AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

GraphServiceClient token expiration on EasyAuth App Service with session lifetime cookie #2880

Open mwiedemeyer opened 1 month ago

mwiedemeyer commented 1 month ago

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.19.0

Web app

Sign-in users

Web API

Protected web APIs call downstream web APIs

Token cache serialization

In-memory caches

Description

I'm using Azure App Service EasyAuth and Microsoft.Identity.Web and Microsoft.Identity.Web.GraphServiceClient with the following code in a Blazor 8 SSR web app:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
              .AddMicrosoftIdentityWebApp(builder.Configuration)
              .EnableTokenAcquisitionToCallDownstreamApi(["user.read", "sites.read.all"])
                      .AddMicrosoftGraph()
                      .AddInMemoryTokenCaches();

The issue here is that the user is logged in even after 1h because of the "session" lifetime of the App Service auth cookie AppServiceAuthSession. However, the injected GraphServiceClient loses access after 1h because the token expires. Here is the detailed explanation from March without an answer.

Reproduction steps

  1. Create a blank Blazor 8 SSR app
  2. Add the code to Program.cs:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(["user.read", "sites.read.all"])
    .AddMicrosoftGraph()
    .AddInMemoryTokenCaches();

builder.Services.AddScoped<MyCustomGraphService>();

(...)

app.UseAuthentication();
app.UseAuthorization();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();
  3. Create a MyCustomGraphService.cs:
using Microsoft.Graph;

// Injected GraphServiceClient from Microsoft.Identity.Web.GraphServiceClient
public class MyCustomGraphService(GraphServiceClient graphServiceClient)
{
    public async Task TestUser()
    {
        await graphServiceClient.Me.GetAsync();
    }
}
  4. Run the app, call the TestUser method with a button click. Then wait >1h and test again.

Error message

Message: Lifetime validation failed, the token is expired.

Id Web logs

No response

Relevant code snippets

See reproduction steps

Regression

No response

Expected behavior

Not sure how this should work. However, I want to work with the web app even after 1h without restarting my browser.
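As an added illustration (not code from this issue, from Microsoft.Identity.Web or from Microsoft), one way to keep a still-valid session cookie from masking a dead Graph token is to fail closed: treat a 401 from Graph or an Id Web challenge exception as "re-authenticate now" instead of retrying with the expired token. The wrapper class name is hypothetical; it assumes `AddMicrosoftIdentityConsentHandler()` has been registered in Program.cs so that `MicrosoftIdentityConsentAndConditionalAccessHandler` can be injected and the app hosts the challenge endpoint it navigates to.

```csharp
using Microsoft.Extensions.Logging;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;
using Microsoft.Identity.Web;

// Hypothetical wrapper around the issue's MyCustomGraphService (added example).
// Assumes builder.Services.AddMicrosoftIdentityConsentHandler() in Program.cs.
public class ReauthenticatingGraphService(
    GraphServiceClient graphServiceClient,
    MicrosoftIdentityConsentAndConditionalAccessHandler consentHandler,
    ILogger<ReauthenticatingGraphService> logger)
{
    // Same scopes the app requested via EnableTokenAcquisitionToCallDownstreamApi.
    private static readonly string[] Scopes = ["user.read", "sites.read.all"];

    // Returns the signed-in user's profile, or null when a fresh sign-in was requested.
    public async Task<User?> GetMeAsync()
    {
        try
        {
            return await graphServiceClient.Me.GetAsync();
        }
        catch (ODataError ex) when (ex.ResponseStatusCode == 401)
        {
            // The cookie session is still alive but Graph rejected the bearer token
            // (e.g. "Lifetime validation failed, the token is expired").
            // Do not keep calling Graph with the dead token; send the user back
            // through sign-in so a fresh token lands in the cache.
            logger.LogWarning("Graph returned 401 ({Error}); challenging user to re-sign-in",
                ex.Error?.Message);
            consentHandler.ChallengeUser(Scopes);
            return null;
        }
        catch (MicrosoftIdentityWebChallengeUserException ex)
        {
            // Raised by Id Web when a token cannot be acquired silently
            // (expired refresh token, revoked session, conditional access).
            // HandleException navigates to the challenge endpoint for these cases.
            logger.LogWarning(ex, "Silent token acquisition failed; challenging user");
            consentHandler.HandleException(ex);
            return null;
        }
    }
}
```

A null return means a navigation to the sign-in challenge has been issued, so the calling component should stop rendering Graph-backed data for that request.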

lancebush commented 1 month ago

Were you able to find a solution for this? I am running into the same issue

mwiedemeyer commented 1 month ago

No. I hope to get an answer from Microsoft here.

JVita-Code commented 2 weeks ago

No answer yet on this? It also happens if you create a web app. In my case, I'm having an error similar to this when using ASP OWIN in an MVC .NET Framework app. I thought Identity.Web would handle refresh tokens by itself.