Azure AD B2C OpenID Connect Refresh token

天命终不由人 2021-01-25 09:15

I followed this example https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi from the Azure AD B2C documentation page

3 Answers
  •  没有蜡笔的小新
    2021-01-25 09:52

    From the article you linked, I understand that you are trying to add sign in to your app. If signing in is your only goal, then you would not need to use the access_token. The code related to acquiring an access token is not necessary until you want to call an API/service using the access token. For the purpose of sign in the id_token should be sufficient.

    Having said that, the id_token also has the one hour lifetime. To extend the session, you have a couple of options:

    1. The easy option is to separate the application session lifetime from the token lifetime. You can do this by passing UseTokenLifetime = false to the OpenIdConnectAuthenticationOptions in the middleware.
    2. You can associate your session lifetime with the Azure AD session lifetime. This would involve adding logic to renew your app's session by making a sign in request to Azure AD from a hidden iframe.

    You can read more about these approaches and the trade-offs in this blog post.
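
Option 1 from the answer above, written out as an added example (not part of the original answer or the linked sample). The client ID, metadata address and redirect URI are placeholders, and the 8-hour lifetime is an assumed value. With `UseTokenLifetime = false` the cookie middleware's `ExpireTimeSpan` governs the session (14 days by default in Katana), so it is set explicitly here.

```csharp
using System;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholders (assumptions): substitute the values for your own B2C tenant and policy.
    private const string ClientId = "<application-client-id>";
    private const string MetadataAddress = "<b2c-policy-openid-configuration-url>";
    private const string RedirectUri = "<app-redirect-uri>";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // The application session now lives in this cookie, not in the id_token.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Assumed value: pick the idle timeout your application can tolerate.
            ExpireTimeSpan = TimeSpan.FromHours(8),
            // Re-issue the cookie on activity, so only idle sessions expire.
            SlidingExpiration = true,
            // The cookie is the session credential: HTTPS only, not readable by script.
            CookieSecure = CookieSecureOption.Always,
            CookieHttpOnly = true
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            MetadataAddress = MetadataAddress,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            // Sign-in only: request an id_token and no access token.
            ResponseType = "id_token",
            Scope = "openid",
            // Do not copy the id_token's one-hour expiry onto the session cookie.
            UseTokenLifetime = false
        });
    }
}
```

Because the session is decoupled from the token, a user disabled in the directory keeps access until the cookie expires, which is the trade-off to weigh when choosing `ExpireTimeSpan`.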
