Azure AD B2C OpenID Connect Refresh token

Submitted by 大城市里の小女人 on 2019-12-24 12:01:43

Question


I followed this example https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-web-dotnet-susi from the Azure AD B2C documentation page on the Microsoft site. Got it working fine but the problem is that the access token has a one hour lifetime and after that hour the user needs to re-login. I don't want to extend the access_token lifetime but would like to refresh the token before the access_token is expired. How can I achieve this?

The source code can be found here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi


Answer 1:


From the article you linked, I understand that you are trying to add sign-in to your app. If signing in is your only goal, then you would not need to use the access_token. The code related to acquiring an access token is not necessary until you want to call an API/service using the access token. For the purpose of sign-in, the id_token should be sufficient.

Having said that, the id_token also has the one hour lifetime. To extend the session, you have a couple of options:

  1. The easy option is to separate the application session lifetime from the token lifetime. You can do this by passing UseTokenLifetime = false to the OpenIdConnectAuthenticationOptions in the middleware.
  2. You can associate your session lifetime with the Azure AD session lifetime. This would involve adding logic to renew your app's session by making a sign in request to Azure AD from a hidden iframe.

You can read more about these approaches and the trade-offs in this blog post.




Answer 2:


The MSAL library (which is being used to exchange the code for the token in the sample) automatically calls the Azure AD B2C endpoint to exchange the refresh_token for a new access_token. You shouldn't need to deal with it.




Answer 3:


IIRC there is no option available to auto-renew from the library itself, but there are multiple options you can adopt to achieve that... The simple one is from JavaScript:

  1. Put a timeout function in JS and make it trigger before the token is going to expire. You can get that from the token expiration time.
  2. Trigger an MVC action / REST API method from JS, get a new access token from B2C, and update the access token with the new one.
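
The client-side scheduling that Answer 3 describes, as an added example that is not part of the answers or the linked Azure sample: read the expiry from the token, arm a timer a few minutes early, and call a renewal endpoint on the server. The helper names, the `/Account/Renew` path and the constructed sample token are assumptions.

```javascript
// Added example, not from the answers or the Azure sample. The helper names,
// the /Account/Renew endpoint and the sample token below are assumptions.

// Decode the JWT payload (base64url) and return the `exp` claim in ms since epoch.
// No signature check: this only schedules a timer; the server still validates
// every token it receives.
function readExpiry(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === "function"
    ? atob(padded) : Buffer.from(padded, "base64").toString("utf8");
  const payload = JSON.parse(json);
  if (typeof payload.exp !== "number") throw new Error("no exp claim");
  return payload.exp * 1000;
}

// Delay before renewing: expiry minus a safety margin, clamped at zero so a
// token already inside the margin (or expired) is renewed immediately.
function msUntilRenewal(expMs, nowMs, marginMs = 5 * 60 * 1000) {
  return Math.max(0, expMs - nowMs - marginMs);
}

// Arm a timer. `renew` returns a Promise of the new token, so the next timer is
// based on the new expiry. `now` and `timer` are injectable for testing.
function scheduleRenewal(jwt, renew, opts = {}) {
  const now = opts.now || (() => Date.now());
  const timer = opts.timer || ((fn, ms) => setTimeout(fn, ms));
  const delay = msUntilRenewal(readExpiry(jwt), now(), opts.marginMs);
  return timer(async () => {
    try {
      // e.g. renew = () => fetch("/Account/Renew", { credentials: "same-origin" })
      //                     .then(r => r.json()).then(j => j.id_token)
      const fresh = await renew();
      scheduleRenewal(fresh, renew, opts);
    } catch (err) {
      // B2C session gone or network error: fall back to a full sign-in.
      if (opts.onFailure) opts.onFailure(err);
    }
  }, delay);
}

// Constructed sample token (dummy signature) so the block runs offline in Node.
function makeSampleJwt(expSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc({ exp: expSeconds, sub: "demo" })}.sig`;
}
```

The renewal endpoint itself runs server-side (where the MSAL cache and refresh_token live), so the browser only ever sees the expiry time, not the refresh_token.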


Source: https://stackoverflow.com/questions/45438804/azure-ad-b2c-openid-connect-refresh-token
