Container app authentication session lifetime


In the authentication setup for container apps the user needs to reauthenticate to the application at certain points in time; this time is not specified in the official documentation, nor is it otherwise clear.

I would like to extend the session of the signed in user for as long as possible or at least find out what is the session expiry time and possible actions to reauthenticate.


I have found some mentions of a fixed 8 hours for the cookie of the App Service authentication (which should be similar to container app authentication). This I have disproved by accessing the app with a time difference of 16 hours - 5pm and 9am the next morning - without needing to reauthenticate.


When setting up container app authentication I have added two identity providers, one is a custom OIDC that relies on AzureAD B2C, and the other one is Microsoft.

My next assumption was that the identity provider's access token lifetime determines the length of the session. When I retrieve the received headers in my application there is a header X-MS-CLIENT-PRINCIPAL; it is base64-encoded JSON which contains an exp (expiry) claim, and this claim points to the expiry time of the access token that is issued by the identity provider:

  • Sign in with Microsoft - the expiry is around 1 hour, and I assumed that my session would be invalidated after this time has elapsed; however, even after 4 hours I am still able to access the app without reauthenticating. I've even tried signing out of my Microsoft account and this did not affect the session at all - the reverse holds, however: if I use Microsoft as an identity provider in my application and then sign out, I will be signed out of all services that require a Microsoft session.

  • Sign in with custom OIDC (Azure AD B2C) - the expiry is 7 days from the moment of sign-in for this identity provider, and I have confirmed this in the exp claim. I signed in with this identity provider at 5pm and had an expiration time of 7 days; the next morning at 9am I was not required to reauthenticate, however the iat (issued at) claim showed that it was set to this time of around 9am. Repeating this in a shorter time span did not have the same effect though.


What is the maximum amount of time I can configure before asking the user to reauthenticate?

Is there a way to use the access tokens from the identity provider in my application (e.g. when users sign in with Microsoft I would like to invoke the Graph API to fetch their organization info on their behalf)?


EDIT - Additional finding

When restarting the container app revision there is a series of logs from the http-auth container (the one that is responsible for authentication, and which passes enriched requests to the application). One of these logs is a setting named EasyAuthConfig, which has a section login/cookieExpiration with a value of 08:00:00 (8 hours); this is in accordance with App Service's documentation.

However, it is still unclear if and how this session could be extended (for App Service there is a /.auth/refresh endpoint; for container apps invoking this endpoint does nothing).



milorad (BEST ANSWER)

I have found that the property cookieExpiration is modifiable via Bicep: Cookie expiration

I've also received the following suggestion on the learn.microsoft website; this script should have the same effect as the Bicep deployment, however I have not verified this:

# Requires the Az.App PowerShell module (Get-/New-AzContainerAppAuthConfig)
$containerAppName = "mycontainerapp"
$resourceGroupName = "myresourcegroup"
# Cookie lifetime as a .NET TimeSpan string (days.hours:minutes:seconds), here 60 days
$cookieTTL = "60.00:00:00"
# Read the existing auth config so its other settings can be carried over
$authConfig = Get-AzContainerAppAuthConfig -AuthConfigName current -ContainerAppName $containerAppName -ResourceGroupName $resourceGroupName
# New-AzContainerAppAuthConfig replaces the whole config, so start with the new cookie settings
$params = @{AuthConfigName="current";ContainerAppName=$containerAppName;ResourceGroupName=$resourceGroupName;CookieExpirationConvention="FixedTime";CookieExpirationTimeToExpiration=$cookieTTL}
# Properties of the existing config that must be preserved
$authProps = @("ForwardProxyConvention","ForwardProxyCustomHostHeaderName","ForwardProxyCustomProtoHeaderName","GlobalValidationExcludedPath","GlobalValidationRedirectToProvider","GlobalValidationUnauthenticatedClientAction","HttpSettingRequireHttps","IdentityProvider","LoginAllowedExternalRedirectUrl","LoginPreserveUrlFragmentsForLogin","NonceExpirationInterval","NonceValidateNonce","PlatformEnabled","PlatformRuntimeVersion","RouteApiPrefix","RouteLogoutEndpoint")
# Copy every property that is set on the existing config into the parameter set ($null on the left is the idiomatic PowerShell comparison)
$authProps | ForEach-Object -Process { if ($null -ne $authConfig.$_) { $params.Add($_.ToString(), $authConfig.$_) } }

New-AzContainerAppAuthConfig @params