KMSI: Sets a persistent session cookie for the length of time you choose. This means that even if the user closes the browser, they won't have to re-present credentials to AAD B2C the next time they visit your website. The maximum lifetime you can set is around 65 years.
No KMSI: Sets a session (non-persistent) cookie. If users close their browser, they must give their credentials to AAD B2C the next time they visit your website. If they close only the tab and not the browser, the longest period they can go without re-presenting credentials for your website is 24 hours.
KMSI + Implicit Flow (SPA) - The above rules apply to both the login and the token renewal processes. Token renewal uses a hidden iframe that relies on the AAD B2C session cookie to issue a new access token (AT).
For token renewals where the refresh token is valid, the above rules are disregarded. They apply only if the refresh token has expired or is not available; this is the fallback. Otherwise, they aren't relevant because the refresh token flow doesn't rely on cookies. Tokens are valid for a maximum of 24 hours. The OIDC refresh token flow is performed via a hidden iframe. However, you will receive a new Auth Code after the AAD B2C session cookie is processed.
KMSI + Code/PKCE (Web App) - For token renewals where the refresh token is valid, the above rules are disregarded. They apply only if the refresh token has expired or is not available. Otherwise they don't apply, because the refresh token flow doesn't use cookies. The maximum refresh token lifetime is 90 days, after which you fall back to the cookie. However, you will receive a new Auth Code after the AAD B2C session cookie is processed.
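The rules above can be combined into one decision: which mechanism produces the next token, and when the user is sent back to the credential prompt. The following is an added example, not code from AAD B2C or MSAL; every name in it is hypothetical, and it assumes the refresh token was issued at the last credential prompt and that the caller supplies the configured lifetimes.

```javascript
// Added illustration: models the session rules described above.
// All names are hypothetical; nothing here calls an AAD B2C or MSAL API.
const HOUR = 3600;
const DAY = 24 * HOUR;

// Can the AAD B2C session cookie still sign the user in silently?
function cookieUsable(s) {
  if (s.kmsi) {
    // Persistent cookie: survives a browser close for the configured lifetime.
    return s.secondsSinceCredentials < s.kmsiLifetimeSeconds;
  }
  // Session cookie: lost on browser close, otherwise at most 24 hours.
  return !s.browserClosed && s.secondsSinceCredentials < 24 * HOUR;
}

// How the next token is obtained: "refresh_token", "session_cookie"
// (hidden iframe, new auth code) or "credentials" (user must sign in again).
function renewalPath(s) {
  if (s.flow !== "implicit" && s.flow !== "code") {
    throw new Error("flow must be 'implicit' or 'code'");
  }
  // Code/PKCE: a valid refresh token is used first and ignores the cookie rules.
  // Assumption: the refresh token was issued at the last credential prompt.
  if (s.flow === "code" && s.secondsSinceCredentials < s.refreshTokenLifetimeSeconds) {
    return "refresh_token";
  }
  // Implicit flow, or refresh token expired: fall back to the session cookie.
  return cookieUsable(s) ? "session_cookie" : "credentials";
}

// Constructed scenarios (not taken from a real tenant).
const scenarios = [
  { name: "implicit, no KMSI, browser closed after 1h",
    flow: "implicit", kmsi: false, browserClosed: true, secondsSinceCredentials: HOUR },
  { name: "implicit, KMSI 30d, browser closed, day 10",
    flow: "implicit", kmsi: true, kmsiLifetimeSeconds: 30 * DAY,
    browserClosed: true, secondsSinceCredentials: 10 * DAY },
  { name: "code, RT 90d, KMSI 180d, day 100",
    flow: "code", kmsi: true, kmsiLifetimeSeconds: 180 * DAY,
    refreshTokenLifetimeSeconds: 90 * DAY, browserClosed: true,
    secondsSinceCredentials: 100 * DAY },
];
for (const sc of scenarios) console.log(`${sc.name}: ${renewalPath(sc)}`);
```

Running it with your own configured lifetimes shows which setting actually bounds how long a browser stays signed in without a credential prompt.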