OAuth refresh token and how to refresh that?

  • Question

  • Hi

    I'm trying to implement a mobile app using OAuth in ADFS 3.0.

    Everything is working except that the user must reauthenticate every 8 hours.

    I know this is determined by the SsoLifetime in ADFS, which defines the OAuth refresh token lifetime.

    My understanding is that if the application is used within the lifetime of the refresh token, users should not have to reauthenticate.

    However, the only way I can see this happening is that the refresh token is also renewed at the same time a new access token is requested, if the account which the refresh token represents is unchanged?

    Is this correct?

    /Johan

    Wednesday, February 28, 2018 8:45 AM

All replies

  • Wednesday, February 28, 2018 5:44 PM
    Moderator
  • Great, then I wasn’t totally lost. 😊

    The two websites referenced are very good

    Parameters are set according to those.

    However, when I troubleshoot this I can’t see that I get an updated refresh token, I only see a new access token.

    Does anyone know if this is possible to accomplish using Microsoft ADFS 3.0 or 4.0?

    I find it very hard to find good documentation/examples on OAuth in ADFS.

    • Edited by HSTD76 Thursday, March 1, 2018 9:11 AM
    Thursday, March 1, 2018 8:17 AM
  • The thing is that you don't need a new refresh token. All you care about is getting a new access token so you can continue to access API.

    The refresh token plays no part in authentication.

    So as long as the refresh token is valid, there is no point in sending a new one.

    As long as you keep getting access tokens, you are good to go.

    Thursday, March 1, 2018 6:21 PM
    Moderator
  • I have to disagree on that one.

    I’ll give an example and the usage hours are just an illustration.

    By default refresh token is valid for 8h.

    If a user uses a mobile app every fifteen minutes during 12h he/she will still be logged off after approximately 9h even though the app is frequently used.

    This can’t be the way things are supposed to function? If a user uses the app within 8h, he/she should get 8 new hours when refreshing the access token?

    Friday, March 2, 2018 7:55 AM
  • Access token is valid for 1 hour.

    Refresh token is valid for 8 hours.

    Access token about to expire after 1 hour - send refresh token - get new access token.

    Repeat for next 7 hours.

    Access token and refresh token about to expire - send refresh token - get new access token and new refresh token.

    Rinse and repeat.

    Friday, March 2, 2018 8:11 AM
    Moderator
  • OK, that sounds interesting!

    Thank you nzpcmad1 for your patience.

    I’m still not convinced about the flow though.

    I see a problem when a user authenticates, is idle for 6h, uses the app, then is idle for 2h and tries to use it again, then he/she will have to authenticate again?

    What is the “time window” for “about to expire”? Is it configurable?

    Friday, March 2, 2018 10:52 AM
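    To make the two positions in this thread concrete, here is an added simulation (not code from the thread, not AD FS code) of the flow nzpcmad1 describes: a 1-hour access token, an 8-hour refresh token, a client that refreshes shortly before the access token expires, and a token endpoint that either does or does not hand back a new refresh token on each refresh. It replays both usage patterns discussed above (use every fifteen minutes for 12h; sign in, idle 6h, use, idle 2h, use) and counts interactive sign-ins. The lifetimes, the "about to expire" window (`REFRESH_WINDOW`), the `FakeTokenEndpoint` and the `rotate_refresh_tokens` switch are all assumptions made for the illustration; whether a given AD FS version rotates refresh tokens is exactly the open question in the thread, and only the server's actual token response settles it.

```python
"""Simulated OAuth 2.0 access/refresh token handling (added example, not AD FS code).

Models the flow described in the thread: access token valid for 1 hour, refresh
token valid for 8 hours, refresh when the access token is about to expire, and
adopt a new refresh token whenever the token endpoint returns one. Lifetimes,
the refresh window and the fake endpoint are assumptions for illustration.
"""
import secrets

ACCESS_LIFETIME = 3600        # assumption: 1 hour, as stated in the thread
REFRESH_LIFETIME = 8 * 3600   # assumption: 8 hours (the SsoLifetime figure)
REFRESH_WINDOW = 300          # assumption: refresh 5 minutes before expiry


class Clock:
    """Manually advanced clock so the simulation runs instantly and offline."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth token endpoint (hypothetical, not AD FS)."""

    def __init__(self, rotate_refresh_tokens, clock):
        self.rotate = rotate_refresh_tokens
        self.clock = clock
        self.refresh_tokens = {}   # refresh token -> absolute expiry time

    def authorize(self):
        """Interactive sign-in: always yields a fresh access + refresh token pair."""
        return self._issue(new_refresh=True)

    def refresh(self, refresh_token):
        """grant_type=refresh_token; returns None if the token is unknown or expired."""
        expiry = self.refresh_tokens.get(refresh_token)
        if expiry is None or self.clock() >= expiry:
            self.refresh_tokens.pop(refresh_token, None)
            return None
        if self.rotate:
            del self.refresh_tokens[refresh_token]   # old token is single-use
            return self._issue(new_refresh=True)
        return self._issue(new_refresh=False)

    def _issue(self, new_refresh):
        resp = {"access_token": secrets.token_urlsafe(16), "expires_in": ACCESS_LIFETIME}
        if new_refresh:
            token = secrets.token_urlsafe(16)
            self.refresh_tokens[token] = self.clock() + REFRESH_LIFETIME
            resp["refresh_token"] = token
        return resp


class TokenManager:
    """Client-side token store: refreshes early, adopts a rotated refresh token
    when one is returned, and falls back to interactive sign-in only when the
    refresh token has expired or been rejected."""

    def __init__(self, endpoint, clock):
        self.endpoint = endpoint
        self.clock = clock
        self.access_token = None
        self.access_expiry = 0
        self.refresh_token = None
        self.interactive_logins = 0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.access_expiry = self.clock() + resp["expires_in"]
        if "refresh_token" in resp:          # replace only if the server issued a new one
            self.refresh_token = resp["refresh_token"]

    def get_access_token(self):
        if self.access_token and self.clock() < self.access_expiry - REFRESH_WINDOW:
            return self.access_token
        resp = self.endpoint.refresh(self.refresh_token) if self.refresh_token else None
        if resp is None:                     # refresh token gone: user must sign in again
            resp = self.endpoint.authorize()
            self.interactive_logins += 1
        self._store(resp)
        return self.access_token


def simulate(usage_times, rotate_refresh_tokens):
    """Replay app usage at the given offsets (seconds) and return the number of
    interactive sign-ins the user had to perform."""
    clock = Clock()
    mgr = TokenManager(FakeTokenEndpoint(rotate_refresh_tokens, clock), clock)
    for t in usage_times:
        clock.now = t
        mgr.get_access_token()
    return mgr.interactive_logins


def every_15_minutes_for_12h():
    return list(range(0, 12 * 3600 + 1, 900))


def idle_scenario():
    return [0, 6 * 3600, 8 * 3600]   # sign in, idle 6h, use, idle 2h, use


if __name__ == "__main__":
    for name, pattern in (("15-min use for 12h", every_15_minutes_for_12h()),
                          ("idle 6h then 2h", idle_scenario())):
        print(name, "rotating:", simulate(pattern, True),
              "non-rotating:", simulate(pattern, False))
```

    With a rotating endpoint both patterns need a single sign-in, because every refresh pushes the refresh token's expiry out by another 8 hours; with a non-rotating endpoint both patterns hit a second sign-in at the 8-hour mark, which is the behaviour HSTD76 reports. The practical check is therefore the token response itself: if the refresh call never carries a `refresh_token` member, the server is not rotating and the session ceiling is the original refresh token lifetime.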
  • When the refresh token expires you have to re-authenticate.

    It's exactly the same as when a cookie expires.

    Yes - it is configurable - see the links I referenced.

    Sunday, March 4, 2018 6:48 PM
    Moderator
    Of course I’ll have to authenticate if the RT is expired, but you’re mentioning something that you call “about to expire”.

    The only two values I can find on those links are TokenLifetime and SsoLifetime.

    How is “about to expire” determined?

    I’m looking for a way to refresh the RT without having to reauthenticate. Can MS AD FS 3.0 do this?

    Monday, March 5, 2018 8:34 AM
    Is it the same for Outlook ADAL-enabled clients? If Outlook auth is completed, after how many days will it prompt for the password again? Does it use the same value as the refresh token?

    Wednesday, April 18, 2018 11:13 AM
  • Never used Outlook with ADAL but I guess the values are the same as documented above.

    So you will be prompted after 8 hours.

    Wednesday, April 18, 2018 7:09 PM
    Moderator