Forum Discussion
AzureAD RefreshToken Lifetime fixed instead of Expiration sliding window
When requesting an access_token for an app on AzureAD, you get an AccessToken as well as a RefreshToken. The refresh token has a specific lifetime (expiration) of 8 hours, configured via Conditional Access Policy. Now, within these 8 hours you can try to renew the access token, which will expire, if default settings are used, in 1 hour. Then the new refresh token will again be valid for 8 hours. And if the refresh token is always used within these 8 hours, the access will be there forever, from my view. I see no limiting factor here, such as a fixed expiration, even if the refresh token is used very frequently, for example.
The docs don't really describe this use case. Happy to get any hint and support on this.
Thanks a lot.
1 Reply
There are some limitations on this:
- Maximum Lifetime: The maximum lifetime for a refresh token is 14 days. After this period, the user will need to re-authenticate to obtain a new refresh token.
- Minimum Lifetime: The minimum lifetime for a refresh token is 24 hours. This means that even if the refresh token is used frequently, it cannot be renewed more often than every 24 hours.
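Added illustration, not code from either poster and not an Azure AD API: a small model of the two limits the thread is about, a sliding inactivity window that restarts on every refresh (the 8 hours from the question) and an absolute lifetime counted from the original sign-in that no refresh can extend (the 14 days from the reply). The numbers are taken from the thread as assumptions; the simulation shows that a sliding window alone never bounds a continuously refreshed session, while an absolute cap does.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class RefreshTokenPolicy:
    """Constructed model, not Azure AD's real implementation: a sliding inactivity
    window that restarts on each use, plus an optional absolute lifetime measured
    from the original interactive sign-in that a refresh cannot extend."""
    sliding_window: int                 # seconds; 8 h in the question above
    max_lifetime: Optional[int] = None  # seconds; None models "no fixed cap"


@dataclass
class RefreshToken:
    issued_at: int  # time of the original interactive sign-in
    last_used: int  # time of the most recent successful refresh

    def is_valid(self, now: int, policy: RefreshTokenPolicy) -> bool:
        within_window = now - self.last_used < policy.sliding_window
        within_max = (policy.max_lifetime is None
                      or now - self.issued_at < policy.max_lifetime)
        return within_window and within_max


def simulate(policy: RefreshTokenPolicy, refresh_every: int, horizon: int) -> Optional[int]:
    """A client refreshes every `refresh_every` seconds. Returns the time (seconds
    after sign-in) at which re-authentication is first required, or None if the
    session survives the whole horizon without ever being forced to sign in again."""
    token = RefreshToken(issued_at=0, last_used=0)
    now = 0
    while now + refresh_every <= horizon:
        now += refresh_every
        if not token.is_valid(now, policy):
            return now
        token.last_used = now  # the sliding window restarts; issued_at does not


# Sliding window only: hourly refresh (access-token lifetime) keeps the session alive
# indefinitely, which is exactly the concern raised in the question.
SLIDING_ONLY = simulate(RefreshTokenPolicy(8 * HOUR), refresh_every=1 * HOUR, horizon=30 * DAY)
# Same client, but with the 14-day absolute cap from the reply: forced re-auth on day 14.
WITH_CAP = simulate(RefreshTokenPolicy(8 * HOUR, 14 * DAY), refresh_every=1 * HOUR, horizon=30 * DAY)
# A client idle for 9 hours misses the 8-hour window and must re-authenticate.
IDLE_TOO_LONG = simulate(RefreshTokenPolicy(8 * HOUR, 14 * DAY), refresh_every=9 * HOUR, horizon=30 * DAY)
```

When reviewing sign-in logs, the absolute cap is the only one of the two limits that guarantees a periodic interactive sign-in for an always-active client.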