I have a question regarding SSO Token Expiration - Microsoft Q&A (2024)

We have a request to find out what the SSO token expiration is for our integrated apps. We don't use conditional access policies, so the setting must be the default of our tenant. For example, if we have a user use SSO to authorize to an app (Zoom, let's say) and he works throughout the day and signs off at the end of his shift, when can he expect to sign on again? I work myself and I notice I don't have to sign on until there's a change in my password, or I'm out for a long weekend or something. Is there a place where someone can point me to find what the threshold is for when someone has to sign on again to an application such as Zoom or Slack?

    FAQs

    I have a question regarding SSO Token Expiration - Microsoft Q&A? ›

    By default, the lifetime of tokens issued by the Microsoft identity platform (such as access tokens, SAML tokens, or ID tokens) is 60 minutes. The minimum token lifetime is 5 minutes, and the maximum is 1,440 minutes (24 hours).

    What is the best practice for refresh token expiration? ›

    Best practice

    Set the expiration time for refresh tokens in such a way that it is valid for a little longer period than the access tokens. For example, if you set 30 minutes for access token then set (at least) 24 hours for the refresh token.

    How to change Azure token expiration time? ›

    You can configure token lifetimes in the Azure portal. Go to the Azure portal. In "Azure Active Directory" > "Security" > "Authentication methods" > "Authentication methods blade" > "Token Lifetime Policies", you can configure the lifetime of access tokens, refresh tokens, and ID tokens.

    How to check refresh token expiry? ›

    Unfortunately, there is no option to find the expiration time for the refresh token, because it depends on the authorization server and the type of client application, and it is not communicated to the client. In the Microsoft identity platform, the default lifetime for refresh tokens is 90 days.

    What is the default expiration time for refresh tokens? ›

    Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use.

    What happens when a refresh token expires? ›

    The member must reauthorize your application when refresh tokens expire. When you use a refresh token to generate a new access token, the lifespan or Time To Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow (365 days), and the new access token has a new TTL of 60 days.

    How does token expiration work? ›

    When a token has expired or has been revoked, it can no longer be used to authenticate Git and API requests. It is not possible to restore an expired or revoked token, you or the application will need to create a new token.

    How to increase access token expiration time? ›

    Update Access Token Lifetime
    1. Go to Dashboard > Applications > APIs and select the name of the API to view.
    2. Locate the Token Expiration field under Token Settings.
    3. Enter the desired lifetime (in seconds) for access tokens issued for this API. Default value is 86,400 seconds (24 hours). ...
    4. Select Save Changes.

    How do I fix an expired token? ›

    This usually happens when a user session lasts longer than the token's lifespan. To resolve this issue, you can either refresh the token manually or set up an automatic token refresh in your application. Another solution is to increase the token's lifespan, but this could potentially compromise security.

    Does Microsoft Refresh token expire? ›

    The lifetime of a refresh token is set to 90 days by default and cannot be reduced or lengthened. However, you can configure the sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again.

    What is the secret expiration in Azure? ›

    The client secret expiration date can only be set to a maximum of 24 months. We cannot set a client secret that will never expire, for security reasons. Unfortunately, Azure currently does not natively provide a way to send notifications about expired client secrets. An expired secret can cause a lot of damage to business processes.

    How do you calculate token expiration time? ›

    To verify that your expiration time is correct, you can look at the exp and iat claim of your access token. Then you can perform the following calculation: Token expiration (in seconds) = exp (Expiration time in seconds) - iat (Issued at in seconds)
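The calculation above as an added Python example (not code from the original page): it decodes the payload of a compact JWT, computes `exp - iat`, and compares the result with the 5-minute and 24-hour bounds quoted on this page. The function names and the sample token are constructed for illustration, and the claims are read without signature verification, so this is for inspection only.

```python
import base64
import json

# Configurable lifetime bounds quoted on this page, in seconds.
MIN_LIFETIME_S = 300      # 5 minutes
MAX_LIFETIME_S = 86_400   # 24 hours


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_lifetime(jwt: str, now: int) -> dict:
    """Read exp/iat from a JWT payload WITHOUT verifying the signature.

    Inspection only: never base an authorization decision on unverified claims.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), (int, float)):
            raise ValueError(f"missing or non-numeric {name!r} claim")
    lifetime = claims["exp"] - claims["iat"]
    return {
        "lifetime_s": lifetime,
        "remaining_s": max(claims["exp"] - now, 0),
        "expired": now >= claims["exp"],
        "within_bounds": MIN_LIFETIME_S <= lifetime <= MAX_LIFETIME_S,
    }


def make_sample(iat: int, exp: int) -> str:
    # Constructed demo token; the third segment is a dummy, not a signature.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iat": iat, "exp": exp}).encode())
    return f"{header}.{payload}.c2ln"


if __name__ == "__main__":
    print(token_lifetime(make_sample(1_700_000_000, 1_700_003_600), now=1_700_001_000))
```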

    How do I update my refresh token? ›

    To refresh your access token and an ID token, you send a token request with a grant_type of refresh_token . Be sure to include the openid scope when you want to refresh the ID token. If the refresh token is valid, then you get back a new access token, a new ID token, and the refresh token.

    What is the difference between access token and refresh token? ›

    Refresh tokens extend the lifespan of an access token. Typically, they're issued alongside access tokens, allowing additional access tokens to be granted when the live access token expires. They're usually stored securely on the authorization server itself.

    What is the best practice for refresh token expiration time? ›

    Thought and suggestions
    • Security best practices suggest keeping the expiry period of access_token and refresh_token the same and rotating refresh tokens along with access_tokens. ...
    • For APIs which are not very security sensitive, it may be OK to have refresh_tokens with larger expiration time like 12 hours or 24 hours.
    Aug 3, 2022

    What is the default access token expiration time in Azure? ›

    token_lifetime_secs - Access token lifetimes (seconds). The default is 3,600 (1 hour). The minimum is 300 (5 minutes). The maximum is 86,400 (24 hours).

    How long does Microsoft token last? ›

    When issued, an access token's default lifetime is assigned a random value ranging between 60-90 minutes (75 minutes on average). The default lifetime also varies depending on the client application requesting the token or if Conditional Access is enabled in the tenant.

    How to validate a refresh token? ›

    A refresh token is opaque; you cannot validate it yourself. The general pattern for validating a refresh token is to use it to refresh the JWT, and if the refresh attempt fails, that indicates the refresh token is no longer valid.
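The refresh request and the "try it and see" validation described in the two answers above, as an added Python example (not code from the original page or from any vendor SDK). The endpoint URL, client ID, function names, and sample responses are constructed placeholders; `grant_type=refresh_token` and the `invalid_grant` error are standard OAuth 2.0 (RFC 6749).

```python
import json
from urllib.parse import urlencode

# Placeholder endpoint (assumption); substitute your authorization server's.
TOKEN_ENDPOINT = "https://auth.example.invalid/oauth2/token"


def build_refresh_request(client_id: str, refresh_token: str, scopes: list) -> dict:
    """Form-encoded request for the refresh_token grant (RFC 6749, section 6)."""
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),   # include openid to refresh the ID token
    })
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def handle_refresh_response(status: int, raw: str, current_rt: str) -> dict:
    """Decide what the client does with the token endpoint's reply."""
    data = json.loads(raw)
    if status == 200 and "access_token" in data:
        return {
            "action": "continue",
            "access_token": data["access_token"],
            # Rotation: if a new refresh token came back, the old one is spent.
            "refresh_token": data.get("refresh_token", current_rt),
            "expires_in": data.get("expires_in"),
        }
    if data.get("error") == "invalid_grant":
        # Expired, revoked or already-used refresh token: drop it and
        # send the user through interactive sign-in again.
        return {"action": "reauthenticate", "refresh_token": None}
    return {"action": "retry_or_report", "error": data.get("error")}


# Constructed sample replies from a token endpoint.
SAMPLE_OK = '{"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}'
SAMPLE_EXPIRED = '{"error": "invalid_grant", "error_description": "token expired"}'

if __name__ == "__main__":
    print(build_refresh_request("client-123", "rt-1", ["openid", "offline_access"]))
    print(handle_refresh_response(200, SAMPLE_OK, "rt-1"))
    print(handle_refresh_response(400, SAMPLE_EXPIRED, "rt-1"))
```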

    How often should I use a refresh token? ›

    These tokens are generally short-lived, i.e., valid only for a short amount of time (say 5-15 minutes). This is plenty for you to perform a particular task requiring validation but makes it harder for individuals with malicious intent to get their hands on confidential resources.

    Do we really need refresh token? ›

    The main purpose of using a refresh token is to considerably shorten the life of an access token. The refresh token can then later be used to authenticate the user as and when required by the application without running into problems such as cookies being blocked, etc.

    What is the best practice for JWT expiry time? ›

    JWTs are self-contained, by-value tokens and it is very hard to revoke them, once issued and delivered to the recipient. Because of that, you should use as short an expiration time for your tokens as possible — minutes or hours at maximum. You should avoid giving your tokens expiration times in days or months.

    What is the max inactive time for refresh token? ›

    The refresh token max inactive time is 90 days. If the user session continues, it is renewed without impacting the session, but not when session controls are applied.

    What is refresh token rotation strategy? ›

    Refresh token rotation is the practice of updating an access_token on behalf of the user, without requiring interaction (e.g. re-sign in). access_tokens are usually issued for a limited time. After they expire, the service verifying them will ignore the value.

    What is a good access token lifetime? ›

    By default, an access token for a custom API is valid for 86400 seconds (24 hours). We recommend that you set the validity period of your token based on the security requirements of your API. For example, an access token that accesses a banking API should expire more quickly than one that accesses a to-do API.

    Article information

    Author: The Hon. Margery Christiansen
