AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Requesting token on every API call. #3207

Closed cagricaymaz closed 3 years ago

cagricaymaz commented 3 years ago

Description

MSAL requests an access token on every backend API call. I have seen similar topics but I couldn't find my answer. I think requesting the token on every API call is not necessary. I assume there is a way to cache it and only request it when needed.

I have also checked that the access token is always changing.

Maybe I am missing some part of the settings. I hope you guys can help me with this situation.

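import {
    BrowserCacheLocation,
    IPublicClientApplication,
    LogLevel,
    PublicClientApplication
} from '@azure/msal-browser';

// `environment` and `isIE` are defined elsewhere in the application (not shown in the post).

export const b2cPolicies = {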
    names: {
        signUpSignIn: 'B2C_1_SIGN-UP-SIGN-UP-IN-POLICY',
        resetPassword: 'B2C_1_PASSWORD-RESET-POLICY',
        forgotPassword:'B2C_1_PASSWORD-RESET-POLICY'
    },
    authorities: {
        signUpSignIn: {
            authority: 'https://xxx/B2C_1_SIGN-UP-SIGN-UP-IN-POLICY'
        },
        resetPassword: {
            authority: 'https://xxx/B2C_1_PASSWORD-RESET-POLICY'
        },
        forgotPassword: {
            authority: 'https://xxx/B2C_1_PASSWORD-RESET-POLICY'
        }
    },
    authorityDomain: "xxx"
};

export const apiConfig: { scopes: string[]; uri: string } = {
    scopes: ['https://xxx/Scope.Read'],
    uri: environment.baseApiUrl + '/api/'
};

export function loggerCallback(logLevel: LogLevel, message: string) {
    console.log(message);
}

export function MSALInstanceFactory(): IPublicClientApplication {
    return new PublicClientApplication({
        auth: {
            clientId: 'xxx',
            authority: b2cPolicies.authorities.signUpSignIn.authority,
            redirectUri: 'http://localhost:4200',
            postLogoutRedirectUri: 'http://localhost:4200',
            knownAuthorities: [b2cPolicies.authorityDomain]
        }, 
        cache: {
            cacheLocation: BrowserCacheLocation.LocalStorage,
            storeAuthStateInCookie: isIE,
        },
        system: {
            loggerOptions: {
                loggerCallback,
                logLevel: LogLevel.Info,
                piiLoggingEnabled: false
            }
        }
    });
}

devInterests commented 3 years ago

I had the same issue. In my case it was with msal version 2.x. The problem was the scope. The answer had a different scope than that which had been requested. In this case, no token is found in the cache for the requested scope and a new token is requested. So check if the response contains a token for your requested scope.

tnorling commented 3 years ago

@cagricaymaz Can you share your usage where you make your token and API call? acquireTokenSilent does look up tokens in the cache first before making a network request. Enabling verbose logs would also be helpful here. Instructions for enabling logs

cagricaymaz commented 3 years ago

Hi @devInterests, my token response's scope is the same as the requested scope.

Hi @tnorling

Can you help me to understand these logs?

[Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-angular@2.0.0-beta.0 : Verbose - MSAL Interceptor activated
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-angular@2.0.0-beta.0 : Verbose - Interceptor - getting scopes for endpoint
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - getActiveAccount: No active account
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-angular@2.0.0-beta.0 : Verbose - Interceptor - no active account, fallback to first account
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - getAllAccounts called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-angular@2.0.0-beta.0 : Info - Interceptor - 1 scopes found for endpoint
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - preflightBrowserEnvironmentCheck started
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - acquireTokenSilent called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Initializing BaseAuthRequest
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Info - Emitting event: msal:acquireTokenStart
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Emitting event to callback e43a83f7-1961-420f-8ad5-c04f5a3fe005: msal:acquireTokenStart
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - initializeServerTelemetryManager called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - createSilentFlowClient called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - getClientConfiguration called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - getDiscoveredAuthority called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Creating discovered authority with request authority
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.setAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Info - Emitting event: msal:acquireTokenFromNetworkStart
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Emitting event to callback e43a83f7-1961-420f-8ad5-c04f5a3fe005: msal:acquireTokenFromNetworkStart
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Initializing BaseAuthRequest
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - initializeServerTelemetryManager called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - createRefreshTokenClient called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - getClientConfiguration called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - getDiscoveredAuthority called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Creating discovered authority with request authority
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.setAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getServerTelemetry called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getThrottlingCache called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getServerTelemetry called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.setAccount called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.setIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getIdTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getRefreshTokenCredential: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.getAuthorityMetadata: cache hit
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.setAccessTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - BrowserCacheManager.setRefreshTokenCredential called
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Info - Emitting event: msal:acquireTokenSuccess
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-browser@2.12.0 : Verbose - Emitting event to callback e43a83f7-1961-420f-8ad5-c04f5a3fe005: msal:acquireTokenSuccess
app-config.ts:36 [Mon, 15 Mar 2021 17:02:50 GMT] :  : @azure/msal-angular@2.0.0-beta.0 : Verbose - Interceptor - setting authorization headers
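
One way to read a verbose log like the one above, as an added example that is not part of the original thread or of MSAL: group the lines per `acquireTokenSilent` call and flag calls that report an access-token cache hit yet still emit `msal:acquireTokenFromNetworkStart`. The function names are assumptions; the first sample call is abridged from the log above and the second is constructed.

```typescript
interface SilentCall {
    accessTokenCacheHit: boolean; // "getAccessTokenCredential: cache hit" seen
    wentToNetwork: boolean;       // "msal:acquireTokenFromNetworkStart" emitted
}

// Walk the log and build one record per acquireTokenSilent invocation.
function summarizeSilentCalls(logText: string): SilentCall[] {
    const calls: SilentCall[] = [];
    const lines = logText.split("\n");
    let current: SilentCall | null = null;
    for (let i = 0; i < lines.length; i++) {
        const line = lines[i];
        if (line.indexOf("acquireTokenSilent called") !== -1) {
            current = { accessTokenCacheHit: false, wentToNetwork: false };
            calls.push(current);
        } else if (current === null) {
            continue; // lines outside a silent call are ignored
        } else if (line.indexOf("getAccessTokenCredential: cache hit") !== -1) {
            current.accessTokenCacheHit = true;
        } else if (line.indexOf("Emitting event: msal:acquireTokenFromNetworkStart") !== -1) {
            current.wentToNetwork = true;
        } else if (line.indexOf("Emitting event: msal:acquireTokenSuccess") !== -1) {
            current = null; // call finished
        }
    }
    return calls;
}

// A cached access token that is not used points at expiry/renewal settings
// (or a request mismatch) rather than at an empty cache.
function findSuspectRefreshes(calls: SilentCall[]): SilentCall[] {
    return calls.filter(function (c) { return c.accessTokenCacheHit && c.wentToNetwork; });
}

const P = "[Mon, 15 Mar 2021 17:02:49 GMT] :  : @azure/msal-browser@2.12.0 : ";
const SAMPLE_LOG = [
    // Call 1: abridged from the log posted in the thread.
    P + "Verbose - acquireTokenSilent called",
    P + "Verbose - BrowserCacheManager.getAccessTokenCredential called",
    P + "Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit",
    P + "Info - Emitting event: msal:acquireTokenFromNetworkStart",
    P + "Info - Emitting event: msal:acquireTokenSuccess",
    // Call 2: constructed, a call answered from the cache.
    P + "Verbose - acquireTokenSilent called",
    P + "Verbose - BrowserCacheManager.getAccessTokenCredential: cache hit",
    P + "Info - Emitting event: msal:acquireTokenSuccess"
].join("\n");

const summary = summarizeSilentCalls(SAMPLE_LOG);
console.log(summary.length, "silent calls,",
    findSuspectRefreshes(summary).length, "refreshed despite a cache hit");
```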

devInterests commented 3 years ago

@cagricaymaz As far as I understood, your scope in the example is "https://xxx/Scope.Read". But in the response the scope is "https://..../466". So there is a token in the cache for "https://..../466" but not for the "https://xxx/Scope.Read" scope. But I am not sure about that. However, what I did was debug through the msal js lib. I started at the acquireTokenSilent call and stepped into the call stack. There I saw what was in the cache and what I was requesting.

cagricaymaz commented 3 years ago

I have debugged all steps in msal-angular and found my solution, I think. There is a system.Options.tokenRenewalOffsetSeconds set for 300 seconds.

...
else if (!cachedAccessToken || TimeUtils.isTokenExpired(cachedAccessToken.expiresOn,this.config.systemOptions.tokenRenewalOffsetSeconds)) {
            // Must refresh due to expired or non-existent access_token
            return true;
        }
...

In my development environment, the access tokens expire in 300 seconds. So in my case, it is always expired. Changed it to 15 minutes and it is working as expected. I will now update the "tokenRenewalOffsetSeconds" in the settings.

Thanks for your help guys.
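
The arithmetic behind this finding, as an added example that is not code from the thread or from MSAL: a model of the renewal check quoted above, showing that a token whose lifetime does not exceed `tokenRenewalOffsetSeconds` is refreshed on every call. The function names, the simulated clock and the strict `>` comparison are assumptions made for illustration.

```typescript
interface CachedToken {
    expiresOn: number; // expiry as seconds on the simulated clock
}

// Model of the check: the token is treated as expired as soon as
// "now + renewal offset" passes its expiry time.
function isExpiredWithOffset(expiresOn: number, offsetSeconds: number, nowSeconds: number): boolean {
    return nowSeconds + offsetSeconds > expiresOn;
}

// How long a freshly issued token can be served from the cache.
function usableCacheWindow(lifetimeSeconds: number, offsetSeconds: number): number {
    return Math.max(0, lifetimeSeconds - offsetSeconds);
}

// Simulate `calls` API calls spaced `intervalSeconds` apart and count how many
// of them had to fetch a new token instead of using the cached one.
function countNetworkRefreshes(
    lifetimeSeconds: number,
    offsetSeconds: number,
    calls: number,
    intervalSeconds: number
): number {
    let cached: CachedToken | null = null;
    let refreshes = 0;
    for (let i = 0; i < calls; i++) {
        const now = i * intervalSeconds;
        if (cached === null || isExpiredWithOffset(cached.expiresOn, offsetSeconds, now)) {
            cached = { expiresOn: now + lifetimeSeconds }; // new token from the network
            refreshes++;
        }
    }
    return refreshes;
}

// The situation in the thread: 300-second tokens with a 300-second offset.
console.log("300s lifetime:", countNetworkRefreshes(300, 300, 10, 10), "refreshes in 10 calls");
// After raising the lifetime to 15 minutes with the same offset.
console.log("900s lifetime:", countNetworkRefreshes(900, 300, 10, 10), "refresh in 10 calls");
```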

cagricaymaz commented 3 years ago

I have fixed the issue that I am having so I can close the topic. Thank you.