AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Refresh token lifetime #4613

Closed ionut-gheorghe closed 2 years ago

ionut-gheorghe commented 2 years ago

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.22.1

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.1.2

Description

Is there a way to avoid asking for user password (performing an interactive flow) after 24 hours of continuous use?

{ "error": "invalid_grant", "error_description": "AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2022-03-18T11:17:54.4321315+00:00." }

MSAL Configuration

No response

Relevant Code Snippets

No response

Identity Provider

Azure AD / MSA

Source

External (Customer)

jo-arroyo commented 2 years ago

@ionut-gheorghe After the refresh token has expired, the library should catch these errors and silently renew the tokens. It's only when this fails that interaction is required. Please take a look at our docs here for more information about token renewal. If the docs do not answer your question, please provide verbose logs and your configuration and code snippets so we can debug your issue.

ionut-gheorghe commented 2 years ago

My application/feature does HTTP calls every 60 seconds. Looking at the source code of the interceptor, acquireTokenSilent is invoked when there is an HTTP call. Let's say that this call is done 60 seconds after the refresh token has expired; the call to {tenant}/oauth2/v2.0/token will result in an error (bad request 400) with the response shown above, invoking the interactive flow.

jo-arroyo commented 2 years ago

@ionut-gheorghe Are you able to send me verbose logs? My email is in my Github profile.

ionut-gheorghe commented 2 years ago

I have launched locally the app in verbose mode just after I saw your response but my PC decided to restart, so I have to wait another 24 hours...

ionut-gheorghe commented 2 years ago

I finally have the logs; I will have them sent to your email this afternoon.

Edit. Logs sent

ghost commented 2 years ago

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @samuelkubai please follow up.

sameerag commented 2 years ago

@jo-arroyo assigning this to you as you seem to have the logs sent.

ellymakuba commented 2 years ago

@ionut-gheorghe thank you for providing the logs. After 24 hours, when the refresh token expires, MSAL will attempt to silently renew the refresh token, and if that succeeds the user should not need to sign in again. This may fail if the user's AAD session has expired or if they have third-party cookies blocked. The server logs indicate that either the user's session has expired or third-party cookies are blocked, which is why it returns a login_required error, which must be resolved with an interactive login. As a result we believe MSAL and angularjs are working as designed.

ghost commented 2 years ago

@ionut-gheorghe This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

bastek338 commented 11 months ago

@ionut-gheorghe could you tell me how you resolved this issue?

brahmaiahthota commented 9 months ago

@ionut-gheorghe Did you resolve this issue? Please let me know the details; I am also facing the same issue...

julian-alarcon commented 7 months ago

This error may come up a lot now that Chrome will be implementing third-party cookie blocking (Firefox and Chrome already do that by default). You probably need to use acquireTokenPopup or acquireTokenRedirect as a fallback when there is an error in the authentication.

    if (!apiData && inProgress === InteractionStatus.None) {
      instance
        .acquireTokenSilent(accessTokenRequest)
        .then((accessTokenResponse) => {
          // Acquire token silent success
          let accessToken = accessTokenResponse.accessToken;
          // Call your API with token
          callApi(accessToken).then((response) => {
            setApiData(response);
          });
        })
        .catch((error) => {
          if (error instanceof InteractionRequiredAuthError) {
            instance.acquireTokenRedirect(accessTokenRequest);
          }
          console.log(error);
        });
    }

More information here: https://learn.microsoft.com/en-us/entra/identity-platform/scenario-spa-acquire-token

I tested the mentioned fix successfully with msal-react v1 (msal-browser v2) and msal-react v2 (msal-browser v3). I wanted to use the latest, but there is a bug related to jest in v2 of msal-react (https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/6487).
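The following is an added example, not code from this thread or from the MSAL project. It puts together the two points made above: the maintainers' explanation that MSAL tries a silent renewal first and only needs interaction when that fails (for example with login_required when the AAD session is gone or third-party cookies are blocked), and the fallback pattern in the last comment. It also parses the AADSTS700084 body quoted in the report so that a client can log the issuance time and confirm the fixed 24-hour SPA refresh token lifetime has elapsed. The `instance` argument is assumed to be any object with the msal-browser `PublicClientApplication` method names; the `InteractionRequiredAuthError` class and the mock instance are constructed stand-ins so the file runs offline, and real code would import the library's class and use the real `PublicClientApplication` instead.

```javascript
// Token-endpoint error body in the shape quoted in the issue. Constructed from
// the text of the report, not captured from a live tenant.
const SAMPLE_TOKEN_ERROR = {
  error: 'invalid_grant',
  error_description:
    'AADSTS700084: The refresh token was issued to a single page app (SPA), and ' +
    'therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. ' +
    'It is now expired and a new sign in request must be sent by the SPA to the sign in ' +
    'page. The token was issued on 2022-03-18T11:17:54.4321315+00:00.',
};

// The fixed 1.00:00:00 lifetime named in the error text.
const SPA_REFRESH_TOKEN_LIFETIME_HOURS = 24;

// Extract the AADSTS code and issuance timestamp so telemetry can separate
// "refresh token reached its fixed lifetime" from other token failures.
function classifyTokenError(body) {
  const desc = body.error_description || '';
  const code = desc.match(/AADSTS(\d+)/);
  const issued = desc.match(/issued on (\S+)\./);
  // Errors that a new interactive sign-in can resolve (assumption: this list
  // covers the cases discussed in the thread, not every AAD error).
  const interactionErrors = new Set(['invalid_grant', 'interaction_required', 'login_required']);
  return {
    error: body.error,
    aadstsCode: code ? `AADSTS${code[1]}` : null,
    issuedOn: issued ? issued[1] : null,
    requiresInteraction: interactionErrors.has(body.error),
  };
}

// Hours elapsed since an ISO timestamp. AAD emits seven fractional digits;
// trim to three so Date parsing is unambiguous across JS engines.
function hoursSince(isoTimestamp, now = new Date()) {
  const trimmed = isoTimestamp.replace(/(\.\d{3})\d+/, '$1');
  return (now.getTime() - new Date(trimmed).getTime()) / 3_600_000;
}

// Stand-in for InteractionRequiredAuthError from @azure/msal-browser
// (assumption: real code imports the library's class instead of this one).
class InteractionRequiredAuthError extends Error {
  constructor(errorCode, message) {
    super(message);
    this.name = 'InteractionRequiredAuthError';
    this.errorCode = errorCode;
  }
}

// Silent-first acquisition with an interactive fallback. Only interaction-required
// errors trigger the fallback; anything else (network, configuration) is rethrown
// so a transient failure does not force the user through a new sign-in.
async function acquireTokenWithFallback(instance, request, fallback = 'popup') {
  try {
    const result = await instance.acquireTokenSilent(request);
    return { accessToken: result.accessToken, via: 'silent' };
  } catch (err) {
    const needsInteraction =
      err instanceof InteractionRequiredAuthError || err.name === 'InteractionRequiredAuthError';
    if (!needsInteraction) throw err;
    if (fallback === 'redirect') {
      // acquireTokenRedirect navigates away; the token arrives on the next page
      // load via handleRedirectPromise, so there is nothing to return here.
      await instance.acquireTokenRedirect(request);
      return { accessToken: null, via: 'redirect' };
    }
    const result = await instance.acquireTokenPopup(request);
    return { accessToken: result.accessToken, via: 'popup' };
  }
}

// Constructed mock of a PublicClientApplication for offline demonstration.
// `silentError`, when set, is what acquireTokenSilent rejects with.
function makeMockInstance({ silentError = null } = {}) {
  const calls = [];
  return {
    calls,
    async acquireTokenSilent() {
      calls.push('silent');
      if (silentError) throw silentError;
      return { accessToken: 'token-from-cache' };
    },
    async acquireTokenPopup() {
      calls.push('popup');
      return { accessToken: 'token-from-popup' };
    },
    async acquireTokenRedirect() {
      calls.push('redirect');
    },
  };
}
```

In the real interceptor the `fallback` choice is the same decision the last comment makes between acquireTokenPopup and acquireTokenRedirect; the redirect branch returns no token because the browser leaves the page, which is why the token has to be picked up through handleRedirectPromise afterwards. Rethrowing non-interaction errors matters for the 60-second polling case described earlier in the thread: a single network hiccup should surface as an error, not as an unexpected login prompt.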