I am using Azure B2C for authentication in my .NET Core web API project. I am trying to renew the refresh token using the steps outlined in the documentation - https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#4-refresh-the-token.

The request parameters (using RestSharp) I am sending are below:

using RestSharp;

// Token endpoint of the user flow / policy:
// https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token
var client = new RestClient(TOKEN_ENDPOINT_HERE);

var request = new RestRequest();
request.Method = Method.Post;
request.AddHeader("content-type", "application/x-www-form-urlencoded");
request.AddParameter("grant_type", "refresh_token", ParameterType.GetOrPost);
request.AddParameter("client_id", CLIENT_ID_HERE, ParameterType.GetOrPost);
request.AddParameter("scope", "CLIENT_ID_HERE offline_access", ParameterType.GetOrPost);
request.AddParameter("refresh_token", OLD_REFRESH_TOKEN, ParameterType.GetOrPost);

var response = await client.ExecuteAsync(request);

I am getting a success response, as shown below:

{
    "access_token":"eyJhbGciOiJSUzI1NiIsImtp......",
    "id_token":"eyJhbGciOiJS......",
    "token_type":"Bearer",
    "not_before":1720104657,
    "expires_in":3600,
    "expires_on":1720108257,
    "resource":"guid-here",
    "id_token_expires_in":3600,
    "profile_info":"eyJ2ZXIiO.........",
    "scope":"B2C_Client_Id offline_access openid",
    "refresh_token":"eyJraWQiOiJjcGltY29yZ...........",
    "refresh_token_expires_in":76887
}

A few response parameters (refresh_token_expires_in, expires_on, etc.) are not mentioned in the documentation.

Now, with respect to the JSON response, I have a few doubts:

  1. The default refresh token expiry is 14 days and can be extended to 90 days. But the value in refresh_token_expires_in is in seconds, not a Unix timestamp. Is that even correct?
  2. The value in expires_on is a Unix timestamp and translates to 54 days. What could be expiring here?

What I could conclude here is that the expiry of 14 days or 90 days for the refresh token will not be present in the JSON response under refresh_token_expires_in; instead it resides in the B2C settings only.

Any thoughts?

1 Answer

As mentioned in this MS Document,

Single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours.

Initially, I generated the tokens using the authorization code flow with PKCE via Postman and got refresh_token_expires_in as 86400 seconds (24 hours).

When I used the above refresh token to acquire a new access token after 30 min, I got tokens with the refresh_token_expires_in value reduced by 30 min (1800 seconds):

POST https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&client_id=appId
&scope=appId offline_access openid
&refresh_token=refresh_token_value
&redirect_uri=https://jwt.ms

The value in expires_on is a Unix timestamp and translates to 54 days. What could be expiring here?

The value in expires_on refers to the expiry date/time of the access token. You can confirm that by decoding the access token on the jwt.ms website and checking the exp claim, whose value will be the same.

You can also click on the Claims tab, which shows the exact expiry date/time of the access token.

  • Thank you for the detailed reply. Much appreciated. It makes sense now. In which case, the refresh token validity I have configured in the B2C SignIn_SignUp policy will never be returned in the API response. Is that correct? I was expecting to see the expiry date/time of the refresh token in the response too, for ease of handling the expiry. It appears that I need to look for the actual error message that is thrown during renewal or do a calculation from token renewal time + expiry configured in B2C properties.
    – abhilashca
    Commented Jul 6 at 11:32
  • Yes, refresh token validity settings configured in B2C policies won't work for single-page applications using the authorization code flow with PKCE. You cannot get the expiry date/time of the refresh token in the response. You can only check the refresh_token_expires_in value, which represents the refresh token expiry time in seconds.
    – Sridevi
    Commented Jul 8 at 3:28
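The question and the answer above both come down to the same two points: expires_on is the access token's absolute expiry (it matches the exp claim inside the JWT), while refresh_token_expires_in is a relative lifetime in seconds that the client has to convert to an absolute time itself by remembering when the response arrived. The following Python script is an added example (not code from either post, and not Microsoft's library code) that does exactly that: it decodes the exp claim without signature verification purely to cross-check expires_on, computes the absolute refresh-token expiry, and decides whether a client should keep going, refresh, or send the user back to interactive sign-in. The response values are constructed to mirror the numbers in the question; the access token is a dummy JWT built locally so the script runs offline.

```python
import base64
import json
from dataclasses import dataclass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_dummy_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with an RS256 header and a fake signature.

    Constructed only so the example runs offline; nothing here is signed.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "dummy"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"  # base64url("signature")


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a JWT WITHOUT verifying its signature.

    Acceptable for inspecting `exp` on a token you just received from the
    token endpoint over TLS; never use this to accept a token presented by
    a caller - that is the job of your JWT bearer middleware.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


@dataclass(frozen=True)
class TokenTimes:
    access_expires_at: int   # epoch seconds, taken from expires_on
    refresh_expires_at: int  # epoch seconds, computed: received_at + refresh_token_expires_in


def interpret_token_response(resp: dict, received_at: int) -> TokenTimes:
    """Turn a B2C token response into absolute expiry times.

    `received_at` is the epoch second at which the response arrived. B2C does
    not return an absolute refresh-token expiry, only a relative lifetime, so
    the caller has to record the arrival time and do the addition.
    """
    expires_on = int(resp["expires_on"])
    # Cross-check: expires_on must agree with the exp claim in the access token.
    if decode_jwt_claims(resp["access_token"])["exp"] != expires_on:
        raise ValueError("access token exp claim disagrees with expires_on")
    refresh_expires_at = received_at + int(resp["refresh_token_expires_in"])
    return TokenTimes(expires_on, refresh_expires_at)


def next_action(times: TokenTimes, now: int, skew: int = 300) -> str:
    """Decide what the client should do, refreshing `skew` seconds early.

    'ok'      - access token still usable
    'refresh' - access token (nearly) expired, refresh token still valid
    'reauth'  - refresh token (nearly) expired too: interactive sign-in needed
    """
    if now + skew < times.access_expires_at:
        return "ok"
    if now + skew < times.refresh_expires_at:
        return "refresh"
    return "reauth"


# Constructed sample mirroring the numbers in the question (tokens are dummies).
RECEIVED_AT = 1720104657
SAMPLE_RESPONSE = {
    "access_token": make_dummy_jwt({"nbf": 1720104657, "exp": 1720108257}),
    "token_type": "Bearer",
    "not_before": 1720104657,
    "expires_in": 3600,
    "expires_on": 1720108257,
    "refresh_token": "dummy-refresh-token",
    "refresh_token_expires_in": 76887,
}

if __name__ == "__main__":
    t = interpret_token_response(SAMPLE_RESPONSE, RECEIVED_AT)
    print("access token expires at", t.access_expires_at)
    print("refresh token expires at", t.refresh_expires_at)
    print("action now:", next_action(t, RECEIVED_AT + 3500))
```

Because the absolute refresh-token expiry is derived from the arrival time, renewing 30 minutes later with a refresh_token_expires_in that is 1800 seconds smaller yields the same absolute expiry, which is the behaviour the answer observed: the lifetime is a fixed window, not extended by each renewal. Store received_at alongside the tokens; without it, refresh_token_expires_in alone cannot tell you when the token dies.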
