Microsoft-graph-docs: Refresh Token Expiration

Created on 2 Feb 2016 · 10 Comments · Source: microsoftgraph/microsoft-graph-docs

By the looks of it, the response from the authorization server does not include an expiration date/time for the refresh token.

The response contains (among others):

{
   expires_in: 3599,
   expires_on: 1454409471,
   not_before: 1454405571
}

These are the expiration times for the access token.

The access_token and id_token properties are JSON Web Tokens, and contain the same expiration times in their iat, nbf and exp properties.

So what about the refresh token? How long does this live?


The documentation states that the following will be an expected response:

{
    "token_type":"Bearer",
    "expires_in":"3599",
    "expires_on":"1426551729",
    "not_before":"1426547829",
    "resource":"https://graph.microsoft.com/",
    "access_token":"eyJ0eXAiOiJKV1QiLCJhb...",
    "refresh_token":"AAABAAAAvPM1KaPlrEqd...",
    "refresh_token_expires_in":"1209600",
    "scope": "Calendar.ReadWrite Directory.Read.All Files.ReadWrite Group.ReadWrite.All Mail.ReadWrite Mail.Send User.ReadBasic.All",
    "id_token":"eyJ0eXAiOiJKV1QiLCJhbGci..."
}

The property refresh_token_expires_in is not available in the actual response.

Most helpful comment

Trying to figure out refresh token expiry is an exercise in frustration :) I have been on this journey for a couple of years without success.

In the past 6-8 months we have moved our primary app ids to use client credential flow (app-only) to avoid refresh tokens. There are downsides of this approach however such as no app model v2 support, no dynamic consent and admin only consent ... so be aware of those.

Trying to figure out when refresh tokens expire is like running around in the dark with a sword. Sooner or later you will stab yourself :)

All 10 comments

Any update on this, @martellaj @dkershaw10?

I assume their intent is to remove mention of this property based on the document changes a Microsoft employee did last night. They still missed the paragraph that mentions the property. I would ask them: if their intent is to remove this information, then how are we supposed to know when this token is expired?
At least they could explain what the behavior is of an attempt to get an access token from an expired refresh token. 401? 403? 400? Code="AccessDenied"? Code="Unauthenticated"? Code="NotAllowed"? Or yet another undocumented code?

https://github.com/OfficeDev/microsoft-graph-docs/commit/73f92fb47fd7e83e41c571195a92bece3440584d

https://github.com/OfficeDev/microsoft-graph-docs/commit/1b08a1affcf2384df0cea909ba5a33328fd20b1a

Currently my best bet is that when I receive 400 Bad Request on refreshing access tokens, I conclude that the refresh token itself has expired.

Though, I would not mind a clear documented behavior of this …

Here's a response from a failed refresh request:

{
  "error": "invalid_grant",
  "error_description": "AADSTS70002: Error validating credentials. AADSTS70008: The provided authorization code or refresh token is expired. Send a new interactive authorization request for this user and resource.\r\nTrace ID: xxxxxxx\r\nCorrelation ID: yyyyyy\r\nTimestamp: 2016-02-19 07:55:11Z",
  "error_codes": [
    70002,
    70008
  ],
  "timestamp": "2016-02-19 07:55:11Z",
  "trace_id": "xxxx",
  "correlation_id": "yyyy"
}
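A defensive way to act on the two responses quoted in this thread, added here as an example (not code from the thread or from Microsoft): it reads the access token's exp/nbf/iat claims to schedule a refresh, and treats an invalid_grant error carrying code 70008 as "refresh token expired, start a new interactive sign-in". The token response and error body are constructed samples shaped like those above; the JWT is an unsigned sample that is only decoded, never verified.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token response, shaped like the one in the issue:
# refresh_token_expires_in is deliberately absent, as observed in practice.
SAMPLE_CLAIMS = {"iat": 1454405571, "nbf": 1454405571, "exp": 1454409471}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "",  # empty signature: constructed, unsigned sample
])
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer", "expires_in": "3599", "expires_on": "1454409471",
    "not_before": "1454405571", "access_token": SAMPLE_JWT,
    "refresh_token": "AAAB-constructed-placeholder",
}
# Constructed error body mirroring the invalid_grant response quoted above.
SAMPLE_REFRESH_ERROR = {
    "error": "invalid_grant",
    "error_description": "AADSTS70008: The provided authorization code or refresh token is expired.",
    "error_codes": [70002, 70008],
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. Good enough for
    reading exp/nbf/iat to schedule a refresh; never use this for authorization."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def access_token_expiry(resp: dict) -> int:
    """Unix time at which the access token expires: prefer the JWT exp claim,
    fall back to expires_on (the same instant in the issue's sample)."""
    claims = jwt_claims(resp["access_token"])
    return int(claims.get("exp", resp["expires_on"]))


def should_refresh(resp: dict, now: int, skew: int = 300) -> bool:
    """Refresh once we are within `skew` seconds of access-token expiry."""
    return now >= access_token_expiry(resp) - skew


def refresh_token_expired(error_body: dict) -> bool:
    """True when the token endpoint says the refresh token itself is dead, so
    another refresh attempt is pointless and the user must sign in again."""
    return error_body.get("error") == "invalid_grant" and 70008 in error_body.get("error_codes", [])
```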

As the main doc page for "Microsoft Graph app authorization" (http://graph.microsoft.io/en-us/docs/authorization/app_authorization), it should talk about how to handle (the expiration of) refresh tokens or at least link to somewhere else that does. After reading the page I did think it was a great overview, but a critical part of the process is using refresh tokens, which is really missing. The sentence "In any production code, your app needs to watch for the expiration of these tokens and renew the expiring access token before the refresh token expires." is not enough to cover it.

After reading the page I spent a good while researching refresh tokens and I'm still not clear on the best practice for implementing them with regards to Microsoft Graph. I found these articles on MSDN that are dated 2015, so it's not clear if all the information is still valid.
https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks
https://msdn.microsoft.com/en-us/library/azure/dn645536.aspx

There's a lot of great samples on dev.office.com and other resources so there's no doubt I will find it. It would just be nice if it was part of the main docs.

(BTW the link at the bottom of the page links to itself and does nothing when clicked).

FYI: I just found a very interesting article about the lifetimes becoming configurable:
https://docs.microsoft.com/de-de/azure/active-directory/active-directory-configurable-token-lifetimes

This is definitely the doc that has all the information about token lifetimes: https://docs.microsoft.com/de-de/azure/active-directory/active-directory-configurable-token-lifetimes

@yinaa, does an English version of the document exist?

Doc updated with a "deprecated" mention...
"This method of controlling token lifetimes will be deprecated. While it will remain available until the replacement feature is ready, once it is deprecated token lifetime policies created using this method will cease to function."
