microsoftgraph / aspnetcore-connect-sample

[ARCHIVED] This ASP.NET Core MVC sample shows how to connect to Microsoft Graph using delegated permissions and the Azure AD v2.0 (MSAL) endpoint.
MIT License

Auto "Sign In" User without Token #7

Closed aherrick closed 6 years ago

aherrick commented 6 years ago

In testing, every time I reload the App in Visual Studio I'm redirected back to the MSFT Sign In dialog. My account is already "Signed In" so all I'm doing is having to click my Account which redirects me back to the App.

I get that is due to not having a token in memory, however is there anyway to auto login so I don't have to "click through" ?

mark-szabo commented 6 years ago

Hi @aherrick, sure, there's a way to solve this: You need to use a persistent storage for the token cache (for example a database). When you restart the server (clear the cache) the user needs to get a new token and by design this is done by making a request to AzureAD. Having a persistent storage for tokens will prevent this, as you will still have the token after restarting the server. Let us know if you have more questions!
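The persistent token cache described above, as an added example (not code from this sample repository). It assumes Microsoft.Identity.Client (MSAL.NET) 4.x, whose cache exposes serialization callbacks, and a hypothetical ITokenCacheStore that you would back with your database; both the interface and the client id/secret values are assumptions.

```csharp
// Added example: persisting the MSAL.NET user token cache so that a server
// restart does not force the user through the sign-in dialog again.
// Assumes Microsoft.Identity.Client 4.x; ITokenCacheStore is hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical storage abstraction (assumption): one blob per cache key.
// The blob contains refresh tokens, so the store must encrypt it at rest.
public interface ITokenCacheStore
{
    Task<byte[]?> ReadAsync(string key);
    Task WriteAsync(string key, byte[] blob);
}

public sealed class PersistentTokenCacheProvider
{
    private readonly ITokenCacheStore _store;

    public PersistentTokenCacheProvider(ITokenCacheStore store) => _store = store;

    // Hooks the persistence callbacks into the application's user token cache.
    public void Initialize(IConfidentialClientApplication app)
    {
        app.UserTokenCache.SetBeforeAccessAsync(BeforeAccessAsync);
        app.UserTokenCache.SetAfterAccessAsync(AfterAccessAsync);
    }

    // MSAL calls this before it reads the cache: load this user's blob.
    private async Task BeforeAccessAsync(TokenCacheNotificationArgs args)
    {
        // SuggestedCacheKey is the home account id for user caches, so every
        // signed-in user gets a separate blob instead of one shared cache.
        // It is null when no account is known yet (first auth-code exchange).
        if (args.SuggestedCacheKey is null) return;

        byte[]? blob = await _store.ReadAsync(args.SuggestedCacheKey);
        if (blob != null)
        {
            args.TokenCache.DeserializeMsalV3(blob);
        }
    }

    // MSAL calls this after it used the cache: persist only if it changed
    // (a new access/refresh token was stored or an entry was removed).
    private async Task AfterAccessAsync(TokenCacheNotificationArgs args)
    {
        if (args.HasStateChanged && args.SuggestedCacheKey != null)
        {
            byte[] blob = args.TokenCache.SerializeMsalV3();
            await _store.WriteAsync(args.SuggestedCacheKey, blob);
        }
    }
}

// Wiring at startup (assumed client id, secret and redirect URI):
// var app = ConfidentialClientApplicationBuilder.Create("<client-id>")
//     .WithClientSecret("<client-secret>")
//     .WithRedirectUri("https://localhost:5001/signin-oidc")
//     .WithAuthority(AzureCloudInstance.AzurePublic, "common")
//     .Build();
// new PersistentTokenCacheProvider(store).Initialize(app);
```

With the cache persisted, AcquireTokenSilent after a restart finds the user's refresh token and obtains a new access token without an interactive round trip to Azure AD. Keying the blob per account rather than storing one cache for the whole process keeps one user's refresh tokens from being loaded into another user's request.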

aherrick commented 6 years ago

Hi Mark, Thanks! Makes sense. Additionally, how long does that token last for? Is there a good way to check?

Also, imagine the scenario where I'm doing AJAX calls to my server to retrieve Graph data. Say I can't find a token (or assuming the token is expired): I notice the code sample will force a challenge (httpContext.ChallengeAsync). Obviously this wouldn't provide the desired results in an AJAX call.

How might you recommend handling this scenario? Appreciate the help!

mark-szabo commented 6 years ago

Very good question! I have no official info about this, @jamescro can you please help us? Meanwhile I did a small test: If you add a breakpoint here, you will get your access token. You can test the token with this site (https://jwt.io/) and it will decode the token like this: [screenshot] I have highlighted the "exp" value, which is the expiration date hardcoded into the token. In my timezone this is Wednesday, November 22, 2017 12:08:04 AM GMT+01:00. (The token was created on Tuesday, November 21, 2017 11:03:04 PM GMT+01:00.) So the validity was a bit more than 13 hours. Concluding, yes, there should be a way to get out the expiration date from the token.

Answering your other question: In my opinion, requesting the token by the backend without being able to redirect isn't the best way. If you are writing a Single-Page App, I'd go with a client side implementation of the Graph SDK. Here you can find a very helpful tool on choosing the best SDK to get you started: https://developer.microsoft.com/en-us/graph/quick-start
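Reading the "exp" claim in code rather than on jwt.io, as an added example that is not part of the sample or of anyone's comment above. It uses only System.Text.Json, and the token it decodes is a constructed, unsigned sample whose nbf/exp values are the two times quoted in the comment above converted to Unix seconds (UTC); the variable names are assumptions.

```csharp
// Added example: read the "exp" claim of a JWT and compute the remaining
// lifetime. The token below is constructed for the demo (alg "none", no
// signature); it is not a real Microsoft Graph access token.
using System;
using System.Text;
using System.Text.Json;

public static class JwtExpiry
{
    // Base64url (RFC 4648 section 5) to bytes: restore padding and alphabet.
    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }

    private static string ToBase64Url(string json)
        => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
                  .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns "exp" as a UTC timestamp. The signature is NOT verified here:
    // this only reads the claim (as jwt.io does). Only the resource that the
    // token is for (Graph) validates it; the client just honours the lifetime.
    public static DateTimeOffset GetExpiry(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected a compact JWS with three segments.");

        using JsonDocument doc = JsonDocument.Parse(FromBase64Url(parts[1]));
        long exp = doc.RootElement.GetProperty("exp").GetInt64();
        return DateTimeOffset.FromUnixTimeSeconds(exp);
    }

    // Positive while the token is still usable, zero or negative once expired.
    public static TimeSpan RemainingLifetime(string jwt, DateTimeOffset now)
        => GetExpiry(jwt) - now;

    public static void Main()
    {
        // Constructed payload: nbf = 2017-11-21 22:03:04 UTC, exp = 23:08:04 UTC.
        string header  = ToBase64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        string payload = ToBase64Url("{\"nbf\":1511301784,\"exp\":1511305684,\"scp\":\"User.Read\"}");
        string token   = header + "." + payload + ".";

        var now = new DateTimeOffset(2017, 11, 21, 22, 30, 0, TimeSpan.Zero);
        TimeSpan left = RemainingLifetime(token, now);

        Console.WriteLine($"exp (UTC): {GetExpiry(token):u}");
        Console.WriteLine(left > TimeSpan.Zero
            ? $"Token valid for another {left.TotalMinutes:F0} minutes"
            : "Token has expired; acquire a new one before calling Graph");
    }
}
```

In the ASP.NET Core app itself you rarely need to parse the token: MSAL's AuthenticationResult exposes ExpiresOn, and AcquireTokenSilent already refreshes a token that is about to expire when a refresh token is in the cache. Parsing is useful for diagnostics, and the example deliberately stops short of treating the decoded claims as trustworthy, since nothing here checks the signature.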

jamescro commented 6 years ago

The answer to this question -- how long does an access token last? -- doesn't have a simple answer. You can refer to this document for authoritative guidance on access token lifetimes.

aherrick commented 6 years ago

Thanks for the answers!

So the solution to refreshing/requesting a new token via AJAX is to just use JS Graph SDK? Seems there has to be a better way. I'm not necessarily writing a Single Page app, I just need to have confidence when the AJAX request for data happens I have a valid token to hit the Graph.

mark-szabo commented 6 years ago

It was just an idea. How do you get the access token for the first time? In theory if the token is missing or expired, you should start over the login pipeline to get a new token (easier if you have a refresh token).

aherrick commented 6 years ago

The first time is no problem as page loads the Controller/Action through the ASP.NET Core pipeline and kicks them to MSFT Auth if no token. I guess in theory this is only a problem if the user were to leave their page/browser up for more than 13 hours (per your token life) and try to perform an AJAX data request.

Could it be possible to return the authentication URL in the JSON result, then kick them over via JS?

Appreciate the discussion!

mark-szabo commented 6 years ago

I think you have a sign-in action somewhere. I'm not a pro at the AD sign-in pipeline, but I'd just return an error that the token is not valid, and then AJAX can redirect to the sign-in action to get a new token.

aherrick commented 6 years ago

This makes sense! Just simply have an Action that is responsible for doing the call to Challenge.

Thanks for the help!
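The pattern the two comments above converge on (return an error to the AJAX caller and let it redirect to a dedicated sign-in action that issues the challenge), as an added example that is not the sample's own code. It assumes ASP.NET Core 2.1 or later with the OpenID Connect handler and MSAL.NET 4.x; IGraphTokenProvider is a hypothetical wrapper around AcquireTokenSilent, and the routes are assumptions.

```csharp
// Added example: a JSON 401 for AJAX callers whose Graph token is missing or
// expired, and a separate sign-in action that performs the interactive
// challenge. Assumes ASP.NET Core 2.1+, OpenID Connect handler, MSAL.NET 4.x.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Client;

// Hypothetical abstraction over MSAL's AcquireTokenSilent for the current user.
// It throws MsalUiRequiredException when the cache holds no usable token.
public interface IGraphTokenProvider
{
    Task<string> GetAccessTokenAsync(string[] scopes);
}

[Authorize]
public class GraphApiController : Controller
{
    private readonly IGraphTokenProvider _tokens;

    public GraphApiController(IGraphTokenProvider tokens) => _tokens = tokens;

    [HttpGet("/api/me")]
    public async Task<IActionResult> Me()
    {
        try
        {
            string accessToken = await _tokens.GetAccessTokenAsync(new[] { "User.Read" });
            // ... call Graph with accessToken and return the data ...
            return Ok(new { ok = true });
        }
        catch (MsalUiRequiredException)
        {
            // The app cookie may still be valid while the MSAL cache is empty
            // (e.g. after a restart without a persistent cache). An XMLHttpRequest
            // cannot follow an interactive redirect, so tell the caller where
            // to go instead of issuing Challenge() here.
            if (IsAjaxRequest())
            {
                string signInUrl = Url.Action(nameof(AccountController.SignIn), "Account");
                return Unauthorized(new { error = "token_expired", signInUrl });
            }
            return Challenge(OpenIdConnectDefaults.AuthenticationScheme);
        }
    }

    // jQuery sets this header automatically; fetch() callers must add it.
    private bool IsAjaxRequest()
        => string.Equals(Request.Headers["X-Requested-With"].ToString(),
                         "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
}

public class AccountController : Controller
{
    // The action the AJAX caller redirects the browser to. The client appends
    // ?returnUrl=<current path> so the user lands back where they were.
    [HttpGet("/Account/SignIn")]
    public IActionResult SignIn(string? returnUrl = null)
    {
        // Only local paths are honoured: a caller-supplied absolute URL would
        // turn this action into an open redirect after sign-in.
        string redirect = Url.IsLocalUrl(returnUrl) ? returnUrl! : "/";
        return Challenge(new AuthenticationProperties { RedirectUri = redirect },
                         OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

On the client the handling is a few lines: when a response comes back with status 401 and a JSON body containing signInUrl, set window.location to that URL with the current path as returnUrl. Checking the X-Requested-With header keeps ordinary page navigations on the normal Challenge path, so a user who opens /api/me directly in the browser still gets the redirect flow rather than a bare JSON error.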

mark-szabo commented 6 years ago

I'm glad that we were able to help! Please don't hesitate to contact us if you have any other questions!