I am checking access token life time and when it is about to be expired I use refresh token to get new access token. After 240 second the access token life time does not extension and my client goes to Identity Server and it issues new set of tokens for my client.
I want my user enter username/password after expiration the refresh token buy Identity Server issue new tokens instead of asking credential.
Any Idea?
If I'm understanding correctly you want to force the user to interactively authenticate from your client? If so the max_age=n or prompt=login authorize endpoint parameters can be used to trigger that flow and then you can validate the auth_time claim within your client to ensure it's recent enough.
Currently this is happening without prompting because the user still has a valid IDP session via the authentication cookie. I'd recommend using the above method over and above setting the IDP session to be aligned with your client application session lifetime.
I am generating the JWT token for a user when he logs in with correct credentials at Server side.Previously,I was storing the token in database and for every request I am getting the token from database which leads to bad practice(If i am not wrong).At client side(In my controller),i can store that token in $rootscope so that i can send that token with each and every request.I am unable to find where should i store my JWT token to access at server side for every request??
Some one,suggested me to use Redis to store JWT token.
If i use Redis,can i set maxAge for my token which deletes the token when user is idle for certain time??
Can any one please provide me the suggestions for my procedure?If it is wrong,Suggest me with a right approach!
Note:I am new to NodeJS/Express and AngularjS
JWT's have an exp claim. Set it to the time to which you want the tokens to be valid and have a check in the route if the token has expired.
If it has, send a 401. Else let the route handle the request.
The simplest way:
Add 'validDate' field to token payload when you issue new token for logged user, then check this field when processing the request. If date is expired just return 401 error