I am building a SPA application that calls multiple resources using Azure AD.
I reached the following documentation on having an application call multiple resources:
https://docs.microsoft.com/en-us/previous-versions/azure/dn645538(v=azure.100)
I am using the authorization code flow with PKCE to get the initial token and then using the refresh token to get the other ones.
The main problem is that I am not comfortable storing a long-lived refresh_token in a SPA application. Although I can use the refresh_token to get the tokens that I want and then discard it, I think it is a bad governance decision to leave this responsibility to the SPA application.
So I looked for ways of customizing the token lifetime and found:
https://docs.microsoft.com/en-US/azure/active-directory/develop/active-directory-configurable-token-lifetimes
The problem here is that the configuration is per resource and not per client application.
Imagine that I have one SPA, one confidential client and distinct resources that both will access.
It makes sense to me that the tokens issued to client1 would expire more frequently than the tokens issued to client2. The documentation listed says how to do that at the resource level, independently of the client.
If anyone can help with the following questions, I would be glad:
Is there a way of doing that at the client application level?
Is it possible to prevent refresh_tokens from generating new refresh_tokens?
On some pages of the token lifetime configuration documentation there is a warning saying that it is about to change. Is there a date? Are there any preview or release notes to see what will change?