We are currently looking into creating a mobile app with React Native (Expo). The whole authentication stuff works now after a bit of tinkering. But what's a problem for us is that apparently you are not able to get refresh tokens which are valid for longer than 24h when you use the code flow with PKCE.
As far as I've gathered from online resources, it's recommended to use PKCE for mobile apps for security reasons. But having the user do a complete login after 24h is kind of a show stopper for us.
What other options are there to use refresh tokens which are valid for more than 24h in a secure way for mobile apps?
2 Answers
It's documented very confusingly. But it turns out if you have registered your redirect URI as a Mobile/Native app, then B2C will just use whatever refresh token lifetime you have specified even with PKCE.
So if you use the redirect URI of an SPA (and you configured it as such), it will issue 24h refresh tokens no matter what you do.
Refresh tokens issued to SPA applications (PKCE flow) cannot be managed using B2C Session Management and are valid for 24 hours only.
After 24 hours, the app must acquire a new authorization code to get the new access and refresh token.
The only workaround option available is to use "Keep me signed in". In order to set the KMSI checkbox checked by default, you need to use JavaScript as there is no option available for this purpose in B2C user flow or custom policy.