az webapp auth update: Operation returned an invalid status ‘Bad Request’

Continuing on from what I was doing earlier about authenticated access to Azure Functions, I recently started doing the following:

What it does is: I first check whether a global variable called __TempToken is set on my machine, and if so I pull that and use it to authenticate against my Azure Function. If that fails I call my Get-MSDeviceToken function to authenticate with Azure AD, exchange the token for a Function one, and authenticate with that, storing it in the global variable as well. It's just a convenience so I could avoid having to authenticate each time I tested my script against the Function.

I realized that this cached token is still valid even after a day. That's not good. So I checked its claims:

The nbf claim stands for "not before", i.e. the start of the validity window, and the exp claim stands for "expiration", i.e. its end. Subtracting the two in my case gives 2592000 seconds, which is 720 hours, or 30 days. Whoa!

So I double-checked the nbf value with an epoch converter site, and sure enough it is 30th Dec.

That makes no sense. Naturally, I Googled and came across this official link on the expiration time of session tokens (session tokens are the ones issued by the Function's App Service authentication middleware; access tokens are the ones from your identity provider). It says the following:

The authenticated session expires after 8 hours. After an authenticated session expires, there is a 72-hour grace period by default. Within this grace period, you’re allowed to refresh the session token with App Service without reauthenticating the user.

That doesn't address my issue, but it seems an authenticated session expires after 8 hours (this must be to do with cookies?) and can be refreshed for up to 72 hours after that. I don't need this, but I tried to reduce the setting from 72 to 2 hours via the command line given there, and it threw an error: Operation returned an invalid status 'Bad Request'

Not sure why it was throwing an error, but I decided not to use the command and went via Resource Explorer instead, and that worked. The setting is under config > authsettingsV2 and is called tokenRefreshExtensionHours (it has a value of 2 below).

As expected this made no difference to the session token lifetime, but I figure I'll post this workaround for anyone else who's interested.

I am not sure what to do here, so I suppose I'll log an issue on GitHub for the 1-month lifetime of the Function's session token. Thing is, the token from Azure AD is valid for only 1 hour, and that's all I want, so it would be good if I could reduce the validity of these too. Meanwhile, this is something to be aware of.

Update: I added the following code to my Function to validate the token. As I mentioned earlier, I have some code in the Function that captures the username etc. from the claims, so I extended it to also check the iat (issued at) claim.
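Putting the claim decoding from earlier (subtracting nbf from exp) and this iat check together, here is an added PowerShell example. It is not the code from this post or from App Service; the function names, the constructed sample token and the 1-hour age limit are my assumptions, and it deliberately does not verify the signature (the App Service authentication middleware does that before the request reaches the Function; this only adds a freshness check on top).

```powershell
# Added example, not code from the original post. Decodes the claims of a JWT
# such as the App Service session token, reports the nbf/exp lifetime, and
# enforces a maximum age from the iat claim. Sample token, 1-hour threshold
# and function names are assumptions made for this example. No signature
# verification here: the App Service middleware validates the token before
# the Function sees the request; this adds a freshness check on top of that.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    # Return the payload (second segment) of a JWT as an object, without verifying it.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated segments' }
    # base64url -> base64: restore the two substituted characters and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $json | ConvertFrom-Json
}

function Get-JwtLifetime {
    # Show nbf, iat and exp as UTC timestamps plus the nbf-to-exp window in hours.
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    [pscustomobject]@{
        NotBefore     = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.nbf)
        IssuedAt      = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat)
        Expires       = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
        LifetimeHours = ([long]$claims.exp - [long]$claims.nbf) / 3600
    }
}

function Test-JwtFreshness {
    # True if the token was issued no more than $MaxAgeHours ago and is inside
    # its own nbf/exp window; the caller decides what to do with a False.
    param(
        [Parameter(Mandatory)][string]$Token,
        [int]$MaxAgeHours = 1,                      # assumed policy: match the 1-hour Azure AD token
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    foreach ($name in 'iat', 'nbf', 'exp') {
        if ($null -eq $claims.$name) { return $false }   # missing time claim: reject
    }
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat)
    $nbf     = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.nbf)
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($Now -lt $nbf -or $Now -ge $expires) { return $false }
    return (($Now - $issued).TotalHours -le $MaxAgeHours)
}

function Get-CachedTokenIfFresh {
    # Client-side counterpart: only reuse $global:__TempToken while it passes the age check.
    param([int]$MaxAgeHours = 1)
    $cached = $global:__TempToken
    if ($cached -and (Test-JwtFreshness -Token $cached -MaxAgeHours $MaxAgeHours)) { return $cached }
    return $null
}

# Constructed sample token: 30 days (2592000 s) from an assumed nbf of
# 2020-12-30T00:00:00Z, to mirror the lifetime measured in the post. The
# signature segment is filler, so this token would never pass the middleware.
$header  = '{"alg":"HS256","typ":"JWT"}'
$payload = '{"nbf":1609286400,"iat":1609286400,"exp":1611878400,"name":"demo-user"}'
$SampleToken = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
               (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload))) + '.' +
               (ConvertTo-Base64Url ([byte[]](1..32)))

Get-JwtLifetime -Token $SampleToken | Format-List
Test-JwtFreshness -Token $SampleToken -Now ([DateTimeOffset]::Parse('2020-12-30T00:30:00Z'))
Test-JwtFreshness -Token $SampleToken -Now ([DateTimeOffset]::Parse('2020-12-31T00:00:00Z'))
```

For the constructed token, Get-JwtLifetime reports a LifetimeHours of 720, and the two Test-JwtFreshness calls return True (half an hour after issue) and False (a day after issue). Inside the Function the check belongs next to the code that reads the username from the claims, with a 401 returned on False; on the client, Get-CachedTokenIfFresh replaces a bare read of $global:__TempToken so a stale cached token triggers re-authentication instead of being reused for a month.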