Open akopplinufpi opened 1 week ago
Update: Ive found that if I shift+F5 refresh, then the cookie re-appears in the browser. However this still does not explain why users are booted out after 24 hours
@akopplinufpi A SPA RT is only valid for 24 hrs by design in the default case. MSAL JS however does not control the browser cookies or the KMSI cookie presence enabling the server to issue a valid RT silently. Did you check with B2C service if they have an explanation? Support link here.
Please let me know if there is no response and I can try engage the B2C team here.
Hi @sameerag thank you for taking the time to respond! I went to create the support request, and it looks like the "Technical" issue type is not available. I went ahead and created a request anyways... Can you ping the B2C team to see if they got the request? support request number: 2409090040008015
Core Library
MSAL.js (@azure/msal-browser)
Core Library Version
^3.4.0
Wrapper Library
MSAL React (@azure/msal-react)
Wrapper Library Version
^2.0.7
Public or Confidential Client?
Public
Description
We are experiencing an issue where the user selects "Keep Me Signed In" (KMSI) when logging in. But the user is unable to get new tokens after 24 hours without interaction (acquiretokensilent VS acquiretokenredirect).
In the Microsoft documentation it is stated that the cookie used to persist the KMSI setting is called
x-ms-cpim-sso:{Id}
source: https://learn.microsoft.com/en-us/azure/active-directory-b2c/cookie-definitions
I verified that the token is being successfully stored in the browser:
The expiration date on the cookie is 90 days from today. However, when I close the browser and re-open, the cookie is no longer there. The fact that the cookie is getting deleted therefore is breaking the KMSI functionality. I have tested this in both Chrome and Edge.
Here are the SPA redirect URI's that we are using the in the app
We are using user flow
We have keep me signed in selected
Error Message
No response
MSAL Logs
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:initializeStart main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:initializeEnd main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:handleRedirectStart main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - MsalProvider - msal:handleRedirectStart results in setting inProgress from startup to handleRedirect main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account jobs:1 GET https://(my-domain.com)/favicons/site.webmanifest 404 (Not Found) site.webmanifest:1 Manifest: Line: 1, column: 1, Syntax error. main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - BrowserCacheManager: addTokenKey - idToken added to map main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - BrowserCacheManager: addTokenKey - refreshToken added to map main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:loginSuccess main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:handleRedirectEnd main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - MsalProvider - msal:handleRedirectEnd results in setting inProgress from handleRedirect to none main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account main.be3b1d23.js:2 GET https://(my-domain.com)/api/jobs/jobdetails 401 (Unauthorized) (anonymous) @ main.be3b1d23.js:2 (anonymous) @ main.be3b1d23.js:2 xhr @ main.be3b1d23.js:2 HI @ main.be3b1d23.js:2 Promise.then (async) request @ main.be3b1d23.js:2 QT.forEach.YI. @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
makeGetRequest @ main.be3b1d23.js:2
getAPIResponseAsync @ main.be3b1d23.js:2
loadJobData @ main.be3b1d23.js:2
loadJobDataAsync @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
ol @ main.be3b1d23.js:2
_c @ main.be3b1d23.js:2
cc @ main.be3b1d23.js:2
Wo @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
Cc @ main.be3b1d23.js:2
ic @ main.be3b1d23.js:2
C @ main.be3b1d23.js:2
I @ main.be3b1d23.js:2
main.be3b1d23.js:2 Unauthorized, trying to get token and retrying request. Route: jobs/jobDetails
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:acquireTokenStart
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getAccessToken - No token found
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getRefreshToken - returning refresh token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [3e0333b9-cdf7-4819-992f-b09dafa3560f] : @azure/msal-common@14.4.0 : Info - Token refresh is required due to cache outcome: 2
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:acquireTokenFromNetworkStart
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getRefreshToken - returning refresh token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 GET https://(my-domain.com)/api/user/userrole 401 (Unauthorized)
(anonymous) @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
xhr @ main.be3b1d23.js:2
HI @ main.be3b1d23.js:2
Promise.then (async)
request @ main.be3b1d23.js:2
QT.forEach.YI. @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
makeGetRequest @ main.be3b1d23.js:2
getAPIResponseAsync @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
ol @ main.be3b1d23.js:2
_c @ main.be3b1d23.js:2
cc @ main.be3b1d23.js:2
Wo @ main.be3b1d23.js:2
(anonymous) @ main.be3b1d23.js:2
Cc @ main.be3b1d23.js:2
ic @ main.be3b1d23.js:2
C @ main.be3b1d23.js:2
I @ main.be3b1d23.js:2
main.be3b1d23.js:2 Unauthorized, trying to get token and retrying request. Route: User/UserRole
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - BrowserCacheManager: addTokenKey - accessToken added to map
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-browser@3.5.0 : Info - Emitting event: msal:acquireTokenSuccess
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:52 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:55 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:55 GMT] : [] : @azure/msal-common@14.4.0 : Info - CacheManager:getIdToken - Returning id token
main.be3b1d23.js:2 [Tue, 03 Sep 2024 14:20:55 GMT] : [] : @azure/msal-react@2.0.7 : Info - useAccount - Updating account
Network Trace (Preferrably Fiddler)
MSAL Configuration
Relevant Code Snippets
in app.jsx, we wrap our /jobs route in a component we call.
here is the relevant code from RequireAuth
Here is the code from our API class that is responsible for getting a valid token and attaching it to network requests. After 24 hours, when a network request is made, the user is redirected to /notauthorized
If the users role is null, we we render a spinner, while the user is being redirected to B2C to sign in. You can see the scopes that are used to sign in from the MSAL Configuration above. Once the user comes back from being redirected to B2C, the user gets a token, which is then used to make an API call to get the role. Once the user has their role, they are let in to the app, which is rendered by {children}
Reproduction Steps
If you would like to reproduce this issue in our dev environment, please contact me and I will be able to get you access.
Expected Behavior
The expected behavior is that the cookie
x-ms-cpim-sso:{Id}
should not get deleted when the browser closes. it should stay in the cookies in the browser and allow the user to stay signed in for up to 90 days. What we are experiencing is that the user is again unable to retrieve a token after 24 hours without interaction.Identity Provider
Azure B2C Custom Policy
Browsers Affected (Select all that apply)
Chrome, Edge
Regression
No response
Source
External (Customer)