AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

acquireTokenSilent with MSAL.js giving error #7033

Closed hsalla923 closed 5 months ago

hsalla923 commented 6 months ago

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.4.1

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

none

Public or Confidential Client?

Public, Confidential

Description

Core Library MSAL.js v2 (@azure/msal-browser)

Core Library Version 2.4.1

Wrapper Library Not Applicable

Wrapper Library Version None

Description

When trying to renew the token with acquireTokenSilent, getting 400 status for the "/token" call.

Error Message

{"error":"invalid_grant","error_description":"AADSTS700084: The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of 1.00:00:00, which cannot be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on 2022-04-01T07:29:11.1319999+00:00.\r\nTrace ID: e0ce4356-03da-4b91-99f9-3c8efbad8b01\r\nCorrelation ID: dd0bd01d-ea85-4247-8233-cee2c9e56664\r\nTimestamp: 2022-04-08 11:53:29Z","error_codes":[700084],"timestamp":"2022-04-08 11:53:29Z","trace_id":"e0ce4356-03da-4b91-99f9-3c8efbad8b01","correlation_id":"dd0bd01d-ea85-4247-8233-cee2c9e56664","error_uri":"https://login.microsoftonline.com/error?code=700084","suberror":"bad_token"}

MSAL Logs

No response


Network Trace (Preferably Fiddler)

MSAL Configuration

// Import added for completeness; `environment` (the Angular environment file)
// and `isIE` (a browser check) are defined elsewhere in the reporter's app.
import { IPublicClientApplication, PublicClientApplication } from '@azure/msal-browser';

export function MSALInstanceFactory(): IPublicClientApplication {
    return new PublicClientApplication({
        auth: {
            clientId: environment.CLIENT_ID,
            authority: 'https://login.microsoftonline.com/id/',
            redirectUri: `https://${window.location.host}/login`,
        },
        cache: {
            cacheLocation: 'localStorage',
            storeAuthStateInCookie: isIE,
        }
    });
}

Relevant Code Snippets

// Method signature added for completeness; the original snippet began mid-method.
// `environment`, `Service.PKCE_TOKEN` and `map` (from rxjs/operators) come from the reporter's app.
getToken() {
    const accounts = this.msalService.instance.getAllAccounts();
    if (accounts.length > 0) {
        return this.msalService.acquireTokenSilent({
            account: accounts[0],
            scopes: [`api://${environment.CLIENT_ID}/client:admin`]
        }).pipe(map(data => {
            // Reporter keeps a copy of the result in localStorage alongside MSAL's own cache
            localStorage.setItem(Service.PKCE_TOKEN, JSON.stringify(data));
            return data;
        }));
    }
    return null;
}

Reproduction Steps

1. Initialise the Graph client API with config.
2. Have a getToken method which is triggered on every Graph API request.
3. Make the token expired by changing the expiresOn time.
4. Request the Graph API service.
5. Then 'acquireTokenSilent' executes but returns 400.

Expected Behavior

acquireTokenSilent should return a new accessToken and refresh token.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

none

Source

Internal (Microsoft)

tnorling commented 5 months ago

This is expected behavior as the Refresh Token has a 24 hour lifetime. The 400 is caught and handled by MSAL, which falls back to a different method of getting a token. That will result in either a successful response or a different error thrown by the API; if an interaction_required error is thrown you will need to catch it and invoke an interactive API.
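The silent-then-interactive pattern described in the comment above, as an added TypeScript example that is not code from the issue or from the MSAL.js repository. The `TokenClient` interface mirrors the method shapes of @azure/msal-browser's `PublicClientApplication` (`acquireTokenSilent`, `acquireTokenRedirect`); the `InteractionRequiredAuthError` class, the `FakeClient`, its error strings and the placeholder client id in `demoRequest` are stand-ins assumed here so the file runs without the library installed.

```typescript
// Added example, not code from the issue or from MSAL.js. Models the
// acquireTokenSilent -> interactive fallback from the comment above.
// TokenClient mirrors @azure/msal-browser's PublicClientApplication method
// shapes; InteractionRequiredAuthError and FakeClient are local stand-ins
// (assumption) so this runs offline. In a real app import
// InteractionRequiredAuthError from "@azure/msal-browser" and drop the stand-in.

export interface AccountInfo { homeAccountId: string; username: string; }
export interface SilentRequest { scopes: string[]; account: AccountInfo; }
export interface AuthenticationResult { accessToken: string; expiresOn: Date; }

// Stand-in for the library's error class: an Error carrying the server's
// errorCode (e.g. "interaction_required").
export class InteractionRequiredAuthError extends Error {
  readonly errorCode: string;
  constructor(errorCode: string, message?: string) {
    super(message ?? errorCode);
    this.name = "InteractionRequiredAuthError";
    this.errorCode = errorCode;
    Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype); // instanceof on ES5 targets
  }
}

export interface TokenClient {
  acquireTokenSilent(req: SilentRequest): Promise<AuthenticationResult>;
  acquireTokenRedirect(req: SilentRequest): Promise<void>;
}

// Only an interaction-required error justifies sending the user to sign-in.
export function isInteractionRequired(err: unknown): boolean {
  return err instanceof InteractionRequiredAuthError;
}

export interface FallbackOutcome {
  result: AuthenticationResult | null; // null when we redirected for interaction
  redirected: boolean;
}

// 1. Try silently (MSAL internally tries its cache, the refresh token, then a
//    hidden iframe). 2. If MSAL says interaction is required, call an
//    interactive API. 3. Any other error is rethrown so a flaky network or a
//    server outage does not loop the user through sign-in.
export async function acquireTokenWithFallback(client: TokenClient, req: SilentRequest): Promise<FallbackOutcome> {
  try {
    const result = await client.acquireTokenSilent(req);
    return { result, redirected: false };
  } catch (err) {
    if (!isInteractionRequired(err)) {
      throw err;
    }
    await client.acquireTokenRedirect(req); // in a browser this navigates away
    return { result: null, redirected: true };
  }
}

export type SilentFailure = "none" | "interaction" | "network";

// Constructed fake client modelling the issue: the silent call succeeds, fails
// because interaction is required (what the caller sees once the 24-hour SPA
// refresh token has expired and MSAL's own fallbacks also fail), or fails for
// an unrelated reason.
export class FakeClient implements TokenClient {
  redirects = 0;
  private readonly silentFailure: SilentFailure;
  constructor(silentFailure: SilentFailure) { this.silentFailure = silentFailure; }

  async acquireTokenSilent(req: SilentRequest): Promise<AuthenticationResult> {
    if (this.silentFailure === "interaction") {
      throw new InteractionRequiredAuthError("interaction_required",
        `constructed: refresh token expired for ${req.account.username}; sign in again`);
    }
    if (this.silentFailure === "network") {
      throw new Error("constructed: token endpoint unreachable");
    }
    return { accessToken: "constructed-access-token", expiresOn: new Date(Date.now() + 3600 * 1000) };
  }

  async acquireTokenRedirect(): Promise<void> { this.redirects += 1; }
}

export const demoRequest: SilentRequest = {
  scopes: ["api://00000000-0000-0000-0000-000000000000/client:admin"], // placeholder client id
  account: { homeAccountId: "constructed-home-account-id", username: "user@example.com" },
};

// Runs the three scenarios and returns a one-line summary of each.
export async function demo(): Promise<string[]> {
  const lines: string[] = [];
  const failures: SilentFailure[] = ["none", "interaction", "network"];
  for (const failure of failures) {
    try {
      const outcome = await acquireTokenWithFallback(new FakeClient(failure), demoRequest);
      lines.push(`${failure}: redirected=${outcome.redirected} token=${outcome.result?.accessToken ?? "none"}`);
    } catch (err) {
      lines.push(`${failure}: rethrown (${(err as Error).message})`);
    }
  }
  return lines;
}

void demo().then((lines) => lines.forEach((l) => console.log(l)));
```

With the real library, pass your `PublicClientApplication` (in MSAL Angular, `MsalService.instance`) as the client and import `InteractionRequiredAuthError` from `@azure/msal-browser`; `acquireTokenPopup` can replace `acquireTokenRedirect` if you would rather keep the page. The design point is that only an `InteractionRequiredAuthError` triggers the interactive call; everything else is surfaced to the caller. MSAL also stores the result in the configured `cacheLocation` itself, so the extra `localStorage` copy written in the issue's snippet is not needed for renewal.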

hsalla923 commented 5 months ago

Please don't close this issue right away once you have responded.

Can I know if there is a reference implementation of "if an interaction_required error is thrown you will need to catch it and invoke an interactive API", as you mentioned, please?