AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

acquireTokenSilent() not emitting ACQUIRE_TOKEN_FAILURE event with an expired refresh token. #6959

Closed PaoloCuscela closed 5 months ago

PaoloCuscela commented 7 months ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.30.0

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

2.0.0

Public or Confidential Client?

Public

Description

Hi,

I'm running an Angular application on a mobile device through Ionic/Capacitor.

The issue I'm facing is that when the cached refresh token is expired the acquireTokenSilent promise is never resolved or rejected, preventing me from triggering the authentication flow. Nor is the ACQUIRE_TOKEN_FAILURE event emitted.

This is happening on an iPhone device.

I tried to edit the AD B2C Manifest to the following, including ionic://localhost as it is the origin of the device:

"replyUrlsWithType": [
        {
            "url": "ionic://localhost",
            "type": "Spa"        # I've also tried "Web"
        },
        {
            "url": "https://localhost",
            "type": "Spa"
        },
        {
            "url": "http://localhost",
            "type": "Spa"
        },
...

Error Message

No response

MSAL Logs

⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : @azure/msal-browser@2.30.0 : Verbose - Emitting event to callback 9e8b361a-2f57-4a52-bb6f-4b26eac9e0cd: msal:acquireTokenFromNetworkStart
⚡️ [log] - AuthAzureService >>> Evento non gestito {"eventType":"msal:acquireTokenFromNetworkStart","interactionType":"silent","payload":{"scopes":["openid","profile"],"forceRefresh":true,"account":{"homeAccountId":"","environment":"","tenantId":"","username":"","localAccountId":"","name":"terapeuta Test","idTokenClaims":{"ver":"1.0","iss":"","sub":"","aud":"","exp":1710339925,"nonce":"","iat":1710329125,"auth_time":1710329088,"oid":"","name":"","given_name":"","family_name":"","emails":[""],"tfp":"","nbf":1710329125}},"correlationId":"","authority":"","authenticationScheme":"Bearer"},"error":null,"timestamp":1710859187058}
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Initializing BaseAuthRequest
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Authentication Scheme set to "Bearer" as configured in Auth request
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - initializeServerTelemetryManager called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - getClientConfiguration called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - getDiscoveredAuthority called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Creating discovered authority with configured authority
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Refresh token client created
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : @azure/msal-common@7.6.0 : Verbose - RefreshTokenClientAcquireTokenWithCachedRefreshToken called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : @azure/msal-common@7.6.0 : Verbose - RefreshTokenClientAcquireToken called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : @azure/msal-browser@2.30.0 : Verbose - Refresh token expired/invalid or CacheLookupPolicy is set to Skip, attempting acquire token by iframe.
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - acquireTokenByIframe called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - initializeAuthorizationRequest called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - getRedirectUri called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Initializing BaseAuthRequest
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Authentication Scheme set to "Bearer" as configured in Auth request
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Setting validated request account
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - initializeServerTelemetryManager called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - getClientConfiguration called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - getDiscoveredAuthority called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Creating discovered authority with configured authority
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - Auth code client created
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : msal.js.browser@2.30.0 : Verbose - initializeAuthorizationRequest called
⚡️ [log] - [Tue, 19 Mar 2024 14:39:47 GMT] : [3c410be1-db96-4ae5-b648-df5411f1d32a] : @azure/msal-common@7.6.0 : Verbose - createAuthCodeUrlQueryString: Adding login_hint from account

Network Trace (Preferably Fiddler)

MSAL Configuration

import { Configuration, BrowserCacheLocation, LogLevel } from '@azure/msal-browser';
// `environment` (Angular environment file) and `isIE` (browser check) are defined elsewhere in the app.

export const msalConfig: Configuration = {
    auth: {
        clientId: environment.clientId,
        authority: environment.urlLogin,
        redirectUri: environment.urlApplication,
        knownAuthorities: [environment.urlLogin],
    },
    cache: {
        cacheLocation: BrowserCacheLocation.LocalStorage,
        storeAuthStateInCookie: isIE,
    },
    system: {
        loadFrameTimeout: 6000,
        windowHashTimeout: 60000,
        iframeHashTimeout: 10000,
        loggerOptions: {
            logLevel: LogLevel.Verbose,
            loggerCallback: (level, message, containsPii) => {
                if (containsPii) {
                    return;
                }
                switch (level) {
                    case LogLevel.Error:
                        console.error(message);
                        break;
                    case LogLevel.Info:
                        console.log(message);
                        break;
                    case LogLevel.Verbose:
                        console.log(message);
                        break;
                    case LogLevel.Warning:
                        console.warn(message);
                        break;

                    default:
                        break;
                }
            },
            piiLoggingEnabled: false,
        },
    },
};

Relevant Code Snippets

const accounts = this.msalService.instance.getAllAccounts();
if (accounts.length) {
  this.msalService.instance.setActiveAccount(accounts[0]);
  console.log('AuthAzureService >>> Trovato un account loggato, chiamo la check token');
  this.msalService.instance
    .acquireTokenSilent({
      scopes: ['openid', 'profile'],
      forceRefresh: true,
      account: this.msalService.instance.getActiveAccount(),
    })
    .then((authResult: any) => {
      console.log('AuthAzureService >>> Azure è già autenticato, token:', authResult.idToken);
      this.autenticazioneAzureEseguita.emit(true);
    })
    .catch((error: any) => { // Does not reach here
      console.error("AuthAzureService >>> Errore durante l'acquisizione del token", error);
      this.sessioneScaduta.emit();
    });
} else {...}

///////////

this.msalService.instance.addEventCallback((event: any) => {
  switch (event.eventType) {
    case EventType.LOGIN_SUCCESS:
      console.log('AuthAzureService >>> Evento da azure: LOGIN OK');
      const account = event.payload.account;
      this.msalService.instance.setActiveAccount(account);
      break;
    case EventType.ACQUIRE_TOKEN_BY_CODE_FAILURE: 
    case EventType.ACQUIRE_TOKEN_FAILURE: // Does not reach here
      console.log('AuthAzureService >>> Evento da azure: TOKEN NON VALIDO');
      this.sessioneScaduta.emit();
      break;
    default:
      console.log('AuthAzureService >>> Evento non gestito', event);
      break;
  }
});

Reproduction Steps

  1. Log in to Azure B2C
  2. Wait 14 days as it is the refresh token lifetime
  3. Try to acquire the token

Expected Behavior

I expect the catch callback of the acquireTokenSilent() function to be called or the ACQUIRE_TOKEN_FAILURE event to be emitted so I can trigger a new authentication flow.

Identity Provider

Azure B2C Basic Policy

Browsers Affected (Select all that apply)

Safari, Other

Regression

No response

Source

External (Customer)
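An added example (not code from the issue, from the reporter's app, or from MSAL.js) of the defensive wrapper I would put around acquireTokenSilent() in a situation like the one reported above: the silent call is raced against an explicit timeout, so an expired refresh token or a silent iframe that never posts its hash back cannot leave the app waiting forever, and only failures that genuinely require a new login (or the timeout) are turned into a "re-authenticate" decision. The SilentClient interface is a minimal stand-in for PublicClientApplication; the error shape (name and errorCode fields) and the set of error codes treated as interaction-required are assumptions about MSAL 2.x, and all three client objects at the bottom are constructed for the demo.

```typescript
// Added example, not code from the issue or from MSAL.js.

type SilentOutcome =
  | { kind: "token"; accessToken: string }
  | { kind: "interaction_required"; reason: string };

// Minimal stand-in for PublicClientApplication (assumption: only the one method we need).
interface SilentClient {
  acquireTokenSilent(req: { scopes: string[] }): Promise<{ accessToken: string }>;
}

// Assumption: a little above loadFrameTimeout (6000) + iframeHashTimeout (10000)
// from the reporter's config, so MSAL's own timeouts get the chance to fire first.
const SILENT_TIMEOUT_MS = 17000;

class SilentTimeoutError extends Error {
  constructor(ms: number) {
    super("acquireTokenSilent exceeded " + ms + " ms");
    this.name = "SilentTimeoutError";
  }
}

// Race a promise against a timer; the timer is cleared on either outcome.
function withTimeout<T>(p: Promise<T>, ms: number): Promise<T> {
  return new Promise<T>((resolve, reject) => {
    const timer = setTimeout(() => reject(new SilentTimeoutError(ms)), ms);
    p.then(
      (v) => { clearTimeout(timer); resolve(v); },
      (e) => { clearTimeout(timer); reject(e); },
    );
  });
}

// Error codes for which only a fresh interactive login can help
// (assumption: the codes MSAL 2.x surfaces for this case).
const INTERACTIVE_CODES = new Set([
  "interaction_required",
  "login_required",
  "consent_required",
  "monitor_window_timeout", // silent iframe never returned a hash
]);

// Decide whether a silent failure should force a new login. Transient failures
// (network, server errors) are deliberately not treated this way, so the app does
// not bounce the user to the login page on every flaky request.
function needsInteraction(err: unknown): boolean {
  if (err instanceof SilentTimeoutError) return true;
  const e = err as { name?: string; errorCode?: string } | null;
  if (!e) return false;
  return e.name === "InteractionRequiredAuthError" || INTERACTIVE_CODES.has(e.errorCode ?? "");
}

async function acquireWithFallback(
  client: SilentClient,
  scopes: string[],
  timeoutMs: number = SILENT_TIMEOUT_MS,
): Promise<SilentOutcome> {
  try {
    const result = await withTimeout(client.acquireTokenSilent({ scopes }), timeoutMs);
    return { kind: "token", accessToken: result.accessToken };
  } catch (err) {
    if (needsInteraction(err)) {
      const reason = err instanceof Error ? err.name : String(err);
      return { kind: "interaction_required", reason };
    }
    throw err; // let the caller retry transient errors instead of re-authenticating
  }
}

// Constructed stand-in clients for the three behaviours a caller can meet.
const hangingClient: SilentClient = {
  // never settles: the behaviour reported in this issue
  acquireTokenSilent: () => new Promise<{ accessToken: string }>(() => {}),
};
const expiredClient: SilentClient = {
  acquireTokenSilent: () =>
    Promise.reject(Object.assign(new Error("refresh token expired"),
      { name: "InteractionRequiredAuthError", errorCode: "interaction_required" })),
};
const healthyClient: SilentClient = {
  acquireTokenSilent: () => Promise.resolve({ accessToken: "constructed-token" }),
};

// Runs the three cases with a short timeout for the hanging one and returns the outcome kinds.
async function demo(): Promise<string[]> {
  const outcomes = await Promise.all([
    acquireWithFallback(hangingClient, ["openid", "profile"], 50),
    acquireWithFallback(expiredClient, ["openid", "profile"]),
    acquireWithFallback(healthyClient, ["openid", "profile"]),
  ]);
  return outcomes.map((o) => o.kind);
}

demo().then((kinds) => console.log(kinds)); // → [ 'interaction_required', 'interaction_required', 'token' ]
```

In the Angular service this replaces the bare `.then/.catch` around `acquireTokenSilent`: a `kind === "interaction_required"` result is where `sessioneScaduta.emit()` (or `loginRedirect`) belongs, while anything rethrown is a transient error worth retrying rather than a reason to drop the session.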

raszagar commented 6 months ago

Hello, I have seen that you say that the login in Angular Ionic works for you. I know you from this stackoverflow thread: https://stackoverflow.com/questions/69391322/ionic-and-msal-authentication

I can't get it to work for me.

Could you tell me where I can find information so that it works on a mobile device? I have uploaded an example of my code at:

https://github.com/raszagar/DemoOauth2AngularIonic

Thanks!

tnorling commented 5 months ago

Please try updating to the latest version (currently 3.13.0) and let us know if this is still a problem.

microsoft-github-policy-service[bot] commented 5 months ago

@PaoloCuscela This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.