Refresh tokens expire after 12 hours using Microsoft Entra External ID native authentication with OTP
Issue
We chose Microsoft Entra External ID for authenticating external consumers using CIAM after reading this article
We're using these Android & iOS clients to signup and signin users with OTP authentication
In the backend we carefully followed the instructions to set up everything needed for the Native Authentication + OTP (one time passcode) user flow documented here.
We've run into an issue with the refresh tokens that we receive when using Native Authentication
Our expectation is that our refresh tokens should be valid for 90 days because we're using native apps which should fall under the 'other scenarios' in the following statement by microsoft documented for Entra ID:
The default lifetime for the refresh tokens is 24 hours for single page apps and 90 days for all other scenarios.
However our refresh tokens expire after 12 hours, which leads to a bad UX in our app due to forced repeated logins
AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2024-09-25T13:42:23.0482303Z and was inactive for 12:00:00.