The OTP used in Azure B2C in the DisplayControl / email verification has the following parameter:
ReuseSameCode: Whether a duplicate code should be given rather than generating a new code when given code has not expired and is still valid. The default value is false.
My question: when enabling this, we noticed that the code is only kept within the same browser session, i.e. if the user accidentally closes their browser and comes back, they're given a new code, even if they're still within the time limit for which a token is valid (we upped it to 20 minutes).
Is there any setting we can set so that the same token will be reused, even after browser restart?
No, it is tied to the session cookie of the authentication at the time. Closing the browser loses the session cookie and therefore B2C treats it as a fresh authentication.
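
For reference, an OTP generation technical profile with the settings described in the question, as an added example that is not part of the original posts. The profile Id `GenerateOtp`, the `email` and `otpGenerated` claim names, and the code length, character set and attempt limits are assumptions; only `ReuseSameCode` and the 20-minute lifetime come from the question.

```xml
<TechnicalProfile Id="GenerateOtp"> <!-- hypothetical Id -->
  <DisplayName>Generate one-time password</DisplayName>
  <Protocol Name="Proprietary"
            Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="Operation">GenerateCode</Item>
    <!-- 20 minutes, the lifetime mentioned in the question -->
    <Item Key="CodeExpirationInSeconds">1200</Item>
    <!-- Assumed values for length, character set and attempt limits -->
    <Item Key="CodeLength">6</Item>
    <Item Key="CharacterSet">0-9</Item>
    <Item Key="NumRetryAttempts">5</Item>
    <Item Key="NumCodeGenerationAttempts">10</Item>
    <!-- Returns the existing unexpired code instead of a new one.
         Per the answer above, this only holds while the B2C session
         cookie is present; a new browser session gets a new code. -->
    <Item Key="ReuseSameCode">true</Item>
  </Metadata>
  <InputClaims>
    <!-- Assumed claim name: the address the code is issued for -->
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="otpGenerated" PartnerClaimType="otpGenerated" />
  </OutputClaims>
</TechnicalProfile>
```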