Closed ionut-gheorghe closed 2 years ago
@ionut-gheorghe After the refresh token has expired, the library should catch these errors and silently renew the tokens. It's only when this fails that interaction is required. Please take a look at our docs here for more information about token renewal. If the docs do not answer your question, please provide verbose logs and your configuration and code snippets so we can debug your issue.
My application/feature does http calls every 60 seconds. Looking at the source code of the interceptor, acquireTokenSilent is invoked when there is a http call. Let's say that this call is done 60 seconds after the refresh token is expired: the call to {tenant}/oauth2/v2.0/token will result in an error (bad request 400) with the response shown above and invoke the interactive flow.
@ionut-gheorghe Are you able to send me verbose logs? My email is in my Github profile.
I have launched locally the app in verbose mode just after I saw your response but my PC decided to restart, so I have to wait another 24 hours...
I finally have the logs, I will have them sent to your email this afternoon.
Edit. Logs sent
This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @samuelkubai please follow up.
@jo-arroyo assigning this to you as you seem to have the logs sent.
@ionut-gheorghe thank you for providing the logs. 24 hours after the refresh token expires, MSAL will attempt to silently renew the refresh token, and if that succeeds the user should not need to sign in again. This may fail if the user's AAD session has expired or if they have 3rd party cookies blocked. The server logs indicate that either the user's session has expired or 3rd party cookies are blocked, which is why it returns a login_required error which must be resolved with an interactive login. As a result we believe MSAL and angularjs are working as designed.
@ionut-gheorghe This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.
@ionut-gheorghe could you tell me how you resolved this issue?
@ionut-gheorghe Did you resolve this issue? Please let me know the details, as I am also facing the same issue...
This error may come up a lot now that Chrome will be implementing third party cookie blocking (Firefox and Safari already do that by default).
You probably need to use acquireTokenPopup or acquireTokenRedirect as a fallback when there is an error in the authentication.
```javascript
// Try silent acquisition first; start an interactive flow only when MSAL
// reports that user interaction is required
if (!apiData && inProgress === InteractionStatus.None) {
  instance
    .acquireTokenSilent(accessTokenRequest)
    .then((accessTokenResponse) => {
      // Acquire token silent success
      const accessToken = accessTokenResponse.accessToken;
      // Call your API with token
      callApi(accessToken).then((response) => {
        setApiData(response);
      });
    })
    .catch((error) => {
      if (error instanceof InteractionRequiredAuthError) {
        // Silent renewal cannot succeed (expired session, blocked 3rd party
        // cookies, expired SPA refresh token): fall back to the redirect flow
        instance.acquireTokenRedirect(accessTokenRequest);
      }
      console.log(error);
    });
}
```
More information here: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-spa-acquire-token
I tested the mentioned fix successfully with msal-react v1 (msal-browser v2) and msal-react v2 (msal-browser v3). I wanted to use the latest but there is a bug related to jest in v2 of msal-react (https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/6487).
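The silent-then-interactive fallback described in the comment above, and the login_required / AADSTS700084 failure modes from the maintainer's reply, as an added example that is not part of this thread or of the MSAL.js library. It factors the pattern into a helper that is exercised against a fake MSAL instance so it runs without a browser; the `InteractionRequiredAuthError` class, `makeFakeInstance`, `classifyTokenEndpointError` and `runDemo` are stand-ins and names assumed for this example (in an application the error class is imported from `@azure/msal-browser`, and the raw token-endpoint body is normally mapped into that class by MSAL rather than handled by application code).

```javascript
// Added example, not code from this thread or from MSAL.js.

// In an application this would be:
//   import { InteractionRequiredAuthError } from "@azure/msal-browser";
// Stand-in class (assumption) with the same name so `instanceof` reads as in real code.
class InteractionRequiredAuthError extends Error {
  constructor(errorCode, errorMessage) {
    super(`${errorCode}: ${errorMessage}`);
    this.name = "InteractionRequiredAuthError";
    this.errorCode = errorCode;
    this.errorMessage = errorMessage;
  }
}

// Classify a raw token-endpoint error body (same shape as the one quoted in the issue).
// invalid_grant + AADSTS700084: the SPA refresh token reached its fixed 24h lifetime.
// login_required / interaction_required / consent_required: the AAD session is gone or
// the hidden-iframe renewal was blocked (e.g. 3rd party cookies). All need a sign-in.
function classifyTokenEndpointError(body) {
  const m = /AADSTS(\d+)/.exec(body.error_description || "");
  const aadstsCode = m ? m[1] : null;
  const refreshTokenExpired = body.error === "invalid_grant" && aadstsCode === "700084";
  const interactionRequired =
    refreshTokenExpired ||
    ["login_required", "interaction_required", "consent_required"].includes(body.error);
  return { aadstsCode, refreshTokenExpired, interactionRequired };
}

// acquireTokenSilent first; only on InteractionRequiredAuthError fall back to an
// interactive method. Any other error (network, configuration) is rethrown: prompting
// the user would not fix it and would only loop the redirect.
async function acquireTokenWithFallback(instance, request, mode = "redirect") {
  try {
    const res = await instance.acquireTokenSilent(request);
    return { accessToken: res.accessToken, via: "silent" };
  } catch (error) {
    if (!(error instanceof InteractionRequiredAuthError)) throw error;
    if (mode === "popup") {
      const res = await instance.acquireTokenPopup(request);
      return { accessToken: res.accessToken, via: "popup" };
    }
    // acquireTokenRedirect navigates away; the token is delivered through
    // handleRedirectPromise() after the app reloads, so nothing is returned here.
    await instance.acquireTokenRedirect(request);
    return { accessToken: null, via: "redirect" };
  }
}

// Fake MSAL instance (constructed for this example) that records which method ran.
function makeFakeInstance(silentError) {
  const calls = [];
  return {
    calls,
    acquireTokenSilent: async () => {
      calls.push("silent");
      if (silentError) throw silentError;
      return { accessToken: "tok-silent" };
    },
    acquireTokenPopup: async () => { calls.push("popup"); return { accessToken: "tok-popup" }; },
    acquireTokenRedirect: async () => { calls.push("redirect"); },
  };
}

// Runs the scenarios the thread discusses and returns a summary instead of printing it.
async function runDemo() {
  const request = { scopes: ["user.read"] }; // constructed sample request
  const sessionGone = new InteractionRequiredAuthError(
    "login_required", "constructed message: AAD session expired or 3rd party cookies blocked");
  const out = {};
  out.ok = await acquireTokenWithFallback(makeFakeInstance(null), request);
  out.redirect = await acquireTokenWithFallback(makeFakeInstance(sessionGone), request);
  out.popup = await acquireTokenWithFallback(makeFakeInstance(sessionGone), request, "popup");
  try {
    await acquireTokenWithFallback(makeFakeInstance(new Error("network down")), request);
    out.rethrown = false;
  } catch (e) {
    out.rethrown = e.message === "network down";
  }
  return out;
}

runDemo().then((out) => console.log(JSON.stringify(out, null, 2)));
```

The design point is the narrow catch: only `InteractionRequiredAuthError` triggers the interactive flow, and the `inProgress === InteractionStatus.None` guard from the original snippet still belongs around the call so a redirect is not started while another interaction is pending.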
Core Library
MSAL.js v2 (@azure/msal-browser)
Core Library Version
2.22.1
Wrapper Library
MSAL Angular (@azure/msal-angular)
Wrapper Library Version
2.1.2
Description
Is there a way to avoid asking for user password (performing an interactive flow) after 24 hours of continuous use?
{ "error": "invalid_grant", "error_description": "AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2022-03-18T11:17:54.4321315+00:00." }
MSAL Configuration
No response
Relevant Code Snippets
No response
Identity Provider
Azure AD / MSA
Source
External (Customer)