OAuth 2.0 refresh token and access token max length

d d 20 Reputation points
2024-04-19T05:38:20.55+00:00

I have created an App Registration in the Azure portal.

What are the maximum token lengths for Access and Refresh tokens when a user logs in using the app's client ID?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Anand Prakash Yadav 5,845 Reputation points Microsoft Vendor
    2024-04-19T11:55:21.2266667+00:00

    Hello d d,

    Thank you for posting your query here!

    The exact maximum length of Access and Refresh tokens in Azure Active Directory B2C is not explicitly specified in the official documentation. However, it’s important to note that these tokens are JSON Web Tokens (JWTs) and can vary in size based on the number of claims and other information they contain.

    In general, it’s recommended to be prepared to handle tokens up to 2KB in size in your applications. This is not a strict limit but a suggested size to ensure your application can handle tokens of varying sizes.

    As for the lifetimes of Access tokens in Azure Active Directory B2C:

    The lifetime of the OAuth 2.0 bearer token and ID tokens is configurable. The default is 60 minutes (1 hour). The minimum (inclusive) is 5 minutes. The maximum (inclusive) is 1,440 minutes (24 hours).

    Similarly, in Azure Active Directory B2C, the lifetime of a Refresh Token is as follows:

    The maximum time period before which a refresh token can be used to acquire a new access token, if your application had been granted the offline_access scope, is 90 days. The default is 14 days. The minimum (inclusive) is one day.

    For details: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-user-flow#token-lifetime-behavior

    Similar queries for reference: https://learn.microsoft.com/en-us/answers/questions/1631489/what-are-the-maximum-token-lengths-for-access-and

    https://learn.microsoft.com/en-us/answers/questions/501381/what-is-length-of-the-refresh-token

    I hope this helps! Please let me know if the issue persists or if you have any other questions.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. Navya 4,000 Reputation points Microsoft Vendor
    2024-04-26T06:02:54.37+00:00

    Hi @d d

    Thank you for posting this in Microsoft Q&A.

    JSON Web Tokens (JWTs) are used to encode the access token and refresh token. The size of a JWT is impacted by the claims it contains in terms of number and size. The more claims you request, the larger the token size.

    Using a JWT decoder and measuring the length of the decoded token can help you estimate the token's exact size, although there is no definitive answer. A typical access token for Graph API might be around 1.5 KB, and a typical refresh token might be around 1 KB. However, these are only rough estimates, and the actual size may vary depending on the app and the user.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote" it.
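Both answers make the same practical point: a JWT has no fixed length, its size grows with the claims it carries, and an application should measure rather than assume (the first answer suggests budgeting for roughly 2 KB). The script below is an added example, not code from either answer or from Microsoft. It uses only the Python standard library, mints a constructed JWT so it can run offline (HS256 with a throwaway key stands in for the RS256 signature a real Entra ID token carries; the compact `header.payload.signature` layout is the same), measures the encoded size, decodes the payload for inspection, and shows how a large `groups` claim pushes a token past a 2 KB budget. All claim values, the key, and the group IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Throwaway signing key, constructed for this example only.
SAMPLE_KEY = b"example-only-not-a-real-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding JWS strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_sample_jwt(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build a constructed JWT for sizing experiments.

    HS256 is used only so the example runs without a key pair; Entra ID tokens
    are RS256-signed by Microsoft. Compact JSON keeps the measurement stable.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def token_size_bytes(token: str) -> int:
    """Size of the token as it would travel in an Authorization header."""
    return len(token.encode("ascii"))


def decode_claims_unverified(token: str) -> dict:
    """Read the payload for inspection only; this does NOT verify the signature.

    Never make an authorization decision on claims read this way; validate the
    signature, issuer, audience and expiry with a proper JWT library first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def fits_in_budget(token: str, max_bytes: int = 2048) -> bool:
    """Check a token against the ~2 KB budget the first answer suggests."""
    return token_size_bytes(token) <= max_bytes


# Constructed baseline claims; tenant, audience and user values are placeholders.
BASE_CLAIMS = {
    "aud": "<resource-app-id>",
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "iat": 1713500000,
    "nbf": 1713500000,
    "exp": 1713503600,
    "sub": "<subject-id>",
    "oid": "<object-id>",
    "tid": "<tenant-id>",
    "scp": "User.Read Mail.Read",
}


def constructed_group_id(i: int) -> str:
    """GUID-shaped placeholder for a directory group (constructed, not real)."""
    return f"{i:08x}-0000-4000-8000-000000000000"


def size_growth(extra_claims: dict) -> tuple[int, int]:
    """Return (baseline size, size with extra claims) to show claim-driven growth."""
    base = token_size_bytes(mint_sample_jwt(BASE_CLAIMS))
    extended = token_size_bytes(mint_sample_jwt({**BASE_CLAIMS, **extra_claims}))
    return base, extended


if __name__ == "__main__":
    base, with_groups = size_growth(
        {"groups": [constructed_group_id(i) for i in range(200)]}
    )
    print(f"baseline token: {base} bytes, fits 2 KB budget: {base <= 2048}")
    print(f"with 200 groups: {with_groups} bytes, fits 2 KB budget: {with_groups <= 2048}")
```

The point the numbers make is the one both answers give in words: a plain token with a handful of claims sits comfortably under the suggested budget, while a `groups` claim listing a few hundred memberships alone exceeds it. Size a buffer or header limit from measurements like these, and keep the signature check (not the length) as the thing that decides whether a token is trusted.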