keithfable
Brass Contributor
Oct 18, 2022

24h refresh token lifetime for single page applications

Hi,

I have a question about the 24-hour refresh token expiry for Teams apps that are SPAs. It seems like this restriction means that after 24 hours, the silent/background token fetch fails and my app needs to prompt the user for interactive authentication again. Prompting for authentication every 24 hours is obviously a very negative experience for most users.

The https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens page reads:

Apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users don't have to enter their credentials and usually don't even see any related user experience, just a reload of your application.

In my application, we try to silently request an access token every time the tab loads, and if it fails with UiRequiredError, we show a login button which the user must click to re-authenticate interactively (concerns around pop-up blockers prevent us from simply calling teamsFx.login() automatically on tab load). I have not experienced "just a reload of our application" solving the issue.

Have others found solutions to this issue? Does it mean moving away from SPA and finding a way to do a web/server based auth flow?

Thanks!
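The tab-load flow described in the post (silent request first, login button only on a UI-required failure, never an automatic login() call), written out as an added example that is not from the original post or the TeamsFx SDK. It assumes a credential object shaped like TeamsUserCredential (getToken(scopes) and login(scopes)) and that a UI-required failure carries code "UiRequiredError"; the stub credential simulating the 24-hour refresh token lifetime is constructed for the example.

```javascript
// Added example (not from the original post or the TeamsFx SDK): silent token
// acquisition on tab load with an explicit "login required" fallback.
// Assumptions: the credential exposes getToken(scopes) and login(scopes) like
// TeamsUserCredential in @microsoft/teamsfx, and a UI-required failure is an
// error whose .code is "UiRequiredError". The stub credential is constructed.
const UI_REQUIRED = "UiRequiredError";
const REFRESH_TOKEN_MAX_AGE_MS = 24 * 60 * 60 * 1000; // the 24h SPA limit

// Decide what the tab should do after a failed silent request. Only a
// UI-required error means "show the login button"; anything else (network,
// misconfiguration) is a real fault that must surface to logging, not a prompt.
function classifyTokenError(err) {
  return err && err.code === UI_REQUIRED ? "loginRequired" : "fatal";
}

// Run on tab load: try silently and never call login() automatically, since a
// popup opened without a user gesture is what pop-up blockers stop.
async function acquireTokenOnLoad(credential, scopes) {
  try {
    const result = await credential.getToken(scopes);
    return { status: "ok", token: result.token };
  } catch (err) {
    if (classifyTokenError(err) === "loginRequired") {
      return { status: "loginRequired" };
    }
    throw err;
  }
}

// Run from the login button's click handler (a user gesture), then retry.
async function loginAndRetry(credential, scopes) {
  await credential.login(scopes);
  return acquireTokenOnLoad(credential, scopes);
}

// Constructed stub of an SPA credential: tracks the refresh token's age and
// fails silent requests once the 24h lifetime has passed, until login() runs.
class StubTeamsCredential {
  constructor(now) { this.now = now; this.issuedAt = now(); }
  async getToken(scopes) {
    if (this.now() - this.issuedAt >= REFRESH_TOKEN_MAX_AGE_MS) {
      const e = new Error("Silent token acquisition requires interaction");
      e.code = UI_REQUIRED;
      throw e;
    }
    return { token: `access-token-for:${scopes.join(" ")}`, expiresOnTimestamp: this.now() + 3600000 };
  }
  async login() { this.issuedAt = this.now(); } // interactive flow issues a new refresh token
}
```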
