Skip to content

Shorter refreshToken lifetimes for improved security #8561

Description

@devinrhode2

Core Library

MSAL.js (@azure/msal-browser)

Wrapper Library

MSAL React (@azure/msal-react)

Public or Confidential Client?

Public

Documentation Location

https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/token-lifetimes.md#token-lifetimes-and-expiration

Description

Calling acquireTokenSilent with forceRefresh: true and refreshTokenExpirationOffsetSeconds set to 15 minutes results in exp set to 2.5 hrs, but I would have expected this to be 15 minutes.

I see accessTokens can be configured down to 10 minutes:
https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes#access-id-and-saml2-token-lifetime-policy-properties

But here, I read that, if you have a refreshToken, you essentially have an accessToken: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/token-lifetimes.md#refresh-tokens

(I am therefore unsure what purpose a refreshToken serves in terms of security. Under what circumstances can a non-expired refreshToken not be used to get an accessToken? I suppose an accessToken could be stolen by an actor inspecting http headers, and that actor doesnt necessarily have a refreshToken, and further, if everything goes right, even if that actor got the refreshToken, they can't simply redeem that refreshToken for a new accessToken... because they are missing some values from session/localStorage, which only the client has..... Is this correct?)

My goal is to figure out how to set an idle time of, say, 30 minutes, where a client's tokens will no longer be valid, and interaction would be required to resume session. To keep a session active without bothering the user too much, we would call acquireTokenSilent with forceRefresh: true when a user goes idle, and 5 minutes before the expiration time. To get new tokens our js would need to validate the microsoft session is still active. If a user independently logged out of Microsoft, they would have to log back in to get new tokens.

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationRelated to documentation.msal-browserRelated to msal-browser packagemsal-reactRelated to @azure/msal-reactpublic-clientIssues regarding PublicClientApplicationsquestionCustomer is asking for a clarification, use case or information.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions