How to add a timeout system to my API Management Developer Portal?

hampton123 1,140 Reputation points
2024-06-05T14:15:41.1133333+00:00

I have an API Management developer portal (standard tier) that I want users to be timed out of after inactivity. I've been testing my developer portal and it seems that the user will stay signed in even if they do not interact with the webpage. I am using B2C as the sign in / sign up system. How would I go about timing out users?

I've tried adjusting the "Access & ID token lifetimes" to 15 minutes in B2C; however, it still does not do anything. I've also adjusted the "Web app session lifetime" in B2C to 15 minutes, and the user still stays signed in. What should I do? If relevant, the web app session timeout is set to "absolute". Thank you in advance.

Tags: Azure API Management, Microsoft Entra External ID, Microsoft Entra ID

1 answer

Sort by: Most helpful
  1. Akhilesh 6,980 Reputation points Microsoft Vendor
    2024-06-14T15:13:06.4533333+00:00

    Hi @hampton123

    Thank you for your post!

    Refresh tokens issued to SPAs cannot be controlled via B2C Sessions Management and are valid for 24 hours only. So, in your case, you need to make sure that the offline_access scope is not present in the authentication request to make sure the refresh token is not issued.

    As documented under Security implications of refresh tokens in the browser, without refresh tokens or third-party cookies, the authorization code flow (as recommended by the OAuth security best current practices draft) becomes onerous when new or additional tokens are required. A full page redirect or popup is needed for every single token, every time a token expires (every hour usually, for the Microsoft identity platform tokens).

    Please check if you have added the offline_access scope for the application registered in the Azure AD B2C tenant. If it is added and consented as shown below, try removing the permission and send the authentication request again.
    (screenshot: the app registration's API permissions blade showing offline_access added and consented)

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, click Accept Answer and Yes for "Was this answer helpful". And if you have any further queries, do let us know.
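The answer above boils down to two browser-side pieces: request tokens without the offline_access scope so B2C issues no refresh token, and then react when the short-lived access token expires (plus, for a true "timed out after inactivity" experience, an idle timer that signs the user out). The following is an added example written for this page; it is not code from the original post, from the APIM developer portal, or from Microsoft. It assumes an MSAL.js-style request object (`{ scopes, ... }`) and a caller-supplied logout callback such as `msalInstance.logoutRedirect()`; the scope name `https://contoso.onmicrosoft.com/api/read`, the 15-minute idle window and the sample token are constructed for illustration. The token decoder reads `exp` only to decide when to redirect; it does not validate the signature, which is the API's job.

```javascript
// Added example, not from the original post or from Microsoft/APIM.
// Assumes MSAL.js-style request objects and a caller-supplied logout callback.

const REFRESH_SCOPE = "offline_access";

// 1. Build the authorization request without offline_access so that B2C issues
//    no refresh token. When the access token expires the browser cannot renew it
//    silently and must send the user back through an interactive sign-in.
function buildAuthRequest(requestedScopes, extra = {}) {
  const scopes = requestedScopes.filter((s) => s.toLowerCase() !== REFRESH_SCOPE);
  if (scopes.length !== requestedScopes.length) {
    // A caller asked for a refresh token; dropping it is the whole point of the fix.
    console.warn(`dropped ${REFRESH_SCOPE} from scopes to avoid a 24h refresh token`);
  }
  return { scopes, ...extra };
}

// 2. Read the exp claim from a JWT (base64url JSON payload). No signature check here:
//    the browser only uses exp to decide when to trigger a fresh interactive sign-in.
function tokenExpiresAt(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.exp !== "number") throw new Error("JWT has no exp claim");
  return payload.exp * 1000; // exp is seconds since epoch; JS timestamps are milliseconds
}

// Treat the token as expired a little early (clock skew) so no request goes out with
// a token that the API will reject anyway.
function needsInteractiveSignIn(jwt, nowMs, skewMs = 60_000) {
  return nowMs + skewMs >= tokenExpiresAt(jwt);
}

// 3. Inactivity tracker, kept as a pure state machine so it can be tested without a DOM.
//    timeoutMs is the idle window (15 minutes in the question).
function createIdleTracker(timeoutMs) {
  let lastActivity = null;
  return {
    touch(nowMs) { lastActivity = nowMs; },
    idleFor(nowMs) { return lastActivity === null ? Infinity : nowMs - lastActivity; },
    isExpired(nowMs) { return this.idleFor(nowMs) >= timeoutMs; },
  };
}

// Wire the tracker to a real page: user events reset the clock, a periodic check calls
// onTimeout (e.g. () => msalInstance.logoutRedirect()). Returns null outside a browser.
function installIdleLogout(tracker, onTimeout, win = globalThis.window, intervalMs = 10_000) {
  if (!win || typeof win.addEventListener !== "function") return null;
  const reset = () => tracker.touch(Date.now());
  ["click", "keydown", "mousemove", "scroll", "touchstart"].forEach((ev) =>
    win.addEventListener(ev, reset, { passive: true }));
  reset();
  return win.setInterval(() => { if (tracker.isExpired(Date.now())) onTimeout(); }, intervalMs);
}

// Constructed sample token for demonstration: header and payload are base64url JSON,
// the signature segment is a dummy. Never accept such a token server-side.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}

// Usage sketch (runs stand-alone under Node; the browser wiring is skipped there):
const request = buildAuthRequest(["openid", "offline_access", "https://contoso.onmicrosoft.com/api/read"]);
const sampleToken = makeUnsignedJwt({ exp: 1_700_000_900 }); // constructed expiry
const idle = createIdleTracker(15 * 60 * 1000);
installIdleLogout(idle, () => console.log("idle timeout: signing out"));
console.log(request.scopes, needsInteractiveSignIn(sampleToken, Date.now()));
```

Two caveats when applying this to the developer portal. The portal's built-in B2C sign-in is configured by APIM rather than by your own MSAL code, so the scope change is made on the B2C app registration's permissions as the answer describes, and this snippet shows the pattern rather than a portal patch. Second, dropping offline_access only removes silent renewal; when the access token expires the browser is redirected to B2C, and whether that redirect signs the user straight back in depends on the B2C web session lifetime, which is why the 15-minute absolute session setting the poster already configured matters alongside the scope change.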