microsoft / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License

OAuthPrompt returns expired token #1614

Closed fabio-muramatsu closed 5 years ago

fabio-muramatsu commented 5 years ago

Version

4.3.2

Describe the bug

I'm using the OAuthPrompt to authenticate the user to my bot, which runs as an AADv2 application. I can get the token correctly from the OAuthPrompt, but I noticed it returns a cached token even if it is expired. This issue is similar to the one described in #764, but I've decided to open a new one because the original issue involves more than just the expired token being returned.

To Reproduce

Use the OAuthPrompt to authenticate the user and get a token. After some time (enough for the token to expire), calling OAuthPrompt again results in the expired token being returned.

Expected behavior

If the token is expired, the OAuthPrompt should request the user to authenticate again, and return a valid token to the bot application.

[bug]

sgellock commented 5 years ago

@fabio-muramatsu this behavior is currently by design

fabio-muramatsu commented 5 years ago

Hi @sgellock, thanks for the response. In this case, is it possible to expose the expiration date as part of the TokenResponse? The expiration field there seems to be always null.

Right now, the only way to find out if a token is expired is to actually try using it and catching the corresponding exception, which is less than ideal. I'd appreciate any suggestions here.

lghinet commented 5 years ago

Hello, how can I force a refresh token without re-login? The offline_access scope is allowed.

lghinet commented 5 years ago

@sgellock can you provide a workaround?

uniper-scott commented 5 years ago

We are also having this exact same issue. When we were using a webchat version of our bot, we did not see this issue. This was because users would not generally leave the web page open and they would get a different chat id each time, so they had to log in each time they interacted with the chatbot.

However, we have recently moved to MS Teams for the same bot and are getting a lot of problems with expired tokens. We are now having to catch the error in a similar way and message the user to type 'logout' and log back in, as a quick fix whilst we get this corrected.

I am thinking of somehow automatically logging the user back out and then sending them the OAuthPrompt again, though really, this should be able to auto-refresh the token somehow.
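
An added illustration for the expiry question raised in this thread (not code from the SDK or from any commenter): when the access token is a JWT, its `exp` claim can be read locally before the token is used. The class and method names are hypothetical and the JWT format is an assumption; a token that is opaque to the client reports "unknown", and the try-and-catch approach still applies.

```csharp
using System;
using System.Text;
using System.Text.Json;

public static class TokenExpiry
{
    // Reads the `exp` claim without validating the signature; this is a
    // scheduling hint for the client, not an authentication decision.
    // Returns null when the token is not a JWT or has no integer `exp`.
    public static DateTimeOffset? ReadExpiry(string token)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return null;
        try
        {
            // JWT segments are unpadded base64url; convert to padded base64.
            string b64 = parts[1].Replace('-', '+').Replace('_', '/');
            b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
            using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
            if (doc.RootElement.ValueKind == JsonValueKind.Object
                && doc.RootElement.TryGetProperty("exp", out JsonElement exp)
                && exp.ValueKind == JsonValueKind.Number
                && exp.TryGetInt64(out long seconds))
                return DateTimeOffset.FromUnixTimeSeconds(seconds);
        }
        catch (Exception e) when (e is FormatException || e is JsonException
                                  || e is ArgumentOutOfRangeException) { }
        return null;
    }

    // true = expired or inside the skew window, false = still usable,
    // null = expiry unknown (fall back to using the token and catching the error).
    public static bool? IsExpired(string token, DateTimeOffset now, TimeSpan skew)
    {
        DateTimeOffset? exp = ReadExpiry(token);
        if (exp == null) return null;
        return now + skew >= exp.Value;
    }

    public static void Main()
    {
        // Constructed sample token (header.payload.signature) with exp = 1560000000.
        string Seg(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string token = Seg("{\"alg\":\"RS256\"}") + "." + Seg("{\"exp\":1560000000}") + ".sig";
        TimeSpan skew = TimeSpan.FromMinutes(5);
        Console.WriteLine(IsExpired(token, DateTimeOffset.FromUnixTimeSeconds(1559990000), skew));
        Console.WriteLine(IsExpired(token, DateTimeOffset.FromUnixTimeSeconds(1559999800), skew));
        Console.WriteLine(IsExpired("opaque-token", DateTimeOffset.UtcNow, skew) == null);
    }
}
```

A `true` result is the point at which a bot would sign the user out and run the OAuthPrompt again, as the last comment proposes.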