Identity disappears from the bearer token after an hour

I am working on a multi-tenant solution with Azure AD with web apps and web api. The web app uses OpenIdConnect to retrieve the bearer token (which is cached in the Redis laser cache) that Angular uses to get JSON from the web api. Custom impersonation is used between web app and web api (configured in Azure AD apps).

Problem:

This works fine for about an hour, then Identity suddenly disappears on the web avi side. If I refresh the web app I see that the page is redirected to the Microsoft login page, but no action is required as the user is simply redirected back to the web app and everything works again. As far as I can see, the web app uses the same bearer token when it fails and after refresh (same expiration time) when it runs again. AuthenticationContext.AcquireTokenSilent works in both scenarios.

I tried to increase a lot of timeouts but nothing helped. I have also disabled all bearer token authentication in the web api. I don't understand why the personality disappears and why it helps to renew the client. Any ideas?:)

Additional Information

This is how RequestContext.Principal.Identity looks like about an hour after login or refresh (in web api):

And that's about an hour later, which causes the authentication to fail:

Some code changes I tried out:

In the web api HttpConfiguration:

config.SuppressDefaultHostAuthentication();
        config.Filters.Add(
            new HostAuthenticationFilter(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions().AuthenticationType));

      

        
        
        
      

    

This changed the unauthenticated principal from WindowsPrincipal to ClaimsPrincipal, but it still doesn't work after an hour.

WindowsAzureActiveDirectoryBearerAuthenticationOptions BackChannelTimeout set to 5 days. Still fails

      

        
        
        
      

    

In web application web.config:

sessionState timeout="525600" for RedisSessionStateProvider. Still fails

      

        
        
        
      

    

In the owin auth web application, the process, the increased time interval and added acceleration. Still fails:

app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieSecure = CookieSecureOption.Always,
            ExpireTimeSpan = TimeSpan.FromDays(5),
            SlidingExpiration = true,
            CookieHttpOnly = true
        });
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                Authority = Constants.CommonAuthority,
                UseTokenLifetime = false

      

        
        
        
      

    

Update:

Extract some details: We have a hybrid MVC Angular web app. Many MVC menu items, each resulting in a single page Angular app for that menu item. MVC is used for routing, authentication and authorization. Additionally, additional claims are retrieved and added to the current main server side. Menu items are MVC controllers that are protected by the Authorized and ClaimsPrincipalPermission attributes. Since the web page will run in Azure, we changed the default sessionProvider parameter to Microsoft.Web.Redis.RedisSessionStateProvider. Only the MVC server speaks about this re-session cache. The bearer token (not the refresh token) is shared with Angular via an authorized secure MVC controller,which is then stored in browser session store (similar to using adal.js localstorage?) Angular gets JSON content from CORS API that lives on separate domain from MVC app. API and MVC app also refers to two different Azure AD apps.