Refreshing tokens before they expire

[scsloan]

I work for a food manufacturing company who is currently looking to move all authentication and authorization for their web based software to AzureAD. We are single tenant and all our software is hosted in house and so we would start by using AzureAD for just SSO. One of the items I am looking into is "In the event of an internet outage or azure outage, how can we minimize downtime of the software." To help solve this, I have, through azure policy, adjusted the lifetime of our access token to their maximum as the threat of token leakage is small since everything is in house.

Even though our access tokens have a long lifetime, I want to be able to refresh the access token at a more frequent interval. Say for example, every 4 hours they get a new token that is good for another 24. Reason being is shift work.

Looking for guidance here and a little bit of direction. Thanks in advance.

[jmprieur]

If you extended the token lifetime (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes), MSAL.NET (used by Microsoft.Identity.Web) will proactively refresh the token as explained in Pro-Active Token renewal.

This happens based on Azure AD's guidance which emits an optimized date for refresh (the refresh-in).

@scsloan : does it work for you, or do you need more control?

[scsloan]

@jmprieur This is great and it gets us most of the way there. The only additional control I would like to see is that we could override the "optimized date" with a more specific timespan based on business requirements. If this is currently available any documentation or code sample on setting this would be most helpful.

[jmprieur]

you could also force the renewal of the token when you wish by:

• adding a timer (the period you want)
• and re-requests a token for the scope you want

  • for instance if you use IDownstreamWebApi.CallWebApiForUserAsync, you could override the ForceRefresh property of the TokenAcquisitionOptions as shown here:

    microsoft-identity-web/tests/IntegrationTests/IntegrationTestService/Controllers/WeatherForecastController.cs

    Line 79 in d39e578

    options.TokenAcquisitionOptions.ForceRefresh = true;

  • or, if you use ITokenAcquisition.GetTokenForUser, method, you can, in the same way override the options

Note that, is you are using client credentials (daemon scenarios), there is no refresh token, so doing it on IDownstreamWebApi.CallWebApiForAppAsync / ITokenAcquisition.GetTokenForUser won't be useful.