AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

If token needs to be refreshed and AAD is down, MsalNode crashes #6115

Open bgavrilMS opened 1 year ago

bgavrilMS commented 1 year ago

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.17.3

Wrapper Library

Not Applicable

Wrapper Library Version

n/a

Public or Confidential Client?

Both

Description

Existing implementation of pro-active token refresh (based on refresh_in) does not seem right. Note that this is only implemented in AcquireTokenSilent - so it affects both Public Client and Confidential Client (web site).

Scenario:

  1. app gets a token from ESTS with expires_in = 60 min and refresh_in = 30 min
  2. after 45 min an ESTS outage happens
  3. app requests the token from MSAL. MSAL makes a request to ESTS, but ESTS is down

Actual: UI required exception and app is blocked during ESTS outage

Expected: exception should be silent and token should be returned from cache (it is still valid!)

See https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/0648d17c0923e44ac525b36ca926828db4776716/lib/msal-common/src/client/SilentFlowClient.ts#L129 for code

See https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview?path=/RefreshAtExpirationPercentage/overview.md&version=GBdev&anchor=key-case-sensitivity for spec - particularly acceptance test 3

Error Message

No response

Msal Logs

No response

MSAL Configuration

AcquireTokenSilent is affected by this, when CAE is enabled - LLT tokens + refresh_in is given to MSAL.

Relevant Code Snippets

n/a

Reproduction Steps

see above

Expected Behavior

see above

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Other

Regression

No response

Source

Internal (Microsoft)
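
The fallback behaviour requested in the scenario above, as an added example (not code from this issue or from MSAL; every type, function and error name here is hypothetical). It assumes token request failures can be split into "service unavailable" and "grant rejected", and uses a synchronous callback as a stand-in for the network request.

```typescript
// Added example: all names are hypothetical, this is not MSAL's API.
interface CachedToken {
  secret: string;
  expiresOn: number; // epoch seconds, derived from expires_in
  refreshOn: number; // epoch seconds, derived from refresh_in
}
type FailureKind = "service_unavailable" | "grant_rejected"; // assumed split
class TokenRequestError extends Error {
  kind: FailureKind;
  constructor(kind: FailureKind, message: string) {
    super(message);
    this.kind = kind;
  }
}
type Refresher = () => CachedToken; // stand-in for the network token request
type TokenSource = "cache" | "network" | "cache_fallback";

function acquireTokenSilent(
  cached: CachedToken | null,
  now: number,
  refresh: Refresher
): { token: CachedToken; source: TokenSource } {
  // Nothing usable in cache: the request must succeed, so errors surface.
  if (cached === null || now >= cached.expiresOn) {
    return { token: refresh(), source: "network" };
  }
  // Before refresh_on: serve the cached token without a network call.
  if (now < cached.refreshOn) {
    return { token: cached, source: "cache" };
  }
  // Between refresh_on and expires_on: try a proactive refresh, but an
  // outage must not block the caller while the cached token is still valid.
  try {
    return { token: refresh(), source: "network" };
  } catch (err) {
    if ((err as { kind?: string }).kind === "service_unavailable") {
      return { token: cached, source: "cache_fallback" };
    }
    throw err; // a rejected grant is not an outage, so it is not masked
  }
}

// Constructed scenario from the issue: expires_in 60 min, refresh_in 30 min.
const ISSUED = 1700000000;
const SAMPLE: CachedToken = {
  secret: "constructed-token",
  expiresOn: ISSUED + 3600,
  refreshOn: ISSUED + 1800,
};
const outage: Refresher = () => {
  throw new TokenRequestError("service_unavailable", "token endpoint down");
};
```

Calling `acquireTokenSilent(SAMPLE, ISSUED + 45 * 60, outage)` reproduces step 3 of the scenario and returns the cached token with source `cache_fallback`; the same call at or after `expiresOn` propagates the error because no valid token remains.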

bgavrilMS commented 1 year ago

@Robbie-Microsoft is looking at using refresh_in correctly for client_credentials, I would think we can come up with a solution everywhere.