Oct 28 2019, last edited on May 24 2021
My web app (SPA with backend) uses refresh tokens to access the Microsoft calendars of users when they are offline. Today it turned out that the refresh token I use in unit tests expired exactly one year after retrieving it. I searched the docs and learnt that I should ask for a new refresh token when I use the current one to obtain an access token, and that's fine.
However, I also figured out that the refresh token is revoked every time the user changes the password for their Microsoft account. And this is the real problem for me because:
1) I need to access the user's calendar when they are offline, so when an attempt to use the refresh token returns an "invalid_grant" error I can't ask the user to grant access to their calendar again, because the user is offline.
2) If the user changes their password once a month, they would have to grant access to their calendar in my app once a month too. Not really convenient for the user.
And honestly, this policy doesn't make much sense to me. The user granted my app access to their calendar, and changing their password has nothing to do with it. The user can remove their calendar from my app, or remove my app from the list of authorized apps in their Microsoft account settings.
I found the article Configurable token lifetimes in Azure Active Directory which says:
the default lifetimes of refresh tokens issued to these flows is until-revoked, cannot be changed by using policy, and will not be revoked on voluntary password resets
However, even though my app is not a public app ("Treat application as a public client" is set to "No"), refresh tokens expire after one year and on password change.
The same article also says:
After May 1, 2020 you will not be able to use Configurable Token Lifetime policy to configure session and refresh tokens.
My question: Is it possible to have refresh tokens that do not expire when the user changes the password for their Microsoft account?
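One way a backend can run the refresh flow described above and handle the "invalid_grant" case without retrying a dead token forever, as an added example that is not code from the original post. It assumes the Microsoft identity platform v2.0 token endpoint returns a rotated `refresh_token` with each refresh; the `post` parameter is a hypothetical hook so the transport can be swapped out in tests, and all token values are constructed samples.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint (common tenant).
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def _http_post(url, body):
    """POST a form body and return (status, response_text).
    Azure AD returns its JSON error document with a 400 status,
    so the body is read from HTTPError as well."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def refresh_access_token(stored, client_id, client_secret, scope, post=_http_post):
    """Exchange stored['refresh_token'] for a new access token.

    Returns a new record to persist. On success it carries the fresh access
    token and the rotated refresh token. On invalid_grant (token expired,
    revoked by a password change, or revoked by an admin) the refresh token
    is cleared and needs_reauth is set, so the app can prompt the user for
    consent the next time they are online instead of retrying offline.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": stored["refresh_token"],
        "scope": scope,
    }).encode()
    status, raw = post(TOKEN_URL, body)  # 'post' hook is an assumption for testability
    resp = json.loads(raw)
    if "error" in resp:
        if resp["error"] == "invalid_grant":
            return {**stored, "refresh_token": None, "access_token": None,
                    "needs_reauth": True, "reason": resp.get("error_description", "")}
        raise RuntimeError(f"token endpoint returned {status}: {resp['error']}")
    return {**stored,
            "access_token": resp["access_token"],
            # Persist the rotated token; the previous one must not be reused.
            "refresh_token": resp.get("refresh_token", stored["refresh_token"]),
            "needs_reauth": False}
```

The returned record replaces the stored one, so a rotated refresh token is never lost and a revoked one is never retried; the `needs_reauth` flag is what the SPA checks to re-run the consent flow when the user is back online.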