Monday, November 23, 2020

Office 365 Access vs Refresh Tokens

I had to provide a short write-up to some folks to help them with the understanding of how Office 365 and session tokens worked. Hope this helps.

Access Token Definition
Clients use access tokens to access a protected resource. An access token can be used only for a specific combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has obtained an access token can use it for the extent of its lifetime. Adjusting the lifetime of an access token is a trade-off between improving system performance and increasing the amount of time that the client retains access after the user's account is disabled. Improved system performance is achieved by reducing the number of times a client needs to acquire a fresh access token. The default is 1 hour: after 1 hour, the client must use the refresh token to (usually silently) acquire a new refresh token and access token.

Refresh Token Definition
When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. A refresh token is bound to a combination of user and client. A refresh token can be revoked at any time, and the token's validity is checked every time the token is used. Refresh tokens are reissued every time they are used to fetch new access tokens.

Access Tokens
  • Purpose: Give users access to resources (e.g. Exchange Online, SharePoint Online, Teams).
  • Duration: Expire after 1 hour.
  • Customer Revoke: Access Tokens cannot be revoked once they have been created.
Refresh Tokens
  • Purpose: Spare the end user from having to continually re-enter their credentials; a Refresh Token carries no context about which resources the user is accessing.
  • Duration: Expire after 90 days.
  • Customer Revoke: Refresh Tokens can be revoked at any time.
  • Requesting New Token: Whenever a new Access Token is requested, a new Refresh Token is also provided to the requesting client (restarting the 90 day count).
  • Evaluation of Conditions: Every time a client presents a Refresh Token to AAD to obtain a new Access Token for a resource, AAD Conditional Access re-evaluates all conditions defined for the tenant and only then provides the client with new Refresh and Access Tokens.
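The following is an added toy model of the lifecycle described in both definitions and the two lists above; it is not Azure AD or Microsoft code. The in-memory `Authority` class, the HS256-style JWT layout, the claim names (`sub`, `azp`, `aud`, `exp`) and the rule that a superseded refresh token is retired are assumptions of the model. The 1 hour and 90 day lifetimes, the "access tokens cannot be revoked but refresh tokens are checked on every use" behaviour, and the sliding 90 day window on renewal are taken from the post. The point it makes concrete is the warning in the access token definition: after an account is disabled, the last access token keeps validating at the resource until its own `exp`, because the resource only checks signature, audience and expiry, while the very next refresh attempt fails.

```python
"""Toy model of the access/refresh token lifecycle (added illustration, not AAD code).
Assumptions: in-memory issuer, HS256-style JWTs, superseded refresh tokens are retired."""
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_LIFETIME = 60 * 60              # 1 hour (from the post)
REFRESH_LIFETIME = 90 * 24 * 60 * 60   # 90 days (from the post)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Authority:
    """Constructed stand-in for the token issuer (not Azure AD)."""

    def __init__(self, key: bytes):
        self.key = key
        self.refresh_store = {}       # refresh token -> (user, client, expiry)
        self.disabled_users = set()

    def _sign(self, claims: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def issue(self, user, client, resource, now):
        """Issue a fresh access/refresh pair; the refresh window restarts at 90 days."""
        access = self._sign({"sub": user, "azp": client, "aud": resource,
                             "iat": now, "exp": now + ACCESS_LIFETIME})
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = (user, client, now + REFRESH_LIFETIME)
        return access, refresh

    def redeem(self, refresh, resource, now):
        """Refresh-token grant: validity and the user's state are checked on every use."""
        entry = self.refresh_store.pop(refresh, None)   # model choice: old token retired
        if entry is None:
            raise PermissionError("refresh token unknown, revoked or already used")
        user, client, expiry = entry
        if now >= expiry:
            raise PermissionError("refresh token expired")
        if user in self.disabled_users:
            raise PermissionError("user disabled")
        return self.issue(user, client, resource, now)

    def disable_user(self, user):
        """Disabling the account revokes refresh tokens; issued access tokens are untouched."""
        self.disabled_users.add(user)
        self.refresh_store = {t: e for t, e in self.refresh_store.items() if e[0] != user}

    def verify_access(self, token, resource, now):
        """Resource-side check: signature, audience and exp only; no revocation lookup."""
        header, body, sig = token.split(".")
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(body))
        return claims["aud"] == resource and now < claims["exp"]


def lifecycle_demo():
    """Walk a client through the timeline the post describes; returns observations."""
    aad = Authority(key=b"constructed-demo-key")
    t0 = 1_600_000_000                       # arbitrary constructed epoch seconds
    obs = {}
    access, refresh = aad.issue("alice", "outlook-client", "exchange-online", t0)

    obs["valid_within_hour"] = aad.verify_access(access, "exchange-online", t0 + 600)
    obs["rejected_other_resource"] = aad.verify_access(access, "sharepoint-online", t0 + 600)
    obs["expired_after_hour"] = aad.verify_access(access, "exchange-online", t0 + ACCESS_LIFETIME)

    # Silent renewal at the 1 hour mark: new pair, and the 90 day window restarts.
    access, refresh = aad.redeem(refresh, "exchange-online", t0 + ACCESS_LIFETIME)
    obs["renewed_refresh_expiry"] = aad.refresh_store[refresh][2]

    # Account disabled just before the renewed access token expires: the refresh
    # token is rejected at once, but the access token still validates until its exp.
    t_disable = t0 + 2 * ACCESS_LIFETIME - 60
    aad.disable_user("alice")
    obs["access_still_valid_after_disable"] = aad.verify_access(access, "exchange-online", t_disable)
    try:
        aad.redeem(refresh, "exchange-online", t_disable)
        obs["refresh_after_disable"] = "allowed"
    except PermissionError as err:
        obs["refresh_after_disable"] = str(err)
    return obs


if __name__ == "__main__":
    for name, value in lifecycle_demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the observations. The design mirrors the split the post describes: `verify_access` is what a resource such as Exchange Online can do with a self-contained token (no call back to the issuer), while `redeem` is the issuer-side path where revocation and, in the real service, Conditional Access are evaluated. That asymmetry is why the access token lifetime bounds the exposure window after an account is disabled.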
