Azure Oauth - how to change token expiration time?
Solution 1
It is now possible to configure the token lifetime. You can read more here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes.
Remark: This feature is in preview and will not go to production in this way. The following header is also placed on the documentation link I mentioned above.
After hearing from customers during the preview, we're planning to replace this functionality with a new feature in Azure Active Directory Conditional Access. Once the new feature is complete, this functionality will eventually be deprecated after a notification period. If you use the Configurable Token Lifetime policy, be prepared to switch to the new Conditional Access feature once it's available.
Original answer:
Currently there is no way to change the expiration interval. These are the current expiration times.
- Access tokens last 1 hour
- Refresh tokens last for 14 days, but
- If you use a refresh token within those 14 days, you will receive a new one with a new validity window shifted forward of another 14 days. You can repeat this trick for up to 90 days of total validity, then you’ll have to reauthenticate
- Refresh tokens can be invalidated at ANY time, for reasons independent from your app (e.g. user changes password). Hence you should NOT take a dependency on the above in your code – your logic should always assume that the refresh token can fail at any time
- Refresh tokens issued for guest MSA accounts last only 12 hours
Source: http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/ and also my own experiences.
Solution 2
You have to use PowerShell to perform 2 steps as below:
- Create a new policy. This policy sets the timeout to 2 hours:
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}') -DisplayName "MyWebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
- Apply this policy to your website:
Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>
Note:
In order to get ObjectId of the ServicePrincipal, run this command: Get-AzureADServicePrincipal
To get ObjectId of the Policy, run this command: Get-AzureADPolicy
For more detail you can refer to this document: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-configurable-token-lifetimes
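The two steps above joined into one script, as an added example that is not part of the answer: it creates the scoped policy, resolves the service principal by display name instead of a pasted ObjectId, binds the policy and then reads the binding back to confirm it took effect. It assumes the AzureAD module, an authenticated session, and a hypothetical application display name "MyWebApp".

```powershell
# Added example: create a 2-hour token lifetime policy, bind it to one
# service principal and verify the binding. Assumes the AzureAD module
# and an authenticated session (Connect-AzureAD). "MyWebApp" is a
# hypothetical display name; replace it with your application's.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appName    = "MyWebApp"            # hypothetical, replace
$policyName = "MyWebPolicyScenario"

# Step 1: create the policy. IsOrganizationDefault is $false so it only
# affects the principals it is explicitly attached to, not the whole tenant.
$definition = '{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"02:00:00"}}'
$policy = New-AzureADPolicy -Definition @($definition) `
    -DisplayName $policyName -IsOrganizationDefault $false -Type "TokenLifetimePolicy"

# Step 2: resolve the service principal by display name. Fail closed if the
# name is missing or ambiguous, so the policy never lands on the wrong app.
$sp = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$appName'")
if ($sp.Count -eq 0) { throw "Service principal '$appName' not found" }
if ($sp.Count -gt 1)  { throw "Display name '$appName' is ambiguous; select by ObjectId instead" }
$sp = $sp[0]

Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Verify: the policy must now be listed on the service principal.
$bound = @(Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId)
if ($bound.Id -notcontains $policy.Id) { throw "Policy '$policyName' was not applied to '$appName'" }
"Applied '$policyName' ($($policy.Id)) to '$appName' ($($sp.ObjectId))"
```

The AzureAD module these cmdlets belong to has since been deprecated in favour of Microsoft Graph PowerShell, so check the module's current status before relying on this in automation.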
andrey
Updated on June 21, 2022
Comments
- andrey almost 2 years: We are using OAuth2 with Azure. And by default the server returns a token with an hour interval for expiration. Is there any way to change the expiration interval?
- RameshPasa about 7 years: Is the expiration interval for Access Token and Refresh Token configurable now?
- txulu about 5 years: Yes, things appear to be configurable now: docs.microsoft.com/en-us/azure/active-directory/develop/…
- txulu about 5 years: Official source: docs.microsoft.com/en-us/azure/active-directory/develop/…
- vir us almost 4 years: Can anyone tell me where I should click in the Azure dashboard to get to those settings? Can't see any references.
- Sarahrb almost 2 years: @amzdmt Is it possible to change the expiration time through the Azure portal instead of PowerShell? Thank you.