As it turns out, the Azure authentication token has a fixed lifetime, not a sliding window. By default, it’s set to expire exactly 60 minutes after it’s issued. If users were navigating between normal pages at the time of expiration, the app would bounce them to the login page, automatically issue a new token and then forward them on to the destination page.
However, if they opened a form at 59 minutes and it took two minutes to fill out, then when they hit Save, they would bounce to the login page, get a new token issued automatically and then be sent back to the page with a blank form. I should note that the users didn’t actually see a sign-in screen; the only indication that it happened was a quick flash of the login URL in the browser’s address bar.
Dozens of Stack Overflow users encountered the same issue with no answers. Everything I could find ultimately traced back to these two resources:
- Configurable Token Lifetimes in Azure Active Directory (Public Preview)
This explains what the different tokens are and how to adjust their lifetimes using PowerShell.
- Using a Refresh Token to Renew an Expired Access Token for Azure Active Directory
This is a way, within code, to use the refresh token to generate a new authentication token. It seemed promising, but it didn’t work. Also, I found this same code on multiple sites, but I think that site is the originator. This code probably worked when it was posted in 2015, but Azure has been updated a bit since then.
- There is no way to configure the token lifetimes within the portal.
- The minimum lifetime that can be set on an authentication token is 10 minutes — making testing and debugging a slow process.
- There is something called a refresh token, which seems like something we’ll need, but there are no official Azure samples that use it.
Here’s the good news: It was a pretty minor fix in our code base to make it work.
First, update the NuGet package for Microsoft.IdentityModel.Clients.ActiveDirectory to v3. We were previously using v2. This package is referred to as ADAL in much of the documentation you’ll find out there. This update will require some changes to use async in a few locations, but beyond that it is pretty seamless.
Then change our void ProcessAuthorizationCodeReceived method to an async ProcessAuthorizationCodeReceivedAsync. Within that method, the updated NuGet package requires changing the call to AcquireTokenByAuthorizationCode to AcquireTokenByAuthorizationCodeAsync.
Finally, just before the call to AcquireTokenByAuthorizationCodeAsync, set context.AuthenticationTicket.Properties.AllowRefresh = true.
Here’s the updated function:
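The post’s own updated function is not reproduced on this page. What follows is an added example, not the author’s code, showing how the three steps above fit together in an ASP.NET OWIN Startup class with ADAL v3: the async notification handler wired into the OpenID Connect middleware, the renamed AcquireTokenByAuthorizationCodeAsync call, and AllowRefresh set on the ticket just before it. The tenant, client id, client secret, redirect URI, resource id and the fresh in-memory TokenCache are placeholders and assumptions; a production app would use a per-user persisted cache.

```csharp
// Added example (not the original post's function): OWIN wiring plus the
// async authorization-code handler described in the three steps above.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL v3
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace AzureAdSessionExample
{
    public class Startup
    {
        // Assumed configuration; real apps read these from web.config or a secret store.
        private const string ClientId = "<client-id-placeholder>";
        private const string ClientSecret = "<client-secret-placeholder>";
        private const string Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>";
        private const string RedirectUri = "https://localhost:44300/";
        private const string ResourceId = "https://graph.microsoft.com";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // SlidingExpiration is the default, but it only takes effect when the
            // ticket issued at sign-in carries AllowRefresh = true (see below).
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                SlidingExpiration = true
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Authority,
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // ADAL v3 is async, so the handler returns a Task rather than void.
                    AuthorizationCodeReceived = ProcessAuthorizationCodeReceivedAsync
                }
            });
        }

        private static async Task ProcessAuthorizationCodeReceivedAsync(
            AuthorizationCodeReceivedNotification context)
        {
            // The OpenID Connect middleware copies the id_token lifetime (60 minutes by
            // default) onto the session cookie and marks the ticket non-refreshable.
            // Re-enabling refresh lets the cookie middleware slide that window
            // instead of hard-expiring the session at the hour mark.
            context.AuthenticationTicket.Properties.AllowRefresh = true;

            // Assumption: a throwaway in-memory cache. Never use a cache shared across
            // users in a web app; key a persisted cache by the signed-in user's object id.
            var authContext = new AuthenticationContext(Authority, new TokenCache());
            var credential = new ClientCredential(ClientId, ClientSecret);

            // The redirect URI must match the one the authorization request was sent with;
            // here it is derived from the OWIN request rather than HttpContext.Current.
            var redirectUri = new Uri(context.Request.Uri.GetLeftPart(UriPartial.Path));

            // v2's AcquireTokenByAuthorizationCode became AcquireTokenByAuthorizationCodeAsync in v3.
            AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                context.Code,
                redirectUri,
                credential,
                ResourceId);

            // The access/refresh token pair is now in the cache for later
            // AcquireTokenSilentAsync calls. Do not log or persist result.AccessToken elsewhere.
        }
    }
}
```

Setting AllowRefresh only lets the cookie middleware renew the session ticket; it does not lengthen the id_token itself. With sliding expiration the cookie is re-issued with the same window length once more than half of it has elapsed, so a user who is active at least every 30 minutes keeps a valid session, while an idle session still ends at the hour. That is the property to verify when testing the fix: an active session should survive past the 60-minute mark, and an idle one should not.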
This article originally appeared on Sept. 26, 2017.